A universal secrets manager
Project description
Mind Castle - Build a wall around your secrets
A universal store for your secret data. Don't delay securing you or your customer's data by deliberating over cloud secret stores. Mind Castle makes it easy to get started, and easy to switch between cloud secret stores.
Mind Castle currently supports:
- HashiCorp Vault
- AWS Secrets Manager
- In-memory and JSON stores that should only be used for testing/migration
Architecture
Mind Castle comes in three parts:
- A unified interface for several secret stores.
- An SQLAlchemy column type that transparently stores and retrieves secrets for you.
- A migration tool to convert your existing DB column data into secrets.
Some other notes:
- Mind Castle is configured and secret stores are initialised at import time. That means env-vars used for configuration need to be defined when Mind Castle is imported.
- Mind Castle makes no attempt to manage secrets in memory. Memory management in Python is futile, and if you need that level of control it's best to use another language.
Install
pip install mind-castle
Configure
You can configure Mind Castle by setting environment variables for your chosen secret store. To see what configuration options are required for each store:
$ python -m mind_castle
╭───────────────────────────────────────── MIND CASTLE ─────────────────────────────────────────╮
│ │
│ Secret Stores │
│ ┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓ │
│ ┃ Store Type ┃ Required env var ┃ Optional env var ┃ │
│ ┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩ │
│ │ memory │ │ │ │
│ │ │ │ │ │
│ │ plaintext │ │ │ │
│ │ │ │ │ │
│ │ awssecretsmanager │ MIND_CASTLE_AWS_REGION │ MIND_CASTLE_AWS_SECRET_KEY_PREFIX │ │
│ │ │ MIND_CASTLE_AWS_ACCESS_KEY_ID │ │ │
│ │ │ MIND_CASTLE_AWS_SECRET_ACCESS_KEY │ │ │
│ │ │ --- OR --- │ │ │
│ │ │ MIND_CASTLE_AWS_REGION │ MIND_CASTLE_AWS_SECRET_KEY_PREFIX │ │
│ │ │ MIND_CASTLE_AWS_USE_ENV_AUTH │ │ │
│ │ │ │ │ │
│ │ hashicorpvault │ MIND_CASTLE_VAULT_HOST │ │ │
│ │ │ MIND_CASTLE_VAULT_TOKEN │ │ │
│ │ │ │ │ │
│ │ json │ │ │ │
│ │ │ │ │ │
│ └───────────────────┴───────────────────────────────────┴───────────────────────────────────┘ │
╰───────────────────────────────────────────────────────────────────────────────────────────────╯
Use
Migrating Existing Data
A migration tool is provided to move your existing data into a secret store. The tool assumes you have a database that can be connected to using SQLAlchemy and create_engine(<db_uri>).
You will need to configure your selected secret store using environment variables as described above. You can see what other options the migration tool accepts with:
$ python migration_tool.py --help
Usage: migration_tool.py [OPTIONS] DB_URI
╭─ Arguments ─────────────────────────────────────────────────────────────────────────╮
│ * db_uri TEXT [default: None] [required] │
╰─────────────────────────────────────────────────────────────────────────────────────╯
╭─ Options ───────────────────────────────────────────────────────────────────────────╮
│ --target-table TEXT [default: None] │
│ --target-column TEXT [default: None] │
│ --dry-run --no-dry-run [default: dry-run] │
│ --demigrate --no-demigrate [default: no-demigrate] │
│ --to-secret-type TEXT [default: json] │
│ --help Show this message and exit. │
╰─────────────────────────────────────────────────────────────────────────────────────╯
The easiest thing to do is specify --to-secret-type and let the tool guide you through the rest. e.g.:
$ MIND_CASTLE_VAULT_HOST="http://127.0.0.1:8200" MIND_CASTLE_VAULT_TOKEN="<your_token>" python migration_tool.py "postgresql://<user>:<pass>@<host>:5432/<database>" --to-secret-type hashicorpvault
The tool will list tables and columns in the selected DB for you, and ask you to select each. Once a dry run is complete and you also have a backup of your database, you can add --no-dry-run to migrate the data for real.
SQLAlchemy Model
Once any existing data is migrated, you can update your SQLAlchemy model to include a SecretData column:
from mind_castle.sqlalchemy_type import SecretData
class MyDBModel(Base):
name = Column(String, nullable=False)
created_at = Column(DateTime, default=datetime.datetime.now)
secret_data = Column(SecretData("hashicorpvault"))
Your secrets will then be safely stored in Vault (or AWS, or anywhere else you like)! The storage and retrieval of secrets will be completely transparent to your application.
TODO
- Make migration script work for non-json columns
- Support deleting secrets when row is deleted
- Implement prefixes/folders for secrets
- Explain how secrets are stored
- Enforce tests on PR / branch protections
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mind_castle-0.3.1.tar.gz.
File metadata
- Download URL: mind_castle-0.3.1.tar.gz
- Upload date:
- Size: 60.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6aa067f69d9b8438606ab076da8ff134ec4064c57d07d46eed9a10e6d80786be
|
|
| MD5 |
67da568d83c44ce744fff9368603c7d7
|
|
| BLAKE2b-256 |
d86ebaa462c1937899e2db8a295d37b49cf592e94bfd889e4843633f5e4e2e7a
|
File details
Details for the file mind_castle-0.3.1-py3-none-any.whl.
File metadata
- Download URL: mind_castle-0.3.1-py3-none-any.whl
- Upload date:
- Size: 23.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.5.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
59ee2666906fd552c49af817494e3e1297f57c658b0e9b824cc05b0c178ce587
|
|
| MD5 |
e05860a2e69cffaa284bd46bdad9b27f
|
|
| BLAKE2b-256 |
dccc446bb447ae6093591902fa0e0f7d5e5a8d3a09c0583e9ad85cc9a5411d42
|
