Skip to main content

Load OCI Vault secrets into in-memory runtime INI config.

Project description

OCI Secret Helper

Load a named OCI Vault secret from Python or bash using instance principals.

The normal consumer inputs are:

  • vault_id: OCI Vault OCID
  • secret_name: name of the secret inside that Vault

See CHANGELOG.md for version history.

Install

Install from your package index:

python -m pip install \
  --index-url "https://PACKAGE_INDEX_HOST/path/to/simple" \
  oci-secret-helper==0.1.17

This package depends on oci>=2. The configured Artifactory index must host or proxy the OCI Python SDK, or the SDK must already be installed in the target environment.

This test-phase build supports Python 3.6 and newer. Before production, move requires-python back to >=3.9 and publish a new version.

Release Build

GitLab CI builds the wheel from the version in pyproject.toml:

version = "0.1.17"

Merge request pipelines run tests and build the wheel once for validation. When the change lands on the default branch, the pipeline runs tests, builds the wheel, and promotes it to the configured Artifactory PyPI repository.

Increment pyproject.toml for every change that should publish a new package version:

version = "0.1.18"

Artifactory rejects duplicate package versions, so the default-branch promote job expects the package version to be new.

Branch pipelines are suppressed when a merge request pipeline exists, so test and build do not run twice for the same commit.

The promote job requires these protected GitLab CI/CD variables:

ARTIFACTORY_PYPI_REPOSITORY_URL=https://PACKAGE_INDEX_HOST/path/to/repository
ARTIFACTORY_USERNAME=<username>
ARTIFACTORY_PASSWORD=<password-or-token>

Consumers install from the repository's /simple endpoint:

python -m pip install \
  --index-url "https://PACKAGE_INDEX_HOST/path/to/simple" \
  oci-secret-helper==0.1.17

Python Usage

Fetch by Vault OCID and secret name:

import oci_secret_helper

result = oci_secret_helper(
    vault_id="ocid1.vault.oc1.iad...",
    secret_name="app_config_secret",
)

Single-value secrets return a string:

password = oci_secret_helper(
    vault_id="ocid1.vault.oc1.iad...",
    secret_name="app_password_secret",
)

INI-style secrets with multiple values return a configparser.ConfigParser:

config = oci_secret_helper(
    vault_id="ocid1.vault.oc1.iad...",
    secret_name="app_config_secret",
)

token = config["default"]["api_token"]

Use load_secret_config() when you always want a ConfigParser, even for a plain string secret:

config = oci_secret_helper.load_secret_config(
    vault_id="ocid1.vault.oc1.iad...",
    secret_name="app_password_secret",
)

password = config["secret"]["value"]

If a single-line payload contains = and should be parsed as headerless key=value config, force that shape:

config = oci_secret_helper.load_secret_config(
    vault_id="ocid1.vault.oc1.iad...",
    secret_name="app_password_secret",
    secret_format="key_value",
)

password = config["secret"]["app_password"]

Bash Usage

Fetch a secret:

oci-secret-helper \
  --vault-id "ocid1.vault.oc1.iad..." \
  --secret-name "app_config_secret"

Show secret values:

oci-secret-helper \
  --vault-id "ocid1.vault.oc1.iad..." \
  --secret-name "app_password_secret" \
  --echo-secret-values

Plain string secrets are detected automatically, so stdout is just the secret value:

example-secret-value

INI or key=value payloads keep the config-shaped output. To force the exact Vault payload to stdout for any payload type, use --raw:

oci-secret-helper \
  --vault-id "ocid1.vault.oc1.iad..." \
  --secret-name "app_password_secret" \
  --raw

To force a headerless key=value payload to print as config-shaped output:

oci-secret-helper \
  --vault-id "ocid1.vault.oc1.iad..." \
  --secret-name "app_password_secret" \
  --echo-secret-values \
  --secret-format key-value

Without --echo-secret-values, the CLI redacts values. Use --raw or --echo-secret-values only in a protected shell because secrets can land in terminal scrollback or logs.

Secret Payloads

The Vault secret payload can be one of these shapes:

example-secret-value
app_password = example-secret-value
[default]
api_token = example-token
api_endpoint = example-endpoint

Plain string secrets are normalized to this shape when returned as a ConfigParser or printed by the CLI:

[secret]
value = example-secret-value

Secret values are treated literally. Characters such as % are preserved and are not interpreted as ConfigParser interpolation syntax.

In auto mode, a single-line secret with = but no whitespace around the separator, such as token== or abc=def, is treated as a raw string to avoid silently changing passwords or tokens. Use secret_format="key_value" in Python or --secret-format key-value in bash when an unspaced single-line payload should be parsed as headerless config.

Performance Notes

The helper sets OCI_PYTHON_SDK_NO_SERVICE_IMPORTS=1 before loading the OCI SDK and imports only the SDK objects needed for Vault reads:

  • oci.retry.NoneRetryStrategy
  • oci.auth.signers.InstancePrincipalsSecurityTokenSigner
  • oci.secrets.SecretsClient

This avoids Python 3.6 eager-loading every OCI service module during the first Vault fetch.

The helper also suppresses the known Python 3.6 cryptography deprecation warning emitted by OCI SDK imports in the test environment.

Maintainers

Build the wheel:

python -m pip wheel . --no-deps --no-build-isolation -w dist

Upload to a Python package index:

python -m twine upload \
  --repository-url "https://PACKAGE_INDEX_HOST/path/to/repository" \
  dist/oci_secret_helper-0.1.17-py3-none-any.whl

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

oci_secret_helper-0.1.17.tar.gz (11.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

oci_secret_helper-0.1.17-py3-none-any.whl (8.5 kB view details)

Uploaded Python 3

File details

Details for the file oci_secret_helper-0.1.17.tar.gz.

File metadata

  • Download URL: oci_secret_helper-0.1.17.tar.gz
  • Upload date:
  • Size: 11.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for oci_secret_helper-0.1.17.tar.gz
Algorithm Hash digest
SHA256 80ffd04b63d4a3318f472d9e2835804fcc0745c5379a8711bb1b889bebdb4544
MD5 a36726c3f0506522c18233836a826145
BLAKE2b-256 bee5dba86d2f03b5d1da353bac5cf95d767230a448f3a0f545307b98e4f13030

See more details on using hashes here.

Provenance

The following attestation bundles were made for oci_secret_helper-0.1.17.tar.gz:

Publisher: python-publish.yml on masondixon/oci-secret-helper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file oci_secret_helper-0.1.17-py3-none-any.whl.

File metadata

File hashes

Hashes for oci_secret_helper-0.1.17-py3-none-any.whl
Algorithm Hash digest
SHA256 fa5c27eba5b0266a879a40144abdb982cb81107fd1906ab9c830880473200ff0
MD5 638a6b2b73ca17d1466be3672e602f38
BLAKE2b-256 17dd358bdaa5dbbdfc4d18549fa150c465e3e082a03f31e0eb37d01c189443f0

See more details on using hashes here.

Provenance

The following attestation bundles were made for oci_secret_helper-0.1.17-py3-none-any.whl:

Publisher: python-publish.yml on masondixon/oci-secret-helper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page