Load OCI Vault secrets into in-memory runtime INI config.
Project description
OCI Secret Helper
Load a named OCI Vault secret from Python or bash using instance principals.
The normal consumer inputs are:
vault_id: OCI Vault OCIDsecret_name: name of the secret inside that Vault
See CHANGELOG.md for version history.
Install
Install from your package index:
python -m pip install \
--index-url "https://PACKAGE_INDEX_HOST/path/to/simple" \
oci-secret-helper==0.1.17
This package depends on oci>=2. The configured Artifactory index must host or
proxy the OCI Python SDK, or the SDK must already be installed in the target
environment.
This test-phase build supports Python 3.6 and newer. Before production, move
requires-python back to >=3.9 and publish a new version.
Release Build
GitLab CI builds the wheel from the version in pyproject.toml:
version = "0.1.17"
Merge request pipelines run tests and build the wheel once for validation. When the change lands on the default branch, the pipeline runs tests, builds the wheel, and promotes it to the configured Artifactory PyPI repository.
Increment pyproject.toml for every change that should publish a new package
version:
version = "0.1.18"
Artifactory rejects duplicate package versions, so the default-branch promote job expects the package version to be new.
Branch pipelines are suppressed when a merge request pipeline exists, so test and build do not run twice for the same commit.
The promote job requires these protected GitLab CI/CD variables:
ARTIFACTORY_PYPI_REPOSITORY_URL=https://PACKAGE_INDEX_HOST/path/to/repository
ARTIFACTORY_USERNAME=<username>
ARTIFACTORY_PASSWORD=<password-or-token>
Consumers install from the repository's /simple endpoint:
python -m pip install \
--index-url "https://PACKAGE_INDEX_HOST/path/to/simple" \
oci-secret-helper==0.1.17
Python Usage
Fetch by Vault OCID and secret name:
import oci_secret_helper
result = oci_secret_helper(
vault_id="ocid1.vault.oc1.iad...",
secret_name="app_config_secret",
)
Single-value secrets return a string:
password = oci_secret_helper(
vault_id="ocid1.vault.oc1.iad...",
secret_name="app_password_secret",
)
INI-style secrets with multiple values return a configparser.ConfigParser:
config = oci_secret_helper(
vault_id="ocid1.vault.oc1.iad...",
secret_name="app_config_secret",
)
token = config["default"]["api_token"]
Use load_secret_config() when you always want a ConfigParser, even for a
plain string secret:
config = oci_secret_helper.load_secret_config(
vault_id="ocid1.vault.oc1.iad...",
secret_name="app_password_secret",
)
password = config["secret"]["value"]
If a single-line payload contains = and should be parsed as headerless
key=value config, force that shape:
config = oci_secret_helper.load_secret_config(
vault_id="ocid1.vault.oc1.iad...",
secret_name="app_password_secret",
secret_format="key_value",
)
password = config["secret"]["app_password"]
Bash Usage
Fetch a secret:
oci-secret-helper \
--vault-id "ocid1.vault.oc1.iad..." \
--secret-name "app_config_secret"
Show secret values:
oci-secret-helper \
--vault-id "ocid1.vault.oc1.iad..." \
--secret-name "app_password_secret" \
--echo-secret-values
Plain string secrets are detected automatically, so stdout is just the secret value:
example-secret-value
INI or key=value payloads keep the config-shaped output. To force the exact
Vault payload to stdout for any payload type, use --raw:
oci-secret-helper \
--vault-id "ocid1.vault.oc1.iad..." \
--secret-name "app_password_secret" \
--raw
To force a headerless key=value payload to print as config-shaped output:
oci-secret-helper \
--vault-id "ocid1.vault.oc1.iad..." \
--secret-name "app_password_secret" \
--echo-secret-values \
--secret-format key-value
Without --echo-secret-values, the CLI redacts values. Use
--raw or --echo-secret-values only in a protected shell because secrets can
land in terminal scrollback or logs.
Secret Payloads
The Vault secret payload can be one of these shapes:
example-secret-value
app_password = example-secret-value
[default]
api_token = example-token
api_endpoint = example-endpoint
Plain string secrets are normalized to this shape when returned as a
ConfigParser or printed by the CLI:
[secret]
value = example-secret-value
Secret values are treated literally. Characters such as % are preserved and
are not interpreted as ConfigParser interpolation syntax.
In auto mode, a single-line secret with = but no whitespace around the
separator, such as token== or abc=def, is treated as a raw string to avoid
silently changing passwords or tokens. Use secret_format="key_value" in
Python or --secret-format key-value in bash when an unspaced single-line
payload should be parsed as headerless config.
Performance Notes
The helper sets OCI_PYTHON_SDK_NO_SERVICE_IMPORTS=1 before loading the OCI
SDK and imports only the SDK objects needed for Vault reads:
oci.retry.NoneRetryStrategyoci.auth.signers.InstancePrincipalsSecurityTokenSigneroci.secrets.SecretsClient
This avoids Python 3.6 eager-loading every OCI service module during the first Vault fetch.
The helper also suppresses the known Python 3.6 cryptography deprecation warning emitted by OCI SDK imports in the test environment.
Maintainers
Build the wheel:
python -m pip wheel . --no-deps --no-build-isolation -w dist
Upload to a Python package index:
python -m twine upload \
--repository-url "https://PACKAGE_INDEX_HOST/path/to/repository" \
dist/oci_secret_helper-0.1.17-py3-none-any.whl
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file oci_secret_helper-0.1.17.tar.gz.
File metadata
- Download URL: oci_secret_helper-0.1.17.tar.gz
- Upload date:
- Size: 11.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
80ffd04b63d4a3318f472d9e2835804fcc0745c5379a8711bb1b889bebdb4544
|
|
| MD5 |
a36726c3f0506522c18233836a826145
|
|
| BLAKE2b-256 |
bee5dba86d2f03b5d1da353bac5cf95d767230a448f3a0f545307b98e4f13030
|
Provenance
The following attestation bundles were made for oci_secret_helper-0.1.17.tar.gz:
Publisher:
python-publish.yml on masondixon/oci-secret-helper
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
oci_secret_helper-0.1.17.tar.gz -
Subject digest:
80ffd04b63d4a3318f472d9e2835804fcc0745c5379a8711bb1b889bebdb4544 - Sigstore transparency entry: 2014752660
- Sigstore integration time:
-
Permalink:
masondixon/oci-secret-helper@ab41fee95f2f5fa706df632b1b3dfa025469799d -
Branch / Tag:
refs/heads/main - Owner: https://github.com/masondixon
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-publish.yml@ab41fee95f2f5fa706df632b1b3dfa025469799d -
Trigger Event:
push
-
Statement type:
File details
Details for the file oci_secret_helper-0.1.17-py3-none-any.whl.
File metadata
- Download URL: oci_secret_helper-0.1.17-py3-none-any.whl
- Upload date:
- Size: 8.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fa5c27eba5b0266a879a40144abdb982cb81107fd1906ab9c830880473200ff0
|
|
| MD5 |
638a6b2b73ca17d1466be3672e602f38
|
|
| BLAKE2b-256 |
17dd358bdaa5dbbdfc4d18549fa150c465e3e082a03f31e0eb37d01c189443f0
|
Provenance
The following attestation bundles were made for oci_secret_helper-0.1.17-py3-none-any.whl:
Publisher:
python-publish.yml on masondixon/oci-secret-helper
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
oci_secret_helper-0.1.17-py3-none-any.whl -
Subject digest:
fa5c27eba5b0266a879a40144abdb982cb81107fd1906ab9c830880473200ff0 - Sigstore transparency entry: 2014752861
- Sigstore integration time:
-
Permalink:
masondixon/oci-secret-helper@ab41fee95f2f5fa706df632b1b3dfa025469799d -
Branch / Tag:
refs/heads/main - Owner: https://github.com/masondixon
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-publish.yml@ab41fee95f2f5fa706df632b1b3dfa025469799d -
Trigger Event:
push
-
Statement type: