A simple extension to Pydantic BaseSettings that can retrieve secrets from HashiCorp Vault.
Same as with the Pydantic BaseSettings, create a class that inherits from pydantic_vault.VaultBaseSettings, then define your fields and configure the settings with
```python
import os

from pydantic import SecretStr, Field
from pydantic_vault import VaultBaseSettings


class Settings(VaultBaseSettings):
    username: str = Field(..., vault_secret_path="path/to/secret", vault_secret_key="my_user")
    password: SecretStr = Field(..., vault_secret_path="path/to/secret", vault_secret_key="my_password")

    class Config:
        vault_url: str = "https://vault.tld"
        vault_token: SecretStr = os.environ["VAULT_TOKEN"]
        vault_namespace: str = "your/namespace"  # Optional, pydantic-vault supports Vault namespaces (for Vault Enterprise)
        vault_secret_mount_point: str = "secrets"  # Optional, if your KV v2 secrets engine is not available at the default "secret" mount point


settings = Settings()
# These variables will come from the Vault secret you configured
settings.username
settings.password.get_secret_value()

# Now let's pretend we have already set the USERNAME in an environment variable
# (see the Pydantic documentation for more information and to know how to configure it)
# Its value will override the Vault secret
os.environ["USERNAME"] = "my user"

settings = Settings()
settings.username  # "my user", defined in the environment variable
settings.password.get_secret_value()  # the value set in Vault
```
Field additional parameters
You might have noticed that we import Field directly from Pydantic. Pydantic-Vault doesn't add any custom logic to it, which means you can still use everything you know and love from Pydantic.
The additional parameters Pydantic-Vault uses are:
| Parameter | Required | Description |
|---|---|---|
| vault_secret_path | Yes | The path to your secret in Vault |
| vault_secret_key | Yes | The key to use in the secret |
For example, if you create a secret database/prod with a key password and a value of a secret password, you would use

```python
password: SecretStr = Field(..., vault_secret_path="database/prod", vault_secret_key="password")
```
For now, Pydantic-Vault only supports direct token authentication; that is, you must authenticate using your method of choice, then pass the resulting Vault token to your
Support is planned for Approle and Kubernetes authentication methods.
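In your Settings.Config class you can configure the following elements:

| Parameter | Required | Description |
|---|---|---|
| vault_url | Yes | Your Vault URL |
| vault_token | Yes | A token that allows connecting to Vault (retrieve it with any auth method you want) |
| vault_namespace | No | Your Vault namespace (if you use one, requires Vault Enterprise) |
| vault_secret_mount_point | No | The mount point of the KV v2 secrets engine, if different from the default "secret" mount point |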
You can also configure everything available in the original Pydantic
Order of priority
Settings values are determined as follows (in descending order of priority):
- arguments passed to the
- environment variables
- Vault variables
- the default field values for the
It's the same order as with the original BaseSettings, but with Vault just before the default values.
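Because environment variables rank above Vault, a stray variable can silently replace a Vault-managed secret. The following is an added example, not pydantic-vault's own code: it models the order of priority described above with the standard library only and reports which Vault-backed fields the environment would shadow. `FIELDS`, `FAKE_VAULT`, `resolve` and `shadowed_by_env` are hypothetical names, the data is constructed, and case-insensitive matching of environment variable names is an assumption.

```python
from typing import Any, Dict, List, Mapping, Tuple

# Constructed sample data: field name -> (vault_secret_path, vault_secret_key)
FIELDS: Dict[str, Tuple[str, str]] = {
    "username": ("path/to/secret", "my_user"),
    "password": ("path/to/secret", "my_password"),
}
# Constructed stand-in for the KV v2 engine: secret path -> secret data
FAKE_VAULT: Dict[str, Dict[str, str]] = {
    "path/to/secret": {"my_user": "vault-user", "my_password": "vault-pass"},
}
_MISSING = object()


def resolve(name: str, init_kwargs: Mapping[str, Any], environ: Mapping[str, str],
            vault: Mapping[str, Mapping[str, str]], default: Any = _MISSING) -> Tuple[Any, str]:
    """Return (value, source) for a field, following the documented order."""
    if name in init_kwargs:                   # 1. arguments passed at construction
        return init_kwargs[name], "init"
    env = {k.lower(): v for k, v in environ.items()}
    if name.lower() in env:                   # 2. environment variables
        return env[name.lower()], "env"       #    (case-insensitive: an assumption)
    path, key = FIELDS[name]
    if key in vault.get(path, {}):            # 3. Vault
        return vault[path][key], "vault"
    if default is not _MISSING:               # 4. default field value
        return default, "default"
    raise KeyError(f"no value for required field {name!r}")


def shadowed_by_env(environ: Mapping[str, str]) -> List[str]:
    """Vault-backed fields whose value would come from the environment instead."""
    names = {k.lower() for k in environ}
    return sorted(f for f in FIELDS if f.lower() in names)


if __name__ == "__main__":
    env = {"USERNAME": "my user", "PATH": "/usr/bin"}  # constructed environment
    for field in FIELDS:
        # Print only the source of each value, never the secret itself.
        print(field, "<-", resolve(field, {}, env, FAKE_VAULT)[1])
    print("shadowed by environment:", shadowed_by_env(env))
```

Running a check like `shadowed_by_env(os.environ)` at start-up makes an unexpected override visible before the application uses the value.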
Pydantic-Vault is available under the MIT license.