A simple extension to Pydantic BaseSettings that can retrieve secrets from Hashicorp Vault
Project description
Pydantic-Vault
A simple extension to Pydantic BaseSettings that can retrieve secrets from a KV v2 secrets engine in Hashicorp Vault
Getting started
Same as with the Pydantic BaseSettings, create a class that inherits from pydantic_vault.VaultBaseSettings, then define your fields and configure the settings with
import os
from pydantic import SecretStr, Field
from pydantic_vault import VaultBaseSettings
class Settings(VaultBaseSettings):
username: str = Field(..., vault_secret_path="path/to/secret", vault_secret_key="my_user")
password: SecretStr = Field(..., vault_secret_path="path/to/secret", vault_secret_key="my_password")
class Config:
vault_url: str = "https://vault.tld"
vault_token: SecretStr = os.environ["VAULT_TOKEN"]
vault_namespace: str = "your/namespace" # Optional, pydantic-vault supports Vault namespaces (for Vault Enterprise)
vault_secret_mount_point: str = "secrets" # Optional, if your KV v2 secrets engine is not available at the default "secret" mount point
settings = Settings()
# These variables will come from the Vault secret you configured
settings.username
settings.password.get_secret_value()
# Now let's pretend we have already set the USERNAME in an environment variable
# (see the Pydantic documentation for more information and to know how to configure it)
# Its value will override the Vault secret
os.environ["USERNAME"] = "my user"
settings = Settings()
settings.username # "my user", defined in the environment variable
settings.password.get_secret_value() # the value set in Vault
Documentation
Field additional parameters
You might have noticed that we import Field directly from Pydantic. Pydantic-Vault doesn't add any custom logic to it, which means you can still use everything you know and love from Pydantic.
The additional parameters Pydantic-Vault uses are:
| Parameter name | Required | Description |
|---|---|---|
vault_secret_path |
Yes | The path to your secret in Vault |
vault_secret_key |
Yes | The key to use in the secret |
For example, if you create a secret database/prod with a key password and a value of a secret password, you would use
password: SecretStr = Field(..., vault_secret_path="database/prod", vault_secret_key="password")
Authentication
For now Pydantic-Vault only supports direct token authentication, that is you must authenticate using your method of choice then pass the resulting Vault token to your Settings class.
Support is planned for Approle and Kubernetes authentication methods.
Configuration
In your Settings.Config class you can configure the following elements:
| Settings name | Required | Description |
|---|---|---|
vault_url |
Yes | Your Vault URL |
vault_token |
Yes | A token allowing to connect to Vault (retrieve it with any auth method you want) |
vault_namespace |
No | Your Vault namespace (if you use one, requires Vault Enterprise) |
vault_secret_mount_point |
No | The mount point of the KV v2 secrets engine, if different from the default "secret" mount point |
You can also configure everything available in the original Pydantic BaseSettings class.
Order of priority
Settings values are determined as follows (in descending order of priority):
- arguments passed to the
Settingsclass initializer - environment variables
- Vault variables
- the default field values for the
Settingsmodel
It's the same order as with the original BaseSettings, but with Vault just before the default values.
License
Pydantic-Vault is available under the MIT license.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for pydantic_vault-0.1.0a0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 03599ceae1d22dfd1d8fc4a1679aaa725760e931982450f400ed10e3216b7c5b |
|
| MD5 | e306ae4c27f752ed5832f9ab62bea77b |
|
| BLAKE2b-256 | c08e852ce4997c10414b8255f159a5be283bcc62819701559bbf6bef7b636042 |
