A simple extension to Pydantic BaseSettings that can retrieve secrets from HashiCorp Vault

A simple extension to Pydantic BaseSettings that can retrieve secrets from a KV v2 secrets engine in HashiCorp Vault

Getting started

Same as with the Pydantic BaseSettings, create a class that inherits from pydantic_vault.VaultBaseSettings, then define your fields and configure the settings with

import os

from pydantic import SecretStr, Field
from pydantic_vault import VaultBaseSettings

class Settings(VaultBaseSettings):
    username: str = Field(..., vault_secret_path="path/to/secret", vault_secret_key="my_user")
    password: SecretStr = Field(..., vault_secret_path="path/to/secret", vault_secret_key="my_password")

    class Config:
        vault_url: str = "https://vault.tld"
        vault_token: SecretStr = os.environ["VAULT_TOKEN"]
        vault_namespace: str = "your/namespace"  # Optional, pydantic-vault supports Vault namespaces (for Vault Enterprise)
        vault_secret_mount_point: str = "secrets"  # Optional, if your KV v2 secrets engine is not available at the default "secret" mount point

settings = Settings()
# These variables will come from the Vault secret you configured

# Now let's pretend we have already set the USERNAME in an environment variable
# (see the Pydantic documentation for more information and to know how to configure it)
# Its value will override the Vault secret
os.environ["USERNAME"] = "my user"

settings = Settings()
settings.username  # "my user", defined in the environment variable
settings.password.get_secret_value()  # the value set in Vault


Field additional parameters

You might have noticed that we import Field directly from Pydantic. Pydantic-Vault doesn't add any custom logic to it, which means you can still use everything you know and love from Pydantic.

The additional parameters Pydantic-Vault uses are:

| Parameter name | Required | Description |
|---|---|---|
| vault_secret_path | Yes | The path to your secret in Vault |
| vault_secret_key | Yes | The key to use in the secret |

For example, if you create a secret database/prod with a key password and a value of a secret password, you would use

password: SecretStr = Field(..., vault_secret_path="database/prod", vault_secret_key="password")


For now, Pydantic-Vault only supports direct token authentication: you must authenticate using your method of choice, then pass the resulting Vault token to your Settings class.

Support is planned for the AppRole and Kubernetes authentication methods.


In your Settings.Config class you can configure the following elements:

| Settings name | Required | Description |
|---|---|---|
| vault_url | Yes | Your Vault URL |
| vault_token | Yes | A token that allows connecting to Vault (retrieve it with any auth method you want) |
| vault_namespace | No | Your Vault namespace (if you use one, requires Vault Enterprise) |
| vault_secret_mount_point | No | The mount point of the KV v2 secrets engine, if different from the default "secret" mount point |

You can also configure everything available in the original Pydantic BaseSettings class.

Order of priority

Settings values are determined as follows (in descending order of priority):

  • arguments passed to the Settings class initializer
  • environment variables
  • Vault variables
  • the default field values for the Settings model

It's the same order as with the original BaseSettings, but with Vault just before the default values.
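
The priority order above, modelled as an added example (not code from Pydantic-Vault): each field is resolved from initializer arguments, the environment, a KV v2 read, then defaults, and the winning source is recorded. The helper names, sample secret values and canned Vault response are constructed; only the KV v2 path and response layout follow Vault's HTTP API.

```python
# Added illustration: models the documented priority order; it does not import
# or reproduce pydantic-vault. All names and sample data here are constructed.
MISSING = object()

def kv2_api_path(mount_point, secret_path):
    """HTTP API path used to read a KV v2 secret (note the extra 'data/' segment)."""
    return f"/v1/{mount_point.strip('/')}/data/{secret_path.strip('/')}"

def resolve(fields, init_kwargs, environ, vault_reads, mount_point="secret"):
    """Return {field: (value, source)} using init > env > Vault > default."""
    # BaseSettings matches environment variable names case-insensitively by default
    env = {k.lower(): v for k, v in environ.items()}
    resolved = {}
    for name, spec in fields.items():
        if name in init_kwargs:
            resolved[name] = (init_kwargs[name], "init")
            continue
        if name.lower() in env:
            resolved[name] = (env[name.lower()], "env")
            continue
        response = vault_reads.get(kv2_api_path(mount_point, spec["vault_secret_path"]))
        # KV v2 wraps the key/value pairs in response["data"]["data"]
        secret = (response or {}).get("data", {}).get("data", {})
        if spec["vault_secret_key"] in secret:
            resolved[name] = (secret[spec["vault_secret_key"]], "vault")
        elif spec.get("default", MISSING) is not MISSING:
            resolved[name] = (spec["default"], "default")
        else:
            raise ValueError(f"no value for required field {name!r}")
    return resolved

def shadowed_by_env(resolved):
    """Fields that took their value from an environment variable instead of Vault."""
    return sorted(n for n, (_, source) in resolved.items() if source == "env")

# Constructed sample data: two Vault-backed fields and one canned KV v2 response
FIELDS = {
    "username": {"vault_secret_path": "path/to/secret", "vault_secret_key": "my_user"},
    "password": {"vault_secret_path": "path/to/secret", "vault_secret_key": "my_password"},
}
VAULT_READS = {
    "/v1/secrets/data/path/to/secret": {
        "data": {"data": {"my_user": "svc-app", "my_password": "s3cr3t"}, "metadata": {"version": 1}}
    }
}

if __name__ == "__main__":
    result = resolve(FIELDS, {}, {"USERNAME": "my user"}, VAULT_READS, mount_point="secrets")
    print({n: src for n, (_, src) in result.items()}, shadowed_by_env(result))
```

An environment variable that happens to share a field's name (USERNAME, for instance, is set by Windows for every session) takes precedence over the Vault value, so recording the source of each field at start-up makes such overrides visible.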


Pydantic-Vault is available under the MIT license.

Source Distribution

pydantic-vault-0.1.0a0.tar.gz (5.0 kB)

Built Distribution

pydantic_vault-0.1.0a0-py3-none-any.whl (5.1 kB)
