Skip to main content

Qubership EnvGene CLI that provisions external credentials into Vault, OpenBao, GCP Secret Manager, and AWS Secrets Manager from a YAML context file.

Project description

qubership-external-cred-provision

Command-line tool for EnvGene that provisions external credentials into secret stores from a declarative YAML context file.

EnvGene generates the context during Effective Set calculation. This CLI reads that file, connects to the configured stores, and creates or verifies secrets according to each entry's strategy. It supports dry-run mode for CI validation without writes.

Features

  • Provisions credentials into HashiCorp Vault, OpenBao, Google Cloud Secret Manager, and AWS Secrets Manager
  • Idempotent strategies: verify presence, create when absent, or overwrite
  • Generates secret values when a field is marked with the reserved _generateValue marker
  • Dry-run mode for pre-flight checks before apply
  • Structured logging to console and log files

Requirements

  • Python 3.12
  • Network access to the target secret stores
  • Store authentication via process environment variables (see configuration)
  • Runtime dependency on qubership-pipelines-common-library for secret-store integration

Installation

pip install qubership-external-cred-provision

The installed command is external-cred-provision (shorter than the PyPI package name).

Quick start

Apply provisioning from a context file:

external-cred-provision path/to/external-credentials.yaml

Validate without writing to any store:

external-cred-provision --dry-run path/to/external-credentials.yaml

Set console log verbosity (full diagnostic log is always written to full.log):

external-cred-provision --log-level INFO path/to/external-credentials.yaml

Command-line options

Flag Default Meaning
--dry-run off Run checks only; no writes to secret stores
--log-level DEBUG Console and module.log verbosity

Positional argument <context-path> is required. It must point to a YAML file that defines a top-level credentials map.

Supported secret stores

Store type is inferred from each credential's VALS reference scheme:

VALS scheme prefix Store
ref+vault:// HashiCorp Vault
ref+openbao:// OpenBao
ref+gcpsecrets:// Google Cloud Secret Manager
ref+awssecrets:// AWS Secrets Manager

Provisioning strategies

Strategy Secret exists Secret absent
fail_if_absent skip fail
create_if_absent skip create
overwrite overwrite create

Entries with fail_if_absent omit data because the CLI performs no write. Write strategies require a data field (map or scalar, depending on the store).

Minimal context example

credentials:
  app-cred:
    vals: "ref+vault://kv/path/to/app-cred"
    strategy: create_if_absent
    data:
      username: app_user
      password: _generateValue

  monitoring-token:
    vals: "ref+vault://kv/path/to/monitoring-token"
    strategy: fail_if_absent

Configuration

Authentication and store settings are read from environment variables. Variable names depend on store type and optional secret_store_id query parameters in each VALS reference.

See the External Credentials provisioning CLI reference for the full variable list, input schema, value-generation rules, and runtime behaviour.

Broader EnvGene external-credentials design (context generation, Effective Set integration):

External Credentials Management

License

Apache License 2.0. See the LICENSE file in the EnvGene repository.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qubership_external_cred_provision-1.0.0.tar.gz (6.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file qubership_external_cred_provision-1.0.0.tar.gz.

File metadata

File hashes

Hashes for qubership_external_cred_provision-1.0.0.tar.gz
Algorithm Hash digest
SHA256 7320b9535c286ca830395c784ad33852a1e16e69be12add6e341484ba829b308
MD5 2f09f87a1ac41fc85391c862b383c31a
BLAKE2b-256 d56148ac7e5a90d2fee95fc6036b6f49640d21bfd39b22671f4e36d49073c187

See more details on using hashes here.

File details

Details for the file qubership_external_cred_provision-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for qubership_external_cred_provision-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2d1796934694895710d30f5fc1fd406c221542a2957f8bf448e33ce86f4620db
MD5 c4a59522574cdd632e21cd43999dc264
BLAKE2b-256 fa1b3de7d4e81ed9e828e3c90569bf1e67d9d08d8e9c011b91fe880f5803d877

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page