Skip to main content

Qubership EnvGene CLI that provisions external credentials into Vault, OpenBao, GCP Secret Manager, and AWS Secrets Manager from a YAML context file.

Project description

qubership-external-cred-provision

Command-line tool for EnvGene that provisions external credentials into secret stores from a declarative YAML context file.

EnvGene generates the context during Effective Set calculation. This CLI reads that file, connects to the configured stores, and creates or verifies secrets according to each entry's strategy. It supports dry-run mode for CI validation without writes.

Features

  • Provisions credentials into HashiCorp Vault, OpenBao, Google Cloud Secret Manager, and AWS Secrets Manager
  • Idempotent strategies: verify presence, create when absent, or overwrite
  • Generates secret values when a field is marked with the reserved _generateValue marker
  • Dry-run mode for pre-flight checks before apply
  • Structured logging to console and log files

Requirements

  • Python 3.12
  • Network access to the target secret stores
  • Store authentication via process environment variables (see configuration)
  • Runtime dependency on qubership-pipelines-common-library for secret-store integration

Installation

pip install qubership-external-cred-provision

The installed command is external-cred-provision (shorter than the PyPI package name).

Quick start

Apply provisioning from a context file:

external-cred-provision path/to/external-credentials.yaml

Validate without writing to any store:

external-cred-provision --dry-run path/to/external-credentials.yaml

Set console log verbosity (full diagnostic log is always written to full.log):

external-cred-provision --log-level INFO path/to/external-credentials.yaml

Command-line options

Flag Default Meaning
--dry-run off Run checks only; no writes to secret stores
--log-level DEBUG Console and module.log verbosity

Positional argument <context-path> is required. It must point to a YAML file that defines a top-level credentials map.

Supported secret stores

Store type is inferred from each credential's VALS reference scheme:

VALS scheme prefix Store
ref+vault:// HashiCorp Vault
ref+openbao:// OpenBao
ref+gcpsecrets:// Google Cloud Secret Manager
ref+awssecrets:// AWS Secrets Manager

Provisioning strategies

Strategy Secret exists Secret absent
fail_if_absent skip fail
create_if_absent skip create
overwrite overwrite create

Entries with fail_if_absent omit data because the CLI performs no write. Write strategies require a data field (map or scalar, depending on the store).

Minimal context example

credentials:
  app-cred:
    vals: "ref+vault://kv/path/to/app-cred"
    strategy: create_if_absent
    data:
      username: app_user
      password: _generateValue

  monitoring-token:
    vals: "ref+vault://kv/path/to/monitoring-token"
    strategy: fail_if_absent

Configuration

Authentication and store settings are read from environment variables. Variable names depend on store type and optional secret_store_id query parameters in each VALS reference.

See the External Credentials provisioning CLI reference for the full variable list, input schema, value-generation rules, and runtime behaviour.

Broader EnvGene external-credentials design (context generation, Effective Set integration):

External Credentials Management

License

Apache License 2.0. See the LICENSE file in the EnvGene repository.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qubership_external_cred_provision-1.0.1.tar.gz (6.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file qubership_external_cred_provision-1.0.1.tar.gz.

File metadata

File hashes

Hashes for qubership_external_cred_provision-1.0.1.tar.gz
Algorithm Hash digest
SHA256 36b599a44827d85c9e680b6fed242694912be1a08b252176be18409a946a269a
MD5 454f697db29650d42c4a156b8b0b4a08
BLAKE2b-256 4f413ad99441847f39d22f80b31deee3c5a926cbb014a66b3acb0866a14a5e00

See more details on using hashes here.

File details

Details for the file qubership_external_cred_provision-1.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for qubership_external_cred_provision-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6436b9709f169e28f0e6837d7f1b9abf50f1d5774eed17dd9ef0548f21db5747
MD5 b5840802f6a16091297c5188eeae3a8c
BLAKE2b-256 5a8463d3dd3c67bcd340b03e151e89a1140763bab66b9f8f4005c9ffc9fedb04

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page