Qubership EnvGene CLI that provisions external credentials into Vault, OpenBao, GCP Secret Manager, and AWS Secrets Manager from a YAML context file.
Project description
qubership-external-cred-provision
Command-line tool for EnvGene that provisions external credentials into secret stores from a declarative YAML context file.
EnvGene generates the context during Effective Set calculation. This CLI reads that file, connects to the configured stores, and creates or verifies secrets according to each entry's strategy. It supports dry-run mode for CI validation without writes.
Features
- Provisions credentials into HashiCorp Vault, OpenBao, Google Cloud Secret Manager, and AWS Secrets Manager
- Idempotent strategies: verify presence, create when absent, or overwrite
- Generates secret values when a field is marked with the reserved
_generateValuemarker - Dry-run mode for pre-flight checks before apply
- Structured logging to console and log files
Requirements
- Python 3.12
- Network access to the target secret stores
- Store authentication via process environment variables (see configuration)
- Runtime dependency on
qubership-pipelines-common-libraryfor secret-store integration
Installation
pip install qubership-external-cred-provision
The installed command is external-cred-provision (shorter than the PyPI package name).
Quick start
Apply provisioning from a context file:
external-cred-provision path/to/external-credentials.yaml
Validate without writing to any store:
external-cred-provision --dry-run path/to/external-credentials.yaml
Set console log verbosity (full diagnostic log is always written to full.log):
external-cred-provision --log-level INFO path/to/external-credentials.yaml
Command-line options
| Flag | Default | Meaning |
|---|---|---|
--dry-run |
off | Run checks only; no writes to secret stores |
--log-level |
DEBUG | Console and module.log verbosity |
Positional argument <context-path> is required. It must point to a YAML file that defines a
top-level credentials map.
Supported secret stores
Store type is inferred from each credential's VALS reference scheme:
| VALS scheme prefix | Store |
|---|---|
ref+vault:// |
HashiCorp Vault |
ref+openbao:// |
OpenBao |
ref+gcpsecrets:// |
Google Cloud Secret Manager |
ref+awssecrets:// |
AWS Secrets Manager |
Provisioning strategies
| Strategy | Secret exists | Secret absent |
|---|---|---|
fail_if_absent |
skip | fail |
create_if_absent |
skip | create |
overwrite |
overwrite | create |
Entries with fail_if_absent omit data because the CLI performs no write. Write strategies
require a data field (map or scalar, depending on the store).
Minimal context example
credentials:
app-cred:
vals: "ref+vault://kv/path/to/app-cred"
strategy: create_if_absent
data:
username: app_user
password: _generateValue
monitoring-token:
vals: "ref+vault://kv/path/to/monitoring-token"
strategy: fail_if_absent
Configuration
Authentication and store settings are read from environment variables. Variable names depend on
store type and optional secret_store_id query parameters in each VALS reference.
See the External Credentials provisioning CLI reference for the full variable list, input schema, value-generation rules, and runtime behaviour.
Broader EnvGene external-credentials design (context generation, Effective Set integration):
External Credentials Management
License
Apache License 2.0. See the LICENSE file in the EnvGene repository.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qubership_external_cred_provision-1.0.1.tar.gz.
File metadata
- Download URL: qubership_external_cred_provision-1.0.1.tar.gz
- Upload date:
- Size: 6.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.3 CPython/3.12.13 Linux/6.17.0-1018-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
36b599a44827d85c9e680b6fed242694912be1a08b252176be18409a946a269a
|
|
| MD5 |
454f697db29650d42c4a156b8b0b4a08
|
|
| BLAKE2b-256 |
4f413ad99441847f39d22f80b31deee3c5a926cbb014a66b3acb0866a14a5e00
|
File details
Details for the file qubership_external_cred_provision-1.0.1-py3-none-any.whl.
File metadata
- Download URL: qubership_external_cred_provision-1.0.1-py3-none-any.whl
- Upload date:
- Size: 7.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.3 CPython/3.12.13 Linux/6.17.0-1018-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6436b9709f169e28f0e6837d7f1b9abf50f1d5774eed17dd9ef0548f21db5747
|
|
| MD5 |
b5840802f6a16091297c5188eeae3a8c
|
|
| BLAKE2b-256 |
5a8463d3dd3c67bcd340b03e151e89a1140763bab66b9f8f4005c9ffc9fedb04
|