Flexible Secret Loader to load secrets from any source with a simple API!
Project description
Secret-Loader
Flexible Secret Loader
- Unified interface for different secret backends
- Easy to add new backends
- Easily configure precendence of loaders/backends
- Use the same precedence in bash scripts and your application
Why?
The intent is to have a single interface to access secrets no matter which secret backend is used. Personally I faced the following setup in several projects:
- Production/Staging Systems on AWS with secrets stored in AWS SecretsManager
- Local/Dev Setup with "secrets" stored in .env file or environment variables
This project aims to work just the same no matter which scenario you are using. It should first check the environment variables, then the next configured loader and so on until a valid secret by the given name is found and returned.
Additionally there is a cli because sometimes you want to retrieve secrets before your application runs (e.g. connecting to a database inside a docker entrypoint script). This way you get the same behaviour for both your application and other scripts.
Default Precedence/Priority of Loaders
The following locations will be probed for an existing value with the name secret_name
in this order:
- Environment Variables
- A
.env
file - AWS SecretsManager (using boto3 search order to search for valid aws credentials)
How to install
python -m pip install secret_loader
How to use the secrets_loader
Basic/Out-of-the-box usage
from secrets_loader import secret
api_token = secret("SOME_API_TOKEN")
# Make some use of the token ...
Add a custom loader
from secret_loader import secret
from secret_loader.exceptions import SecretNotFoundError
from secret_loader.base import BaseLoader
class MyCustomLoader(BaseLoader):
def load(self, secret_name, **kwargs):
# Do something to get the secret_value
secret_value = "some-very-important-secret"
if not secret_value:
# This is necessary/expected to indicate that the secret was not found
raise SecretNotFoundError(f"MyCustomLoader cloud not load {secret_name}")
return secret_value
secret.register(MyCustomLoader, priority=100)
important_secret = secret("my_secret_name")
How to run the secrets_loader from the Command Line
python -m secret_loader --help
usage: secret_loader [-h] [--name NAME] [--fail] [--loader {EnvLoader,EnvFileLoader,AWSSecretsLoader}] [--custom_loader CUSTOM_LOADER] [--priority PRIORITY] [--remove_loaders] [--list_loaders] [--debug]
Secret-Loader
A unified way to laod secrets from different sources.
The secrets-loader will try to load a secret from a list of places:
1. the current Environment
2. a local .env file
3. AWS SecretsManager
The result is printed to standard out, so besure to use this wisely.
optional arguments:
-h, --help show this help message and exit
--name NAME, -n NAME Name of Secret to Load
--fail Fail if Secret is not Found
--loader {EnvLoader,EnvFileLoader,AWSSecretsLoader}
Specify a Loader to use
--custom_loader CUSTOM_LOADER
Use custom Loader, specified as an importable string e.g., 'some.module.CustomLoader'
--priority PRIORITY, -p PRIORITY
Specify a specific priority level for a selected or custom loader
--remove_loaders Remove pre-registered Loaders
--list_loaders, -l List all currently available loaders
--debug, -d Print Debug Messages
Version 0.5 - June 2020 - Moritz Eilfort - src: github.com/JimFawkes/secret-loader
License GPLv3+ - Copyright 2020 Moritz Eilfort
Examples for CLI Usage
How to run the tests
pytest
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for secret_loader-0.6-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4c521a175c1ae01692e7a9c5cedb815019393784c994f0eb4d07a537f8705ffd |
|
MD5 | 37b33e0f9eb9da9ac6a6f92b1341658c |
|
BLAKE2b-256 | 97b9a5ed8eba5431ab94db38bc40647d84794a3dfca35950c3d6db12a85d966b |