Skip to main content

secrets-helper

Project description

Latest Version Supported Python Versions Code style: black Documentation Status https://travis-ci.org/awslabs/secrets-helper.svg?branch=master https://ci.appveyor.com/api/projects/status/REPLACEME/branch/master?svg=true

secrets-helper helps you use credentials stored in AWS Secrets Manager with tools that accept credentials and other configuration through environment variables.

Getting Started

Required Prerequisites

  • Suported Python versions

    • 3.7

    • 3.8

Installation

$ pip install secrets-helper

Usage

How it works

To use secrets-helper, simply identify the ARN of your Secrets Manager secret, the command profile that you want to use, and the command that you want to run along with any desired arguments.

$ secrets-helper run \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret \
    --profile twine \
    --command "twine upload --skip-existing dist/*"

Value Injection

secrets-helper gets your credentials from Secrets Manager and injects them into the appropriate environment variables when it runs the command.

For example, if you were to have it run the env command to print out all of your environment variables, you would see:

$ secrets-helper run \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret \
    --profile twine \
    --command env
TWINE_USERNAME=my-awesome-username
TWINE_PASSWORD=my-secret-password
TWINE_REPOSITORY_URL=https://test.pypi.org/legacy/

Configuration

In order for secrets-helper to correctly load your credentials, your secret needs to be JSON-formatted with expected field names. It uses these names to map your secret values to the correct environment variables. This means you can use a single Secrets Manager secret to store multiple secret values.

You can either format your secret plaintext like this manually or you can create key-value pairs in your secret through the Secrets Manager console.

$ aws secretsmanager get-secret-value \
    --secret-id arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret
{
    "username": "my-awesome-username",
    "password": "my-secret-password",
    "url": "https://test.pypi.org/legacy/"
}

secrets-helper comes pre-loaded with some known environment variable mappings for common tools. You can use those as-is or you can provide an ini-style config file that defines a custom mapping.

$ secrets-helper run \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret \
    --config twine-config.cfg \
    --command "twine upload --skip-existing dist/*"

A mapping for twine might looks like this:

[secrets-helper.env]
username: TWINE_USERNAME
password: TWINE_PASSWORD
url: TWINE_REPOSITORY_URL

Additional Configuration

You can also define secret IDs and a command profile in the config file.

[secrets-helper.settings]
secrets:
    arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret
    arn:aws:secretsmanager:us-west-2:111222333444:secret:AnotherSecret
profile: twine

Multiple Secrets

You might need to load secret values from multiple Secrets Manager secrets. In this case, simply provide multiple --secret options!

$ secrets-helper run \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:AnotherSecret \
    --profile twine \
    --command "twine upload --skip-existing dist/*"

Secrets as Command Line Parameters

Some commands need secret values to be passed in as command line parameters. If you need to do this, add a reference in your --command parameter using the {env:NAME} syntax to identify where you need environment variable values to be injected.

$ secrets-helper run \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret \
    --profile twine \
    --command "twine upload --skip-existing {env:DIST_DIRECTORY}"

Passing to env

In some advanced use cases, you might not be able to use the run operating mode. If you find yourself in this situation, you can use the env operating mode and make secrets-helper print out the resulting environment variable assignments in a format that the env command can understand.

$ secrets-helper env \
    --secret arn:aws:secretsmanager:us-west-2:111222333444:secret:MyAwesomeSecret \
    --profile twine

Development

Prerequisites

  • Required

    • Python 3.7+

    • tox : We use tox to drive all of our testing and package management behavior. Any tests that you want to run should be run using tox.

  • Optional

    • pyenv : If you want to test against multiple versions of Python and are on Linux or MacOS, we recommend using pyenv to manage your Python runtimes.

    • tox-pyenv : Plugin for tox that enables it to use pyenv runtimes.

    • detox : Parallel plugin for tox. Useful for running a lot of test environments quickly.

Setting up pyenv

If you are using pyenv, make sure that you have set up all desired runtimes and configured the environment before attempting to run any tests.

  1. Install all desired runtimes.

    • ex: pyenv install 3.7.0

    • NOTE: You can only install one runtime at a time with the pyenv install command.

  1. In the root of the checked out repository for this package, set the runtimes that pyenv should use.

    • ex: pyenv local 2.7.14 3.4.6 3.5.3 3.6.4 3.7.0

    • NOTE: This creates the .python-version file that pyenv will use. Pyenv treats the first version in that file as the default Python version.

Running tests

There are two criteria to consider when running our tests: what version of Python do you want to use and what type of tests do you want to run?

For a full listing of the available types of tests available, see the [testenv]commands section of the tox.ini file.

All tests should be run using tox. To do this, identify the test environment that you want tox to run using the -e ENV_NAME flag. The standard test environments are named as a combination of the Python version and the test type in the form VERSION-TYPE. For example, to run the local tests against CPython 3.7:

tox -e py37-local

If you want to provide custom parameters to pytest to manually identify what tests you want to run, use the manual test type. Any arguments you want to pass to pytest must follow the -- argument. Anything before that argument is passed to tox. Everything after that argument is passed to pytest.

tox -e py37-manual -- test/unit/test_example_file.py

Before submitting a pull request

Before submitting a pull request, please run the lint tox environment. This will ensure that your submission meets our code formatting requirements and will pass our continous integration code formatting tests.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secrets-helper-0.1.0.tar.gz (36.2 kB view details)

Uploaded Source

Built Distribution

secrets_helper-0.1.0-py2.py3-none-any.whl (25.0 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file secrets-helper-0.1.0.tar.gz.

File metadata

  • Download URL: secrets-helper-0.1.0.tar.gz
  • Upload date:
  • Size: 36.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.40.2 CPython/3.8.0

File hashes

Hashes for secrets-helper-0.1.0.tar.gz
Algorithm Hash digest
SHA256 cfc3bab843431152f41d0df3844e92ac6864d084d0e17a72cd160ea28610fb28
MD5 fd417f3bcff765c2fd2eb599334d1976
BLAKE2b-256 764f89b0813677509c369e216fe4bd14adde452a31d65e9d73b28f9917ed602f

See more details on using hashes here.

File details

Details for the file secrets_helper-0.1.0-py2.py3-none-any.whl.

File metadata

  • Download URL: secrets_helper-0.1.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 25.0 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.40.2 CPython/3.8.0

File hashes

Hashes for secrets_helper-0.1.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 5dde7046bb8d753dd8451e42b69dc6e8b8535b4151326b6ac5940b6f86573936
MD5 ed32d7d1c8e8a26c6d80c8f805ed7131
BLAKE2b-256 3576315db8719e4dcada5dc98065ea4b1db10632dabead0c9df3f75ba8277540

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page