Put secrets from Vault to environment variables
Project description
Secrets.env 🔓
Put secrets from the Vault KV engine into environment variables like a .env loader, without landing data on disk.
Security is important, but we don't want it to be a stumbling block. We love secret managers, but the practice of getting secrets for local development can be dangerous: some of us put the sensitive data into a shell script and source it, which brings the risk of leaking credentials.
This tool is built to plug secrets into development without landing data on disk. Furthermore, the config file can be safely committed into version control, for easily reproducing the environment, and to reduce the risk of uploading the secrets to a server.
Usage
Note
Standard CLI usage is not implemented yet. Currently this app can only be used as a poetry plugin.
Get it from PyPI:
# add as poetry global plugin
poetry self add secrets.env -E yaml
# add to local project
poetry add --group=dev secrets.env -E toml
The following extras are available:
- yaml: supports YAML config
- toml: supports TOML config, including pyproject.toml
If none of them is selected, this app only supports config in JSON format.
With poetry
You can use this package as a poetry plugin; the app will then pull the secrets from Vault on `poetry run` and `poetry shell`.
# 1. install plugin
poetry add --group=dev secrets.env -E yaml
# 2. setup config
# read the configuration section below for details
export SECRETS_ENV_ADDR='https://example.com'
export SECRETS_ENV_METHOD='token'
export SECRETS_ENV_TOKEN='example-token'
# the config is a YAML mapping: `VAR: path#key`; append the second line instead of overwriting the first
echo 'secrets:' > .secrets-env.yaml
echo '  FOO: secrets/default#example' >> .secrets-env.yaml
# 3. run: FOO is injected into the child process environment, nothing is written to disk
poetry run sh -c 'echo $FOO'
Configure
Configuration file
This app searches for a file matching one of the following names in the current working directory and its parent folders, and loads the config from it. When more than one exists, the first one is selected according to the order here:
- .secrets-env.toml [^1]
- .secrets-env.yaml [^2]
- .secrets-env.yml [^2]
- .secrets-env.json
- pyproject.toml [^1]

[^1]: TOML format is only supported when either tomllib or tomli is installed.
[^2]: YAML format is only supported when PyYAML is installed.
An example config in YAML format:

# `source` configures the connection info to Vault.
# All values in this section can be overwritten by environment variables, so
# it is possible to run the secrets.env app without this section.
source:
  # Address of Vault.
  # Can be replaced using the environment variable `SECRETS_ENV_ADDR` or `VAULT_ADDR`.
  url: https://example.com/

  # Authentication info.
  # The schema for authentication can be complex; read the section below.
  auth:
    method: okta
    username: user@example.com

  # Transport layer security (TLS) configuration.
  # All keys under this section are optional.
  tls:
    # Server-side certificate for verifying responses.
    ca_cert: /path/ca.cert
    # Client-side certificate for communicating with the Vault server.
    client_cert: /path/client.cert
    client_key: /path/client.key

# `secrets` lists the environment variable name and the path to get the secret value from.
secrets:
  # The key (VAR1) is the environment variable name the secret is installed into.
  VAR1:
    # Path to read the secret from Vault.
    path: kv/default
    # Key identifying which value to extract, as a single secret in the KV engine
    # may hold multiple values.
    # For nested structures, join the keys with dots.
    key: example.to.value

  # Syntax sugar: path#key
  VAR2: "kv/default#example.to.value"
Most supported file formats share the same schema as this example. The only difference is the pyproject.toml format: there, each section must be placed under the tool.secrets-env section. Visit the example folder to read the equivalent expression in each format.
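How the `secrets:` section above is resolved, as an added example that is not the project's own code: it accepts both the long form and the `path#key` shorthand, walks dot-joined keys into nested values, and loads the result into the process environment. The KV store is a constructed in-memory dict standing in for Vault, and all function names are assumptions.

```python
import os

# Constructed sample mirroring the `secrets:` section above: the long form
# (path + key) and the `path#key` shorthand side by side.
SECRETS_SECTION = {
    "VAR1": {"path": "kv/default", "key": "example.to.value"},
    "VAR2": "kv/default#example.to.value",
    "VAR3": "kv/default#missing.key",  # unresolvable: left out of the result
}

# Constructed stand-in for the data Vault returns per KV secret path.
FAKE_KV_STORE = {
    "kv/default": {"example": {"to": {"value": "s3cr3t"}}, "flat": "x"},
}

def parse_spec(spec):
    """Normalise a spec to (path, key); only the first '#' splits the shorthand."""
    if isinstance(spec, str):
        path, sep, key = spec.partition("#")
        if not sep or not path or not key:
            raise ValueError(f"expected 'path#key', got {spec!r}")
        return path, key
    return spec["path"], spec["key"]

def extract(secret, dotted_key):
    """Walk a nested secret by a dot-joined key; None if any level is missing."""
    node = secret
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def resolve_all(section, store):
    """Map env-var names to values; specs that resolve to nothing are skipped."""
    resolved = {}
    for name, spec in section.items():
        path, key = parse_spec(spec)
        value = extract(store.get(path, {}), key)
        if value is not None:
            resolved[name] = str(value)
    return resolved

def install(values):
    """Load values into this process's environment; nothing is written to disk."""
    os.environ.update(values)
    return sorted(values)
```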
Authentication
Vault enforces authentication on requests, so we must provide an identity in order to get the secrets.
Method
Secrets.env supports several authentication methods. You must specify the method either in the config file or via the environment variable SECRETS_ENV_METHOD. Here's the format in the config file:

---
# standard layout
# arguments can be included under `auth:`
source:
  auth:
    method: okta
    username: user@example.com
---
# alternative layout
# arguments must be available from another source
source:
  auth: token
Arguments
Auth data can be provided by various sources, including:
- Config file: Place the config value under the auth section, using the key given in the table below.
- Environment variable: In most cases, an environment variable can be used to overwrite the values from the config file.
- Keyring: We're using the keyring package to read values from the system keyring (e.g. macOS Keychain). To save a value into the keyring, use its command line utility with the system name secrets.env:
  keyring set secrets.env token/:token
  keyring set secrets.env okta/test@example.com
- Prompt: If no data is found in any other source, the user is prompted for input. The prompt is only enabled when the optional dependency click is installed, and you can disable it by setting the environment variable SECRETS_ENV_NO_PROMPT=True.
Supported methods
Here are the argument(s) for each method, their accepted sources, and the corresponding keys.

method: token

key | config file | environment variable | keyring | helper |
---|---|---|---|---|
token | ⛔️ | SECRETS_ENV_TOKEN, VAULT_TOKEN | token/:token | ✅ |

Token helper: the Vault CLI stores the generated token in the ~/.vault-token file after authenticating. This app reads the token from that file, but it does not create one when authenticating through this app. To create one, run vault login.

method: okta

key | config file | environment variable | keyring | prompt |
---|---|---|---|---|
username | username | SECRETS_ENV_USERNAME | okta/:username | ✅ |
password | ⛔️ | SECRETS_ENV_PASSWORD | okta/YOUR_USER_NAME | ✅ |
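The source precedence described under Arguments, combined with the key mappings in the two tables above, as an added example that is not the project's own code: the tables are transcribed into METHOD_ARGS, the keyring and prompt are injected callables so the code runs offline, and the function names are assumptions.

```python
from pathlib import Path

# Constructed from the tables above; per argument: (config-file key or None,
# environment variables in order, keyring username, may prompt)
METHOD_ARGS = {
    "token": {"token": (None, ("SECRETS_ENV_TOKEN", "VAULT_TOKEN"), "token/:token", False)},
    "okta": {
        "username": ("username", ("SECRETS_ENV_USERNAME",), "okta/:username", True),
        "password": (None, ("SECRETS_ENV_PASSWORD",), "okta/{username}", True),
    },
}

def token_helper(home=None):
    """Token helper: the token `vault login` wrote to ~/.vault-token, or None."""
    path = Path(home or Path.home()) / ".vault-token"
    return path.read_text().strip() if path.is_file() else None

def resolve_arg(name, spec, config, env, keyring_get, helper, prompt, no_prompt, known):
    """Config file -> environment -> keyring -> helper -> prompt; (value, source) or (None, None)."""
    config_key, env_names, keyring_name, may_prompt = spec
    if config_key and config.get(config_key):
        return config[config_key], "config"
    for var in env_names:  # first match wins, e.g. SECRETS_ENV_TOKEN before VAULT_TOKEN
        if env.get(var):
            return env[var], "env"
    # the okta password is stored under okta/<username>, filled from the already-resolved username
    keyring_user = keyring_name.format(username=known.get("username", ""))
    if not keyring_user.endswith("/"):
        value = keyring_get("secrets.env", keyring_user)
        if value:
            return value, "keyring"
    value = helper() if name == "token" else None  # only the token has a helper column
    if value:
        return value, "helper"
    if may_prompt and not no_prompt:
        value = prompt(name)
        if value:
            return value, "prompt"
    return None, None

def resolve_auth(method, config, env, keyring_get, prompt, helper=token_helper):
    """Resolve every argument the method needs; fail loudly if one stays unresolved."""
    no_prompt = env.get("SECRETS_ENV_NO_PROMPT", "").lower() in ("1", "true")
    known, result = {}, {}
    for name, spec in METHOD_ARGS[method].items():
        value, source = resolve_arg(name, spec, config, env, keyring_get, helper, prompt, no_prompt, known)
        if value is None:
            raise LookupError(f"no value found for {method} argument {name!r}")
        known[name], result[name] = value, (value, source)
    return result
```

Pass `helper=lambda: None` when you want to rule out a real ~/.vault-token on the machine; the default reads the home directory just as the helper column describes.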
Hashes for secrets_env-0.8.0-py3-none-any.whl

Algorithm | Hash digest |
---|---|
SHA256 | 72794aace7cd7a9a18408f38b4c99d617eb491509703449f0a79d703f4df1487 |
MD5 | 5a4f00c83513b865d6aed5579adaeb5e |
BLAKE2b-256 | d040079851ea6eb1e83288c07004b0971996976fcef632afb0a328e7cca8a287 |