Declarative secrets, every environment, any provider (Python SDK)
Project description
secretspec (Python SDK)
Python bindings for SecretSpec, a declarative secrets
manager. This package is a thin client over a pyo3 extension that calls
secretspec::resolve_json directly: resolution (providers, chains, profiles,
generation, as_path) happens in the Rust core, so the SDK inherits every
provider with no Python-side logic.
from secretspec import SecretSpec
resolved = (
SecretSpec.builder()
.with_provider("keyring://")
.with_profile("production")
.with_reason("boot web app")
.load()
)
print(resolved.provider, resolved.profile)
db = resolved.secrets["DATABASE_URL"]
print(db.get) # the value, or the file path for as_path secrets
resolved.set_as_env() # export everything into os.environ
A missing required secret raises MissingRequiredError; any other failure
raises SecretSpecError (with a stable .kind).
Cleanup
as_path secrets are materialized to temp files that outlive the call. Use the
result as a context manager (with SecretSpec.builder()...load() as resolved:)
or call resolved.close() when done so the secret files do not accumulate.
Value-free report
report() returns the inventory/preflight view: per-secret status and
provenance, never a value. Unlike load(), it does not raise when a required
secret is missing — it appears as a SecretReport with status
"missing_required".
report = SecretSpec.builder().with_profile("production").report()
for s in report.secrets:
print(s.name, s.status, s.required)
Native library
The Rust resolver is statically linked into a compiled pyo3 extension
(secretspec._native, built from the secretspec-py-native crate) inside the
installed wheel, so there is nothing to locate at runtime. The prebuilt abi3
wheels are self-contained (pip install secretspec). From a source checkout
the extension is built on demand by the test harness via maturin develop,
which needs maturin and a Rust toolchain on PATH.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distributions
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file secretspec-0.13.0-cp39-abi3-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: secretspec-0.13.0-cp39-abi3-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 14.5 MB
- Tags: CPython 3.9+, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
81e92bd7d84d5b292aaacdbd6a2b2fc978631b9651463f892d5ec78717ef4a38
|
|
| MD5 |
491792ce7875ccf1933be9e8eb82583c
|
|
| BLAKE2b-256 |
1337c48c989eeb744aec28554e33075e8c6f8b2d8c94d16e033e1716be624f4d
|
Provenance
The following attestation bundles were made for secretspec-0.13.0-cp39-abi3-manylinux_2_28_x86_64.whl:
Publisher:
python-wheels.yml on cachix/secretspec
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
secretspec-0.13.0-cp39-abi3-manylinux_2_28_x86_64.whl -
Subject digest:
81e92bd7d84d5b292aaacdbd6a2b2fc978631b9651463f892d5ec78717ef4a38 - Sigstore transparency entry: 2064327453
- Sigstore integration time:
-
Permalink:
cachix/secretspec@c1d2d6a0e0e8ebaf286453d84d4ca54e67fe16ee -
Branch / Tag:
refs/tags/v0.13.0 - Owner: https://github.com/cachix
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-wheels.yml@c1d2d6a0e0e8ebaf286453d84d4ca54e67fe16ee -
Trigger Event:
push
-
Statement type:
File details
Details for the file secretspec-0.13.0-cp39-abi3-manylinux_2_28_aarch64.whl.
File metadata
- Download URL: secretspec-0.13.0-cp39-abi3-manylinux_2_28_aarch64.whl
- Upload date:
- Size: 14.2 MB
- Tags: CPython 3.9+, manylinux: glibc 2.28+ ARM64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
42835331adb7e15cec8ea88fcda294fc1a980ec20a219025a8e4f20923463268
|
|
| MD5 |
122691449ebabfbff3cc042be4f751c1
|
|
| BLAKE2b-256 |
a4645a72c8e950a686f19e19f15ef532ef9230e58943c37e72133380df3edc69
|
Provenance
The following attestation bundles were made for secretspec-0.13.0-cp39-abi3-manylinux_2_28_aarch64.whl:
Publisher:
python-wheels.yml on cachix/secretspec
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
secretspec-0.13.0-cp39-abi3-manylinux_2_28_aarch64.whl -
Subject digest:
42835331adb7e15cec8ea88fcda294fc1a980ec20a219025a8e4f20923463268 - Sigstore transparency entry: 2064327410
- Sigstore integration time:
-
Permalink:
cachix/secretspec@c1d2d6a0e0e8ebaf286453d84d4ca54e67fe16ee -
Branch / Tag:
refs/tags/v0.13.0 - Owner: https://github.com/cachix
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-wheels.yml@c1d2d6a0e0e8ebaf286453d84d4ca54e67fe16ee -
Trigger Event:
push
-
Statement type:
File details
Details for the file secretspec-0.13.0-cp39-abi3-macosx_11_0_arm64.whl.
File metadata
- Download URL: secretspec-0.13.0-cp39-abi3-macosx_11_0_arm64.whl
- Upload date:
- Size: 10.7 MB
- Tags: CPython 3.9+, macOS 11.0+ ARM64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
296e3d2474209cb780db8d708301caaefb38d03ea23bf2775f589b18fb2bff02
|
|
| MD5 |
51576bfd1bd88e0450a21a606c77aff8
|
|
| BLAKE2b-256 |
8cc0f1f25cab3a9c77ba69cb7910f59af1075691570cb7a385092e46a8d83b22
|
Provenance
The following attestation bundles were made for secretspec-0.13.0-cp39-abi3-macosx_11_0_arm64.whl:
Publisher:
python-wheels.yml on cachix/secretspec
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
secretspec-0.13.0-cp39-abi3-macosx_11_0_arm64.whl -
Subject digest:
296e3d2474209cb780db8d708301caaefb38d03ea23bf2775f589b18fb2bff02 - Sigstore transparency entry: 2064327380
- Sigstore integration time:
-
Permalink:
cachix/secretspec@c1d2d6a0e0e8ebaf286453d84d4ca54e67fe16ee -
Branch / Tag:
refs/tags/v0.13.0 - Owner: https://github.com/cachix
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-wheels.yml@c1d2d6a0e0e8ebaf286453d84d4ca54e67fe16ee -
Trigger Event:
push
-
Statement type: