read env secrets from aws secrets manager

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Deepak-coder80 from gravatar.com Deepak-coder80

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

AWS Secrets Manager Helper

A Python package that provides a simple and robust way to retrieve secrets from AWS Secrets Manager with automatic fallback to role-based authentication.

Features

  • Dual Authentication Strategy: Attempts direct access first, then falls back to STS role-based authentication
  • Flexible Secret Handling: Supports both JSON string and binary secret formats
  • Error Handling: Comprehensive error handling with meaningful error messages
  • Easy Integration: Simple function interface that works with existing AWS configurations

Installation

pip install sm_env_read

Requirements

  • Python 3.7+
  • Valid AWS credentials (either through environment variables, IAM roles, or AWS CLI configuration)

Usage

Basic Usage

from sm_env_read import get_env_secrets_from_sm

def main():
    secrets =  get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="MySecretsRole",
        secret_name="my-app/prod/secrets"
    )
    
    # Access your secrets
    db_password = secrets.get("database_password")
    api_key = secrets.get("api_key")
    
    print(f"Retrieved {len(secrets)} secrets")

# Run the async function
main()

Django Integration

# settings.py
from sm_env_read import get_env_secrets_from_sm

def load_secrets():
    return  get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="DjangoSecretsRole",
        secret_name="django/prod/secrets"
    )

# Load secrets synchronously in Django settings
secrets = load_secrets()

# Use secrets in your Django settings
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': secrets.get('db_name'),
        'USER': secrets.get('db_user'),
        'PASSWORD': secrets.get('db_password'),
        'HOST': secrets.get('db_host'),
        'PORT': secrets.get('db_port', '5432'),
    }
}

SECRET_KEY = secrets.get('django_secret_key')

FastAPI Integration

from fastapi import FastAPI
from sm_env_read import get_env_secrets_from_sm
import asyncio

app = FastAPI()

# Load secrets at startup
@app.on_event("startup")
def startup_event():
    app.state.secrets =  get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="FastAPISecretsRole",
        secret_name="fastapi/prod/secrets"
    )

@app.get("/")
def root():
    # Access secrets from app state
    api_key = app.state.secrets.get("external_api_key")
    return {"message": "Hello World", "api_configured": bool(api_key)}

Error Handling

from sm_env_read import get_env_secrets_from_sm
from botocore.exceptions import ClientError

async def safe_get_secrets():
    try:
        secrets =  get_env_secrets_from_sm(
            account_id="123456789012",
            region="us-east-1",
            role_name="MySecretsRole",
            secret_name="my-app/prod/secrets"
        )
        return secrets
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'SecretNotFound':
            print("Secret not found")
        elif error_code == 'AccessDenied':
            print("Access denied - check IAM permissions")
        else:
            print(f"AWS error: {error_code}")
        return {}
    except Exception as e:
        print(f"Unexpected error: {e}")
        return {}

secrets = safe_get_secrets()

Authentication Methods

The function uses a linear approach to authentication:

  1. Direct Access: Uses default AWS credentials (environment variables, IAM instance profile, or AWS CLI configuration)
  2. Role-Based Access: If direct access fails, assumes the specified IAM role using STS

Required IAM Permissions

For the executing environment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::ACCOUNT:role/ROLE_NAME"
        }
    ]
}

For the assumed role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME*"
        }
    ]
}

Secret Format

The function expects secrets to be stored as JSON in AWS Secrets Manager:

{
    "database_password": "super_secret_password",
    "api_key": "your_api_key_here",
    "encryption_key": "base64_encoded_key"
}

Parameters

  • account_id (str): AWS account ID where the secret is stored
  • region (str): AWS region where the secret is located
  • role_name (str): IAM role name to assume if direct access fails
  • secret_name (str): Name of the secret in AWS Secrets Manager

Return Value

Returns a dictionary containing the secret key-value pairs parsed from the JSON stored in AWS Secrets Manager.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Third-Party Licenses

This package uses the following open source libraries: boto3: Licensed under the (Apache License 2.0)[https://github.com/boto/boto3/blob/develop/LICENSE]. Copyright Amazon.com, Inc. or its affiliates.

Support

For issues and questions, please create an issue on the GitHub repository.

Changelog

v1.0.4

  • Initial release
  • Support for dual authentication strategy
  • Comprehensive error handling

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Deepak-coder80 from gravatar.com Deepak-coder80

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

This version

1.1.0

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sm_env_read-1.1.0.tar.gz (4.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sm_env_read-1.1.0-py3-none-any.whl (4.3 kB view details)

Uploaded Python 3

File details

Details for the file sm_env_read-1.1.0.tar.gz.

File metadata

  • Download URL: sm_env_read-1.1.0.tar.gz
  • Upload date:
  • Size: 4.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.3

File hashes

Hashes for sm_env_read-1.1.0.tar.gz
Algorithm Hash digest
SHA256 217dbfb83b98ed1c470b68a2f00cb8a2b0672ff2cd7879de4cf7acb82ad30a5a
MD5 85daa8fe1c6d24adf096d2a396250bb4
BLAKE2b-256 275acc0065af5dc14e743a7b8ad69e4ca3303d4caeb0443c084067fc9dc46ba1

See more details on using hashes here.

File details

Details for the file sm_env_read-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: sm_env_read-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 4.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.3

File hashes

Hashes for sm_env_read-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4fb551bc33ce2f3fa78d4f478171c7ed5166fa38105611b4793fdacbbe22fa75
MD5 e9d8d025e5293dd30e04f43aa9466666
BLAKE2b-256 6d9f8cf8a3271ca17dec9138cba0fc4859d960adfaec245a57fad6ce9f26df28

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page