read env secrets from aws secrets manager

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Deepak-coder80 from gravatar.com Deepak-coder80

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

AWS Secrets Manager Helper

A Python package that provides a simple and robust way to retrieve secrets from AWS Secrets Manager with automatic fallback to role-based authentication.

Features

  • Dual Authentication Strategy: Attempts direct access first, then falls back to STS role-based authentication
  • Async Support: Built with async/await for non-blocking operations
  • Flexible Secret Handling: Supports both JSON string and binary secret formats
  • Error Handling: Comprehensive error handling with meaningful error messages
  • Easy Integration: Simple function interface that works with existing AWS configurations

Installation

pip install sm_env_read

Requirements

  • Python 3.7+
  • Valid AWS credentials (either through environment variables, IAM roles, or AWS CLI configuration)

Usage

Basic Usage

import asyncio
from aws_secrets_helper import get_env_secrets_from_sm

async def main():
    secrets = await get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="MySecretsRole",
        secret_name="my-app/prod/secrets"
    )
    
    # Access your secrets
    db_password = secrets.get("database_password")
    api_key = secrets.get("api_key")
    
    print(f"Retrieved {len(secrets)} secrets")

# Run the async function
asyncio.run(main())

Django Integration

# settings.py
import asyncio
from aws_secrets_helper import get_env_secrets_from_sm

async def load_secrets():
    return await get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="DjangoSecretsRole",
        secret_name="django/prod/secrets"
    )

# Load secrets synchronously in Django settings
secrets = asyncio.run(load_secrets())

# Use secrets in your Django settings
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': secrets.get('db_name'),
        'USER': secrets.get('db_user'),
        'PASSWORD': secrets.get('db_password'),
        'HOST': secrets.get('db_host'),
        'PORT': secrets.get('db_port', '5432'),
    }
}

SECRET_KEY = secrets.get('django_secret_key')

FastAPI Integration

from fastapi import FastAPI
from aws_secrets_helper import get_env_secrets_from_sm
import asyncio

app = FastAPI()

# Load secrets at startup
@app.on_event("startup")
async def startup_event():
    app.state.secrets = await get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="FastAPISecretsRole",
        secret_name="fastapi/prod/secrets"
    )

@app.get("/")
async def root():
    # Access secrets from app state
    api_key = app.state.secrets.get("external_api_key")
    return {"message": "Hello World", "api_configured": bool(api_key)}

Error Handling

import asyncio
from aws_secrets_helper import get_env_secrets_from_sm
from botocore.exceptions import ClientError

async def safe_get_secrets():
    try:
        secrets = await get_env_secrets_from_sm(
            account_id="123456789012",
            region="us-east-1",
            role_name="MySecretsRole",
            secret_name="my-app/prod/secrets"
        )
        return secrets
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'SecretNotFound':
            print("Secret not found")
        elif error_code == 'AccessDenied':
            print("Access denied - check IAM permissions")
        else:
            print(f"AWS error: {error_code}")
        return {}
    except Exception as e:
        print(f"Unexpected error: {e}")
        return {}

secrets = asyncio.run(safe_get_secrets())

Authentication Methods

The function uses a linear approach to authentication:

  1. Direct Access: Uses default AWS credentials (environment variables, IAM instance profile, or AWS CLI configuration)
  2. Role-Based Access: If direct access fails, assumes the specified IAM role using STS

Required IAM Permissions

For the executing environment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::ACCOUNT:role/ROLE_NAME"
        }
    ]
}

For the assumed role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME*"
        }
    ]
}

Secret Format

The function expects secrets to be stored as JSON in AWS Secrets Manager:

{
    "database_password": "super_secret_password",
    "api_key": "your_api_key_here",
    "encryption_key": "base64_encoded_key"
}

Parameters

  • account_id (str): AWS account ID where the secret is stored
  • region (str): AWS region where the secret is located
  • role_name (str): IAM role name to assume if direct access fails
  • secret_name (str): Name or ARN of the secret in AWS Secrets Manager

Return Value

Returns a dictionary containing the secret key-value pairs parsed from the JSON stored in AWS Secrets Manager.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For issues and questions, please create an issue on the GitHub repository.

Changelog

v1.0.0

  • Initial release
  • Support for dual authentication strategy
  • Async/await support
  • Comprehensive error handling

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Deepak-coder80 from gravatar.com Deepak-coder80

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

1.1.0

1.0.4

1.0.3

1.0.2

1.0.1

This version

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sm_env_read-1.0.0.tar.gz (4.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sm_env_read-1.0.0-py3-none-any.whl (4.3 kB view details)

Uploaded Python 3

File details

Details for the file sm_env_read-1.0.0.tar.gz.

File metadata

  • Download URL: sm_env_read-1.0.0.tar.gz
  • Upload date:
  • Size: 4.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.3

File hashes

Hashes for sm_env_read-1.0.0.tar.gz
Algorithm Hash digest
SHA256 2f64e0222df80f34ae3b7a2e3f68fddf56e5fb26eccc2dffe610b008733f1c5a
MD5 8e036dd6814af2681cb18af426bafaa9
BLAKE2b-256 c7d370e850ab4559b250c134ed6661a6a854983d2fcdeaaa94d6588344c988d6

See more details on using hashes here.

File details

Details for the file sm_env_read-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: sm_env_read-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 4.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.3

File hashes

Hashes for sm_env_read-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1a9c87cdd75ba742935f6a6b3fbcb5b3b471637f26ca67abfef712ceaa2d4336
MD5 7f3fb075d7c15ae1e14ea8279b1825bb
BLAKE2b-256 0adf794aa696da441a05906cdb9e0e4fb5d2ab668fd1270e10ea0ac90d6086b2

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page