read env secrets from aws secrets manager

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Deepak-coder80 from gravatar.com Deepak-coder80

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

AWS Secrets Manager Helper

A Python package that provides a simple and robust way to retrieve secrets from AWS Secrets Manager with automatic fallback to role-based authentication.

Features

  • Dual Authentication Strategy: Attempts direct access first, then falls back to STS role-based authentication
  • Async Support: Built with async/await for non-blocking operations
  • Flexible Secret Handling: Supports both JSON string and binary secret formats
  • Error Handling: Comprehensive error handling with meaningful error messages
  • Easy Integration: Simple function interface that works with existing AWS configurations

Installation

pip install sm_env_read

Requirements

  • Python 3.7+
  • Valid AWS credentials (either through environment variables, IAM roles, or AWS CLI configuration)

Usage

Basic Usage

import asyncio
from sm_env_read import get_env_secrets_from_sm

async def main():
    secrets = await get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="MySecretsRole",
        secret_name="my-app/prod/secrets"
    )
    
    # Access your secrets
    db_password = secrets.get("database_password")
    api_key = secrets.get("api_key")
    
    print(f"Retrieved {len(secrets)} secrets")

# Run the async function
asyncio.run(main())

Django Integration

# settings.py
import asyncio
from sm_env_read import get_env_secrets_from_sm

async def load_secrets():
    return await get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="DjangoSecretsRole",
        secret_name="django/prod/secrets"
    )

# Load secrets synchronously in Django settings
secrets = asyncio.run(load_secrets())

# Use secrets in your Django settings
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': secrets.get('db_name'),
        'USER': secrets.get('db_user'),
        'PASSWORD': secrets.get('db_password'),
        'HOST': secrets.get('db_host'),
        'PORT': secrets.get('db_port', '5432'),
    }
}

SECRET_KEY = secrets.get('django_secret_key')

FastAPI Integration

from fastapi import FastAPI
from sm_env_read import get_env_secrets_from_sm
import asyncio

app = FastAPI()

# Load secrets at startup
@app.on_event("startup")
async def startup_event():
    app.state.secrets = await get_env_secrets_from_sm(
        account_id="123456789012",
        region="us-east-1",
        role_name="FastAPISecretsRole",
        secret_name="fastapi/prod/secrets"
    )

@app.get("/")
async def root():
    # Access secrets from app state
    api_key = app.state.secrets.get("external_api_key")
    return {"message": "Hello World", "api_configured": bool(api_key)}

Error Handling

import asyncio
from sm_env_read import get_env_secrets_from_sm
from botocore.exceptions import ClientError

async def safe_get_secrets():
    try:
        secrets = await get_env_secrets_from_sm(
            account_id="123456789012",
            region="us-east-1",
            role_name="MySecretsRole",
            secret_name="my-app/prod/secrets"
        )
        return secrets
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'SecretNotFound':
            print("Secret not found")
        elif error_code == 'AccessDenied':
            print("Access denied - check IAM permissions")
        else:
            print(f"AWS error: {error_code}")
        return {}
    except Exception as e:
        print(f"Unexpected error: {e}")
        return {}

secrets = asyncio.run(safe_get_secrets())

Authentication Methods

The function uses a linear approach to authentication:

  1. Direct Access: Uses default AWS credentials (environment variables, IAM instance profile, or AWS CLI configuration)
  2. Role-Based Access: If direct access fails, assumes the specified IAM role using STS

Required IAM Permissions

For the executing environment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::ACCOUNT:role/ROLE_NAME"
        }
    ]
}

For the assumed role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME*"
        }
    ]
}

Secret Format

The function expects secrets to be stored as JSON in AWS Secrets Manager:

{
    "database_password": "super_secret_password",
    "api_key": "your_api_key_here",
    "encryption_key": "base64_encoded_key"
}

Parameters

  • account_id (str): AWS account ID where the secret is stored
  • region (str): AWS region where the secret is located
  • role_name (str): IAM role name to assume if direct access fails
  • secret_name (str): Name or ARN of the secret in AWS Secrets Manager

Return Value

Returns a dictionary containing the secret key-value pairs parsed from the JSON stored in AWS Secrets Manager.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For issues and questions, please create an issue on the GitHub repository.

Changelog

v1.0.0

  • Initial release
  • Support for dual authentication strategy
  • Async/await support
  • Comprehensive error handling

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Deepak-coder80 from gravatar.com Deepak-coder80

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

1.1.0

1.0.4

1.0.3

1.0.2

This version

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sm_env_read-1.0.1.tar.gz (4.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sm_env_read-1.0.1-py3-none-any.whl (4.3 kB view details)

Uploaded Python 3

File details

Details for the file sm_env_read-1.0.1.tar.gz.

File metadata

  • Download URL: sm_env_read-1.0.1.tar.gz
  • Upload date:
  • Size: 4.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.3

File hashes

Hashes for sm_env_read-1.0.1.tar.gz
Algorithm Hash digest
SHA256 5d0a2f82a9b2c56f5bb54cce77221a0c68a748ac0497dfd7209b624881561d87
MD5 a63bea7c1785d397b30193840393c041
BLAKE2b-256 badd25a0157e617f7d26a11e7db15b526a95e4978ca82e09dceebdca33fb3ee8

See more details on using hashes here.

File details

Details for the file sm_env_read-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: sm_env_read-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 4.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.3

File hashes

Hashes for sm_env_read-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5b92a2c5616afd266792d9ed0b8de1f5f0253f7f838b6e19ede48c32e5e9f06c
MD5 9dea542cabe8c700f8d5c974a443077e
BLAKE2b-256 c5501566c54560ce73eec9e23bda7e5d948857543b4d4d9a8fac6ed959fee563

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page