Pydantic settings with vault-backed fallbacks.
Project description
vaultdantic
vaultdantic extends pydantic-settings with a vault-backed fallback source.
If you're already in the pydantic ecosystem, pydantic-settings makes it easy to specify your environment configuration as env files and load them at runtime. When you're working on a remote production app, you probably only need these global environment keys. But when you're working locally on side projects, it's way more convenient to store your environment parameters in a vault like 1Password. This lets you delete the contents of your machine and restore your secrets with a simple vault pull.
BaseSettings inputs continue to win in normal priority order (init args, env vars, .env, file
secrets), and the vault provider is only queried when required fields are still missing.
Usage
from pydantic import SecretStr
from pydantic_settings import BaseSettings, SettingsConfigDict
from vaultdantic import OnePasswordConfigDict, VaultMixin
class ExampleSettings(BaseSettings, VaultMixin):
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8",
env_prefix="EXAMPLE_",
extra="ignore",
)
model_vault_config = OnePasswordConfigDict(
vault="Engineering",
entry="example-service",
)
api_token: SecretStr
workspace_id: str
When ExampleSettings() is created, values are resolved in this order:
pydantic-settingsloads normal sources first (__init__kwargs, environment,.env, and file secrets).- If required fields are still missing,
OnePasswordConfigDict.get_vars()is called and only missing keys are filled from the vault entry. - Any key already provided by earlier sources keeps precedence over vault values, then the final model is validated.
Vault field labels should use env-style keys (for example EXAMPLE_API_TOKEN, not api_token).
For nested fields, follow pydantic-settings rules: use env_nested_delimiter (for example
PARENT_CHILD__TOKEN when env_nested_delimiter="__").
Vault Providers
| Provider | Config Class |
|---|---|
| 1Password | OnePasswordConfigDict |
CLI
We also provide convenience methods to sync your vaults into an .env file, to make it easier to sync to a remote host or use in Docker. Sync all discovered vault values into .env:
uv run sync-vault-to-env
This will write your credentials in a special managed-by-vaultdantic section. We will overwrite this section on any subsequent syncs so we recommend leaving it alone.
# start managed by vaultdantic
...
# end managed by vaultdantic
Development
make sync
make lint
make test
make build
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vaultdantic-0.1.2.tar.gz.
File metadata
- Download URL: vaultdantic-0.1.2.tar.gz
- Upload date:
- Size: 11.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a929b5f0a7d2cc872658b3254ede6d236da27228446685c67d9b3c5001a1e2b3
|
|
| MD5 |
4b49347b08dfa7daafe835e078324f26
|
|
| BLAKE2b-256 |
c90a9fa4e5531ba9542aed68d53958ff39922be2e005826ed1cdeeaad28c0bbd
|
File details
Details for the file vaultdantic-0.1.2-py3-none-any.whl.
File metadata
- Download URL: vaultdantic-0.1.2-py3-none-any.whl
- Upload date:
- Size: 13.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
23b9989539d8ecc99ab7232ba38e397fb7a292e6b5b9a8e046eb31b746dfd51f
|
|
| MD5 |
9f2253d84ea00141a84024ae628f18eb
|
|
| BLAKE2b-256 |
d0ee885de0122655a29b103d4f28501787bba66dcd197c34417cfb05ae4e3400
|
