Retrieve secrets in an ARN-like way from different vaults seamlessly, compatible with pydantic-settings.
Project description
vaultriever
Retrieve secrets in an ARN-like way from different vaults seamlessly, compatible with pydantic-settings — no custom field types, just str fields plus a reusable mixin.
Secret Resource Identifier (SRI)
Secrets are addressed with a 4-part string:
provider:region:secret_name:secret_key
| Provider | Example | Notes |
|---|---|---|
| AWS Secrets Manager | aws:us-east-1:my-secret:OPENAI_API_KEY |
Secret must be a JSON object; secret_key selects a key. |
| Databricks | databricks::my-secret-scope:OPENAI_API_KEY |
Empty region → default workspace/profile; non-empty region → CLI profile name. |
| Azure Key Vault | azure:<vault_or_region>:<secret_name>:<key_or_version> |
Planned. |
| GCP Secret Manager | gcp:<project_or_region>:<secret_name>:<key_or_version> |
Planned. |
Installation
pip install vaultriever[aws] # AWS Secrets Manager
pip install vaultriever[databricks] # Databricks (not needed on a Databricks runtime)
Usage
With pydantic-settings
from pydantic import Field, SecretStr
from pydantic_settings import BaseSettings
from vaultriever import SecretSRIMixin
class OpenAISettings(SecretSRIMixin, BaseSettings):
openai_api_key: str | SecretStr = Field(
default='aws:us-east-1:my-secret:OPENAI_API_KEY',
description='OpenAI API key; SRI or literal.',
)
settings = OpenAISettings()
settings.openai_api_key # SecretStr('**********') — masked
settings.openai_api_key.get_secret_value() # the resolved secret
Behavior:
str/SecretStrvalues that look like an SRI (and reference a registered provider) are resolved and wrapped inSecretStr, so they stay masked inrepr()and logs.- Everything else passes through unchanged — literals, URLs, non-string values.
- Validated values are also exported to
os.environunder the field name for downstream usage. This writes resolved secrets in plaintext to the process environment; opt out per model:
from typing import ClassVar
class MySettings(SecretSRIMixin, BaseSettings):
enable_env_export: ClassVar[bool] = False
api_key: str | SecretStr
Standalone
from vaultriever import is_sri, resolve_secret
is_sri('aws:us-east-1:my-secret:API_KEY') # True
resolve_secret('aws:us-east-1:my-secret:API_KEY') # 'sk-...'
Custom providers
from vaultriever import SecretProviderRegistry
from vaultriever.sri import SecretProperties
class MyVaultProvider:
name = 'myvault'
def get_secret_value(self, props: SecretProperties) -> str:
...
SecretProviderRegistry.register(MyVaultProvider())
# Now 'myvault:region:name:key' SRIs resolve through it.
Providers
AWS Secrets Manager
- Credentials come from the AWS SDK default chain (env vars, profile, IAM role).
- The region is required and taken from the SRI.
- Secret payloads are cached per
(secret_name, region)for the process lifetime; callAWSSecretProvider.clear_cache()after a rotation.
Databricks
- On a Databricks runtime, secrets are read via the native
dbutils. - Elsewhere, the databricks-sdk is used with default authentication, or with the CLI profile named by the SRI's region component (
databricks:staging:my-scope:MY_KEY).
Development
uv sync --all-extras --dev
uv run pytest
uv run ruff check .
uv run mypy
Releases are published to PyPI by pushing a vX.Y.Z tag.
License
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vaultriever-0.1.0.tar.gz.
File metadata
- Download URL: vaultriever-0.1.0.tar.gz
- Upload date:
- Size: 126.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1a25d5934dbecd13c22d0b5aaa19ace91e5358fdf642669d39a3930502658071
|
|
| MD5 |
ea9f37419ce77a187a2d467cbac7b4b2
|
|
| BLAKE2b-256 |
caa7681d28cf209b229a483af6feb4efcb870458b57579045399a1e036ff62a1
|
Provenance
The following attestation bundles were made for vaultriever-0.1.0.tar.gz:
Publisher:
pypi-publish.yml on DougTrajano/vaultriever
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vaultriever-0.1.0.tar.gz -
Subject digest:
1a25d5934dbecd13c22d0b5aaa19ace91e5358fdf642669d39a3930502658071 - Sigstore transparency entry: 2074022323
- Sigstore integration time:
-
Permalink:
DougTrajano/vaultriever@364eedc35efd403784cc4f6171034931e0bdd90f -
Branch / Tag:
refs/tags/0.1.0 - Owner: https://github.com/DougTrajano
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi-publish.yml@364eedc35efd403784cc4f6171034931e0bdd90f -
Trigger Event:
release
-
Statement type:
File details
Details for the file vaultriever-0.1.0-py3-none-any.whl.
File metadata
- Download URL: vaultriever-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6d45c801cb067abc0e69667fc378423dd5855f8c2ce2b92e4a0e4d33c5e857f4
|
|
| MD5 |
2e6915bd404ce86cd43d7baf13dc3be4
|
|
| BLAKE2b-256 |
e09688385ba68f580ea0ef48d7ad31b2f5ec4a8c6ecbcd097a23fa3b1e917c1e
|
Provenance
The following attestation bundles were made for vaultriever-0.1.0-py3-none-any.whl:
Publisher:
pypi-publish.yml on DougTrajano/vaultriever
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vaultriever-0.1.0-py3-none-any.whl -
Subject digest:
6d45c801cb067abc0e69667fc378423dd5855f8c2ce2b92e4a0e4d33c5e857f4 - Sigstore transparency entry: 2074022357
- Sigstore integration time:
-
Permalink:
DougTrajano/vaultriever@364eedc35efd403784cc4f6171034931e0bdd90f -
Branch / Tag:
refs/tags/0.1.0 - Owner: https://github.com/DougTrajano
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi-publish.yml@364eedc35efd403784cc4f6171034931e0bdd90f -
Trigger Event:
release
-
Statement type: