Skip to main content

Retrieve secrets in an ARN-like way from different vaults seamlessly, compatible with pydantic-settings.

Project description

vaultriever

Retrieve secrets in an ARN-like way from different vaults seamlessly, compatible with pydantic-settings — no custom field types, just str fields plus a reusable mixin.

Secret Resource Identifier (SRI)

Secrets are addressed with a 4-part string:

provider:qualifier:secret_name:secret_key
Provider Example Notes
AWS Secrets Manager aws:us-east-1:my-secret:OPENAI_API_KEY Secret must be a JSON object; secret_key selects a key.
Databricks databricks::my-secret-scope:OPENAI_API_KEY Empty qualifier → default workspace/profile; non-empty qualifier → CLI profile name.
Azure Key Vault azure:my-vault:my-secret:latest Single-value secret; secret_key is the version (latest or a version id).
GCP Secret Manager gcp:my-project:my-secret:latest Single-value secret; secret_key is the version (latest or a version number).

Installation

pip install vaultriever[aws]         # AWS Secrets Manager
pip install vaultriever[databricks]  # Databricks (not needed on a Databricks runtime)
pip install vaultriever[azure]       # Azure Key Vault
pip install vaultriever[gcp]         # GCP Secret Manager

Usage

With pydantic-settings

from pydantic import Field, SecretStr
from pydantic_settings import BaseSettings
from vaultriever import SecretSRIMixin


class OpenAISettings(SecretSRIMixin, BaseSettings):
    openai_api_key: str | SecretStr = Field(
        default='aws:us-east-1:my-secret:OPENAI_API_KEY',
        description='OpenAI API key; SRI or literal.',
    )


settings = OpenAISettings()
settings.openai_api_key                     # SecretStr('**********') — masked
settings.openai_api_key.get_secret_value()  # the resolved secret

Behavior:

  • str / SecretStr values that look like an SRI (and reference a registered provider) are resolved and wrapped in SecretStr, so they stay masked in repr() and logs.
  • Everything else passes through unchanged — literals, URLs, non-string values.
  • Validated values are also exported to os.environ under the field name for downstream usage by default. This writes resolved secrets in plaintext to the process environment; see the opt out instructions and disable it per model:
from typing import ClassVar


class MySettings(SecretSRIMixin, BaseSettings):
    enable_env_export: ClassVar[bool] = False

    api_key: str | SecretStr

Standalone

from vaultriever import is_sri, resolve_secret

is_sri('aws:us-east-1:my-secret:API_KEY')          # True
resolve_secret('aws:us-east-1:my-secret:API_KEY')  # 'sk-...'

Custom providers

from vaultriever import SecretProviderRegistry
from vaultriever.sri import SecretProperties


class MyVaultProvider:
    name = 'myvault'

    def get_secret_value(self, props: SecretProperties) -> str:
        ...


SecretProviderRegistry.register(MyVaultProvider())
# Now 'myvault:qualifier:name:key' SRIs resolve through it.

Providers

AWS Secrets Manager

  • Credentials come from the AWS SDK default chain (env vars, profile, IAM role).
  • The region is required and taken from the SRI.
  • Secret payloads are cached per (secret_name, region) for the process lifetime; call AWSSecretProvider.clear_cache() after a rotation.

Databricks

  • On a Databricks runtime, secrets are read via the native dbutils.
  • Elsewhere, the databricks-sdk is used with default authentication, or with the CLI profile named by the SRI's qualifier component (databricks:staging:my-scope:MY_KEY).

Azure Key Vault

  • Credentials come from DefaultAzureCredential (env vars, managed identity, Azure CLI, etc.).
  • The qualifier is the vault name; the provider builds the vault URL as https://<vault_name>.vault.azure.net/.
  • Secret values are cached per (vault_name, secret_name, version) for the process lifetime; call AzureSecretProvider.clear_cache() after a rotation.

GCP Secret Manager

  • Credentials come from Application Default Credentials (ADC).
  • The qualifier is the GCP project id; the provider builds the resource name projects/<project_id>/secrets/<secret_name>/versions/<version>.
  • Secret values are cached per (project_id, secret_name, version) for the process lifetime; call GCPSecretProvider.clear_cache() after a rotation.

Development

uv sync --all-extras --dev
uv run pytest
uv run ruff check .
uv run mypy

Run uv run pre-commit install once so ruff format, ruff check --fix, and mypy run automatically on git commit — this is the same pre-commit config the CI lint job runs, so a clean local commit means CI lint will pass too.

Releases are published to PyPI by pushing a vX.Y.Z tag.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vaultriever-0.2.0.tar.gz (142.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vaultriever-0.2.0-py3-none-any.whl (15.5 kB view details)

Uploaded Python 3

File details

Details for the file vaultriever-0.2.0.tar.gz.

File metadata

  • Download URL: vaultriever-0.2.0.tar.gz
  • Upload date:
  • Size: 142.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vaultriever-0.2.0.tar.gz
Algorithm Hash digest
SHA256 e652d6087bd7dbe08cea77dd817bc206d11d0d81924f2e404d2be421ad524df7
MD5 18227b38423581fe1f07c743fbb97cc6
BLAKE2b-256 945cc0a6f1be4fe8cd402027def91f682ccd54e56adcfcc9b7454fc9d335f83c

See more details on using hashes here.

Provenance

The following attestation bundles were made for vaultriever-0.2.0.tar.gz:

Publisher: pypi-publish.yml on DougTrajano/vaultriever

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vaultriever-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: vaultriever-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 15.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vaultriever-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f000edc0020a9850cfa6609eb83fb904949fe9ca81fe856b912eac7f21481888
MD5 386bd6a78c5f8ae37275fa76b68d7e88
BLAKE2b-256 cd6f58e6dcc3ccd64c027ec0ebd212d8e2c150baf0c5225d040f681b2601e1c1

See more details on using hashes here.

Provenance

The following attestation bundles were made for vaultriever-0.2.0-py3-none-any.whl:

Publisher: pypi-publish.yml on DougTrajano/vaultriever

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page