Type-safe secrets management and code generation for GCloud Secret Manager.
Project description
Vaultscribe
Vaultscribe is a tool for managing secrets. It's intended for solo devs and small teams. It uses Google Cloud Secret Manager to store secrets, and can sync secrets to multiple targets (gcloud run, cloudflare pages, etc). It also generates code so you can access the secrets in your apps.
GCloud Secret Manager offers 6 secrets for free. Vaultscribe bundles up all your secrets, and stores them in a single 'secret slot' - meaning you can practically store as many * secrets as you like.
Installation
uv add --dev vaultscribe
or
pip install vaultscribe
Quickstart
Prerequisites:
- Google Cloud SDK CLI installed, with Secret Manager set up (see below).
Quick Usage
# Scaffold a new project. This will create a vaultscribe.toml file.
vs init
# Fetch secrets from GCloud Secret Manager for 'prod' environment, store in '.secrets.prod' file. Unset secrets are left blank.
vs pull prod
# Push secrets from '.secrets.prod' to GCloud Secret Manager for 'prod' environment. Also generates code and syncs secrets to deploy targets.
vs push prod
# Fetch secrets from GCloud Secret Manager and display
vs show prod
Vaultscribe Concepts
Vaultscribe uses vaultscribe.toml to describe the secrets it manages. The secret values are NOT stored here. See `example/vaultscribe.toml' for an example file.
Environments
An environment is a collection of secrets that are deployed together. You can define as many environments as you like in your vaultscribe.toml file. For example, you can have a dev environment, a staging environment, and a prod environment.
# define as [envs.YOUR_NAME], for example
[envs.prod]
slot = "example-secrets-prod"
Targets
A target is a service that uses secrets. It has a 'type' for example, GCoud Run, or CloudFlare Pages. A type also has a flavour, for example Python/Pydantic, or Typescript/Vite.
# define as [targets.YOUR_NAME], for example
[targets.my-backend]
type = "gcloud_run"
flavour = "python:pydantic"
Secrets
These are the secrets that are synced from GCloud Secret Manager to the target environments. They cannot be synced to a frontend target like cloudflare_pages, as that would expose them in the browser.
# define as [secrets.YOUR_NAME], for example
[secrets.MY_SECRET_NAME]
sync_targets = ["my-backend"]
Public
These are values that are not actually secret, but are needed for running your application. For example, the URL of your backend API, or the API key for a service like Google Maps. These may be synced to any target.
# define as [public.YOUR_NAME], for example
[public.MY_PUBLIC_VALUE]
sync_targets = ["my-backend", "my-frontend"]
Vaultscribe Shell
When auth'ing to a sensitive service like secret management, you do not want to leave your credentials hanging around longer than you need. Unfortunately, Google Cloud does not offer a way to authenticate for a short period of time. So Vaultscribe offers a way to do your secrets work inside a shell that has a temporary authentication. It does this by getting you to authenticate, but then throwing away the refresh token. This gives you one hour to do your secrets work, then you will need to re-authenticate. The one hour is a Google thing, it cannot be adjusted.
# Start a vaultscribe shell
vs shell
Note that Vaultscribe does not require you to use the shell. You can always just run gcloud auth login and be permanently logged in. The idea of the shell is that you are intentional about doing secrets work - you won't do it accidentally.
Vaultscribe Run
If you want to run a script with all the secrets injected as environment variables, you can use the vs run command.
# Run a script with all the secrets injected as environment variables
vs run dev --target backend -- python your_script.py
GCloud Secrets Manager first time setup
# Enable Secret Manager for your project
gcloud services enable secretmanager.googleapis.com --project=YOUR_PROJECT_ID
GCloud Secret Manager Quotas
Each secret 'slot' in GCloud Secret Manager has a 64KiB size limit. See here. So while, to paraphrase, "64KiB ought to be enough for anybody", you may hit this limit if you have a very large number of secrets, or if you store really big secrets. If you hit the limit, you probably need a more 'enterprise-y' secrets manager.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vaultscribe-0.2.0.tar.gz.
File metadata
- Download URL: vaultscribe-0.2.0.tar.gz
- Upload date:
- Size: 103.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
da0e8c35bca8839d15864cfcc48277e8b653f532786ed03ba28ffde9cf117b7f
|
|
| MD5 |
4d93b9409a698643d7e7816dab947484
|
|
| BLAKE2b-256 |
df23642aad113e547f4bd753390bb7128dec205984d4419813f7341d7a4377e2
|
Provenance
The following attestation bundles were made for vaultscribe-0.2.0.tar.gz:
Publisher:
release.yml on lawther/vaultscribe
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vaultscribe-0.2.0.tar.gz -
Subject digest:
da0e8c35bca8839d15864cfcc48277e8b653f532786ed03ba28ffde9cf117b7f - Sigstore transparency entry: 1408211610
- Sigstore integration time:
-
Permalink:
lawther/vaultscribe@83bb726f16ac8b3a53f59c39d2023e9e1a65a384 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/lawther
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@83bb726f16ac8b3a53f59c39d2023e9e1a65a384 -
Trigger Event:
push
-
Statement type:
File details
Details for the file vaultscribe-0.2.0-py3-none-any.whl.
File metadata
- Download URL: vaultscribe-0.2.0-py3-none-any.whl
- Upload date:
- Size: 50.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
94415d32012326707e46c5b720a8530f6294ac3cadf173d496d667ba23c75ff3
|
|
| MD5 |
2edf246754f040875059ad5e3bc0cea1
|
|
| BLAKE2b-256 |
3976b0a49c7cc296a3a0cad94680b24aab20daab73cf976a46ce38f4d8e21e64
|
Provenance
The following attestation bundles were made for vaultscribe-0.2.0-py3-none-any.whl:
Publisher:
release.yml on lawther/vaultscribe
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
vaultscribe-0.2.0-py3-none-any.whl -
Subject digest:
94415d32012326707e46c5b720a8530f6294ac3cadf173d496d667ba23c75ff3 - Sigstore transparency entry: 1408211724
- Sigstore integration time:
-
Permalink:
lawther/vaultscribe@83bb726f16ac8b3a53f59c39d2023e9e1a65a384 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/lawther
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@83bb726f16ac8b3a53f59c39d2023e9e1a65a384 -
Trigger Event:
push
-
Statement type: