Skip to main content

Type-safe secrets management and code generation for GCloud Secret Manager.

Project description

Vaultscribe

Vaultscribe is a tool for managing secrets. It's intended for solo devs and small teams. It uses Google Cloud Secret Manager to store secrets, and can sync secrets to multiple targets (gcloud run, cloudflare pages, etc). It also generates code so you can access the secrets in your apps.

GCloud Secret Manager offers 6 secrets for free. Vaultscribe bundles up all your secrets, and stores them in a single 'secret slot' - meaning you can practically store as many * secrets as you like.

Installation

uv add --dev vaultscribe

or

pip install vaultscribe

Quickstart

Prerequisites:

  • Google Cloud SDK CLI installed, with Secret Manager set up (see below).

Quick Usage

# Scaffold a new project. This will create a vaultscribe.toml file.
vs init       
# Fetch secrets from GCloud Secret Manager for 'prod' environment, store in '.secrets.prod' file. Unset secrets are left blank.
vs pull prod  
# Push secrets from '.secrets.prod' to GCloud Secret Manager for 'prod' environment. Also generates code and syncs secrets to deploy targets.
vs push prod  
# Fetch secrets from GCloud Secret Manager and display
vs show prod  

Vaultscribe Concepts

Vaultscribe uses vaultscribe.toml to describe the secrets it manages. The secret values are NOT stored here. See `example/vaultscribe.toml' for an example file.

Environments

An environment is a collection of secrets that are deployed together. You can define as many environments as you like in your vaultscribe.toml file. For example, you can have a dev environment, a staging environment, and a prod environment.

# define as [envs.YOUR_NAME], for example
[envs.prod]
slot = "example-secrets-prod"

Targets

A target is a service that uses secrets. It has a 'type' for example, GCoud Run, or CloudFlare Pages. A type also has a flavour, for example Python/Pydantic, or Typescript/Vite.

# define as [targets.YOUR_NAME], for example
[targets.my-backend]
type = "gcloud_run"
flavour = "python:pydantic"

Secrets

These are the secrets that are synced from GCloud Secret Manager to the target environments. They cannot be synced to a frontend target like cloudflare_pages, as that would expose them in the browser.

# define as [secrets.YOUR_NAME], for example
[secrets.MY_SECRET_NAME]
sync_targets = ["my-backend"]

Public

These are values that are not actually secret, but are needed for running your application. For example, the URL of your backend API, or the API key for a service like Google Maps. These may be synced to any target.

# define as [public.YOUR_NAME], for example
[public.MY_PUBLIC_VALUE]
sync_targets = ["my-backend", "my-frontend"]

Vaultscribe Shell

When auth'ing to a sensitive service like secret management, you do not want to leave your credentials hanging around longer than you need. Unfortunately, Google Cloud does not offer a way to authenticate for a short period of time. So Vaultscribe offers a way to do your secrets work inside a shell that has a temporary authentication. It does this by getting you to authenticate, but then throwing away the refresh token. This gives you one hour to do your secrets work, then you will need to re-authenticate. The one hour is a Google thing, it cannot be adjusted.

# Start a vaultscribe shell
vs shell

Note that Vaultscribe does not require you to use the shell. You can always just run gcloud auth login and be permanently logged in. The idea of the shell is that you are intentional about doing secrets work - you won't do it accidentally.

Vaultscribe Run

If you want to run a script with all the secrets injected as environment variables, you can use the vs run command.

# Run a script with all the secrets injected as environment variables
vs run dev --target backend -- python your_script.py

GCloud Secrets Manager first time setup

# Enable Secret Manager for your project
gcloud services enable secretmanager.googleapis.com --project=YOUR_PROJECT_ID

GCloud Secret Manager Quotas

Each secret 'slot' in GCloud Secret Manager has a 64KiB size limit. See here. So while, to paraphrase, "64KiB ought to be enough for anybody", you may hit this limit if you have a very large number of secrets, or if you store really big secrets. If you hit the limit, you probably need a more 'enterprise-y' secrets manager.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vaultscribe-0.2.0.tar.gz (103.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vaultscribe-0.2.0-py3-none-any.whl (50.6 kB view details)

Uploaded Python 3

File details

Details for the file vaultscribe-0.2.0.tar.gz.

File metadata

  • Download URL: vaultscribe-0.2.0.tar.gz
  • Upload date:
  • Size: 103.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vaultscribe-0.2.0.tar.gz
Algorithm Hash digest
SHA256 da0e8c35bca8839d15864cfcc48277e8b653f532786ed03ba28ffde9cf117b7f
MD5 4d93b9409a698643d7e7816dab947484
BLAKE2b-256 df23642aad113e547f4bd753390bb7128dec205984d4419813f7341d7a4377e2

See more details on using hashes here.

Provenance

The following attestation bundles were made for vaultscribe-0.2.0.tar.gz:

Publisher: release.yml on lawther/vaultscribe

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vaultscribe-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: vaultscribe-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 50.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vaultscribe-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 94415d32012326707e46c5b720a8530f6294ac3cadf173d496d667ba23c75ff3
MD5 2edf246754f040875059ad5e3bc0cea1
BLAKE2b-256 3976b0a49c7cc296a3a0cad94680b24aab20daab73cf976a46ce38f4d8e21e64

See more details on using hashes here.

Provenance

The following attestation bundles were made for vaultscribe-0.2.0-py3-none-any.whl:

Publisher: release.yml on lawther/vaultscribe

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page