parent
463f92167e
commit
4e74424955
|
@ -1,3 +1,29 @@
|
||||||
|
"""# Secret Loader System.
|
||||||
|
|
||||||
|
System for loading secrets from a variety of sources.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
```python
|
||||||
|
import secret_loader
|
||||||
|
secrets = secret_loader.SecretLoader(env_key_prefix = 'MYAPP')
|
||||||
|
|
||||||
|
db_username = secrets.load_or_fail('DATABASE_USERNAME')
|
||||||
|
db_password = secrets.load_or_fail('DATABASE_PASSWORD')
|
||||||
|
```
|
||||||
|
|
||||||
|
Secret loading order:
|
||||||
|
|
||||||
|
0. Hardcoded values. **This is purely for debugging and prototyping.**
|
||||||
|
1. Files pointed to by environment variables. Docker friendly.
|
||||||
|
2. Secrets folder. Also Docker friendly.
|
||||||
|
3. [Pass: the standard unix password
|
||||||
|
manager](https://www.passwordstore.org/). Most suited for personal
|
||||||
|
usage; very unsuited for server environments. Requires `pass` installed
|
||||||
|
locally, and configuration of the `PASS_FOLDER` through one of the above
|
||||||
|
methods.
|
||||||
|
4. Vault instance if configured. Suited for production environments.
|
||||||
|
"""
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
|
@ -19,23 +45,14 @@ ENV_KEY_VAULT_MOUNT_POINT = 'VAULT_MOUNT_POINT'
|
||||||
ENV_KEY_PASS_FOLDER = 'PASS_FOLDER'
|
ENV_KEY_PASS_FOLDER = 'PASS_FOLDER'
|
||||||
|
|
||||||
class SecretLoader:
|
class SecretLoader:
|
||||||
"""System for loading secrets from a variety of sources.
|
"""
|
||||||
|
Main entry point for loading secrets.
|
||||||
|
|
||||||
Priority order:
|
See module documentation for usage.
|
||||||
|
|
||||||
0. Hardcoded values. **This is purely for debugging and prototyping.**
|
|
||||||
1. Files pointed to by environment variables. Docker friendly.
|
|
||||||
2. Secrets folder. Also Docker friendly.
|
|
||||||
3. [Pass: the standard unix password
|
|
||||||
manager](https://www.passwordstore.org/). Most suited for personal
|
|
||||||
usage; very unsuited for server environments. Requires `pass` installed
|
|
||||||
locally, and configuration of the `PASS_FOLDER` through one of the above
|
|
||||||
methods.
|
|
||||||
4. Vault instance if configured. Suited for production environments.
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, env_key_prefix: str, hardcoded: dict[str, str] | None = None):
|
def __init__(self, env_key_prefix: str, hardcoded: dict[str, str] | None = None):
|
||||||
assert not env_key_prefix.endswith('_')
|
assert not env_key_prefix.endswith('_'), 'Prefix must not end with _ (this will be added automatically)'
|
||||||
self.env_key_prefix = env_key_prefix
|
self.env_key_prefix = env_key_prefix
|
||||||
self.hardcoded: dict[str, str] = hardcoded if hardcoded is not None else {}
|
self.hardcoded: dict[str, str] = hardcoded if hardcoded is not None else {}
|
||||||
self.pass_folder = None
|
self.pass_folder = None
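Review bot: The prefix check in `__init__` is still an `assert`, so under `python -O` it is stripped and a prefix ending in `_` passes through silently; the commit only adds the message. Since this is input validation, raise instead: `if env_key_prefix.endswith('_'):` / `    raise ValueError('Prefix must not end with _ (this will be added automatically)')`. The `hardcoded` mapping is also stored by reference, so a caller mutating its dict later changes what the loader returns; `self.hardcoded: dict[str, str] = dict(hardcoded) if hardcoded is not None else {}` decouples the two. The new class docstring could name the `hardcoded` parameter and repeat that it is for debugging only, since that is the one constructor argument with a security footgun. `__init__` appears to continue past the end of this hunk.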
|
||||||
|
|