secret_loader/README.md
2024-07-08 19:10:04 +02:00
# Secret Loader System

System for loading secrets from a variety of sources.

Usage:

```python
import secret_loader

# Environment variables consulted by the loader are prefixed with MYAPP
secrets = secret_loader.SecretLoader(env_key_prefix='MYAPP')

# Raises if no configured source provides the secret
db_username = secrets.load_or_fail('DATABASE_USERNAME')
db_password = secrets.load_or_fail('DATABASE_PASSWORD')
```

## Secret loading order

  1. Hardcoded values. Purely for debugging, prototyping, and for configuring the options below.
  2. Files pointed to by environment variables. Docker friendly.
  3. Secrets folder. Also Docker friendly.
  4. Pass, the standard unix password manager. Most suited for personal usage; very unsuited for server environments. Requires `pass` to be installed locally and the PASS_STORE_SUBFOLDER to be configured through one of the methods above.
  5. Vault instance, if configured. Suited for production environments.
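The following is an added illustration of the loading order above, written for this README and not part of the `secret_loader` package itself. It implements sources 1 to 4 as a first-hit-wins chain (the Vault source is omitted, since this page documents no Vault configuration). The class name `OrderedSecretLoader`, the `<PREFIX>_<NAME>_FILE` naming scheme for file-pointing environment variables, and the one-file-per-secret layout of the secrets folder are assumptions of the example; `load_with_source` reports which source answered so a secret's origin can be logged without logging its value, and `demo()` builds a constructed scenario in a temporary directory.

```python
"""Illustrative ordered secret loader (added example, not the project's code)."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


class SecretNotFound(KeyError):
    """Raised by load_or_fail() when no source can provide the secret."""


def _read_secret_file(path: Path) -> Optional[str]:
    """Return the file's contents without the trailing newline, or None if absent."""
    if not path.is_file():
        return None
    # Only the line terminator is stripped; other whitespace may be part of the secret.
    return path.read_text(encoding="utf-8").rstrip("\r\n")


class OrderedSecretLoader:
    """Try each source in the README's order; the first source with a value wins."""

    def __init__(self, env_key_prefix: str, hardcoded: Optional[Dict[str, str]] = None,
                 secrets_dir: Optional[Path] = None) -> None:
        self.prefix = env_key_prefix
        self.hardcoded = dict(hardcoded or {})
        self.secrets_dir = secrets_dir
        # (label, lookup) pairs, consulted in order.
        self.sources = [
            ("hardcoded", self._from_hardcoded),
            ("env-file", self._from_env_file),
            ("secrets-dir", self._from_secrets_dir),
            ("pass", self._from_pass),
        ]

    # 1. Hardcoded values: debugging, prototyping, and bootstrapping the options below.
    def _from_hardcoded(self, name: str) -> Optional[str]:
        return self.hardcoded.get(name)

    # 2. Files pointed to by environment variables (assumed scheme: <PREFIX>_<NAME>_FILE).
    def _from_env_file(self, name: str) -> Optional[str]:
        path = os.environ.get(f"{self.prefix}_{name}_FILE")
        return _read_secret_file(Path(path)) if path else None

    # 3. Secrets folder: one file per secret, named after the secret (assumed layout).
    def _from_secrets_dir(self, name: str) -> Optional[str]:
        if self.secrets_dir is None:
            return None
        return _read_secret_file(self.secrets_dir / name)

    # 4. pass: only if installed and PASS_STORE_SUBFOLDER came from an earlier source
    #    (resolving the subfolder through pass itself would recurse forever).
    def _from_pass(self, name: str) -> Optional[str]:
        if shutil.which("pass") is None:
            return None
        earlier = [s for s in self.sources if s[0] != "pass"]
        subfolder, _ = self._first_hit("PASS_STORE_SUBFOLDER", earlier)
        if subfolder is None:
            return None
        proc = subprocess.run(["pass", "show", f"{subfolder}/{name}"],
                              capture_output=True, text=True, check=False)
        if proc.returncode != 0 or not proc.stdout:
            return None
        return proc.stdout.splitlines()[0]  # pass convention: first line holds the secret

    def _first_hit(self, name, sources) -> Tuple[Optional[str], Optional[str]]:
        for label, lookup in sources:
            value = lookup(name)
            if value is not None:
                return value, label
        return None, None

    def load_with_source(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (value, source label), or (None, None) when nothing provides it."""
        return self._first_hit(name, self.sources)

    def load(self, name: str) -> Optional[str]:
        return self.load_with_source(name)[0]

    def load_or_fail(self, name: str) -> str:
        value = self.load(name)
        if value is None:
            raise SecretNotFound(f"no configured source provides {name!r}")
        return value


def demo() -> dict:
    """Constructed scenario: one secret per source 1-3, a shadowed value, and a miss."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secrets_dir = root / "secrets"
        secrets_dir.mkdir()
        (root / "api_token").write_text("tok-from-env-file\n", encoding="utf-8")
        (secrets_dir / "DATABASE_PASSWORD").write_text("pw-from-dir\n", encoding="utf-8")
        # Also present in the folder, but the hardcoded value must win.
        (secrets_dir / "DATABASE_USERNAME").write_text("shadowed\n", encoding="utf-8")
        os.environ["MYAPP_API_TOKEN_FILE"] = str(root / "api_token")
        try:
            loader = OrderedSecretLoader("MYAPP", hardcoded={"DATABASE_USERNAME": "dbuser"},
                                         secrets_dir=secrets_dir)
            result = {n: loader.load_with_source(n)
                      for n in ("DATABASE_USERNAME", "API_TOKEN", "DATABASE_PASSWORD", "MISSING")}
            try:
                loader.load_or_fail("MISSING")
                result["raised"] = False
            except SecretNotFound:
                result["raised"] = True
            return result
        finally:
            os.environ.pop("MYAPP_API_TOKEN_FILE", None)
```

Running `demo()` shows `DATABASE_USERNAME` resolved from `hardcoded` even though a file of the same name exists in the secrets folder, `API_TOKEN` from `env-file`, `DATABASE_PASSWORD` from `secrets-dir` with its trailing newline removed, and `load_or_fail("MISSING")` raising `SecretNotFound`. The `pass` source is invoked without a shell and only when the subfolder was supplied by a source earlier in the chain.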

## TODO

- Avoid leakage to swap files.
- Wrap secrets in intelligent strings:
  - Instead of returning `None` for an unloaded secret, return an `UnknownSecret` that raises an error when formatted.
  - `repr(secret)` should not include the contents, only the secret's name and how it was loaded.
  - Methods on `Secret` should be kept minimal.
- Vault:
  - Ensure the Vault code path works.
  - Document usage and requirements.

## License

Copyright 2024 Jon Michael Aanes. All rights reserved.