System for loading secrets from a variety of sources.
Commit 54f906a3fc by takunomi-build-bot: This commit was automatically generated by a script: https://gitfub.space/Jmaa/python-omni
Repository contents: .gitea/workflows, secret_loader, test, .gitignore, LICENSE, README.md, requirements_test.txt, requirements.txt, ruff.toml, setup.py
Secret Loader System.
System for loading secrets from a variety of sources.
Usage:

```python
import secret_loader

secrets = secret_loader.SecretLoader(env_key_prefix='MYAPP')
db_username = secrets.load_or_fail('DATABASE_USERNAME')
db_password = secrets.load_or_fail('DATABASE_PASSWORD')
```
Secret loading order:

- Hardcoded values. This is purely for debugging, prototyping, and for configuring the options below.
- Files pointed to by environment variables. Docker friendly.
- Secrets folder. Also Docker friendly.
- Pass: the standard Unix password manager. Most suited for personal usage; very unsuited for server environments. Requires `pass` installed locally, and configuration of the `PASS_STORE_SUBFOLDER` through one of the above methods.
- Vault instance if configured. Suited for production environments.
TODO

- Avoid leakage to swap files.
  - Possibly `mlock`? Does not seem to work.
  - Alternatively use `mmap` and `memoryview`?
- Wrap secrets in intelligent strings:
  - Instead of returning `None` on unloaded, return `UnknownSecret`, which produces an error when formatted.
  - `repr(secret)` should not include contents, but only the secret and how it was loaded.
  - Methods on `Secret` should be kept minimal.
- Vault:
  - Ensure vault code path works.
  - Document usage and requirements.
License
Copyright 2024 Jon Michael Aanes. All rights reserved.