takunomi-build-bot
3832381885
This commit was automatically generated by a script: https://gitfub.space/Jmaa/python-omni
1.8 KiB
Secret Loader System.
System for loading secrets from a variety of sources.
Usage:

    import secret_loader
    secrets = secret_loader.SecretLoader(env_key_prefix = 'MYAPP')
    db_username = secrets.load_or_fail('DATABASE_USERNAME')
    db_password = secrets.load_or_fail('DATABASE_PASSWORD')
Secret loading order (the first source that provides a value wins):
- Hardcoded values. Purely for debugging, prototyping, and for configuring the options below.
- Files pointed to by environment variables. Docker friendly.
- Secrets folder. Also Docker friendly.
- Pass: the standard unix password manager. Most suited for personal usage; very unsuited for server environments. Requires pass installed locally, and configuration of the PASS_STORE_SUBFOLDER through one of the above methods.
- Vault instance, if configured. Suited for production environments.
TODO
- Avoid leakage to swap files.
  - Possibly mlock? Does not seem to work.
  - Alternatively use mmap and memoryview?
- Wrap secrets in intelligent strings:
  - Instead of returning None when a secret is not loaded, return UnknownSecret, which produces an error when formatted.
  - repr(secret) should not include the contents, only the secret's name and how it was loaded.
  - Methods on Secret should be kept minimal.
- Vault:
  - Ensure the vault code path works.
  - Document usage and requirements.
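The following is an added, self-contained example illustrating the loading order described above together with the Secret/UnknownSecret ideas from the TODO list. It is not the project's own code: the environment-variable naming (MYAPP_<KEY>_FILE), the /run/secrets default, and the Secret.reveal() method are assumptions chosen for the example. Only the first three sources (hardcoded, env-pointed file, secrets folder) are implemented, since pass and Vault require external tooling; the inputs are constructed temp files, not real secrets.

```python
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional, Union


class Secret:
    """A loaded secret. Only repr() and reveal() are defined on purpose:
    str(), f-strings and logging all fall back to repr(), which shows the
    name and the source but never the contents."""

    __slots__ = ("name", "source", "_value")

    def __init__(self, name: str, value: str, source: str) -> None:
        self.name, self.source, self._value = name, source, value

    def reveal(self) -> str:
        """Explicit accessor; the only way to get the raw value."""
        return self._value

    def __repr__(self) -> str:
        return f"Secret({self.name!r}, source={self.source!r})"


class UnknownSecret:
    """Returned instead of None when no source had the secret. Formatting
    it raises, so a missing password cannot end up as 'None' in a DSN."""

    def __init__(self, name: str) -> None:
        self.name = name

    def __repr__(self) -> str:
        return f"UnknownSecret({self.name!r})"

    def __str__(self) -> str:
        raise LookupError(f"secret {self.name!r} was never loaded")

    def __format__(self, spec: str) -> str:
        raise LookupError(f"secret {self.name!r} was never loaded")


def _read_secret_file(path: Path) -> str:
    # Strip only the trailing newline that editors and `docker secret create`
    # add; other whitespace may legitimately be part of the secret.
    return path.read_text(encoding="utf-8").rstrip("\n")


class SecretLoader:
    """Tries sources in the documented order: hardcoded, file named by an
    environment variable, then a file in the secrets folder."""

    def __init__(self, env_key_prefix: str, hardcoded: Optional[Dict[str, str]] = None,
                 secrets_dir: Union[str, Path] = "/run/secrets",  # assumed default
                 environ: Optional[Mapping[str, str]] = None) -> None:
        import os
        self.prefix = env_key_prefix
        self.hardcoded = dict(hardcoded or {})
        self.secrets_dir = Path(secrets_dir)
        self.environ = os.environ if environ is None else environ

    def load(self, key: str) -> Union[Secret, UnknownSecret]:
        if key in self.hardcoded:                       # 1. hardcoded (debug only)
            return Secret(key, self.hardcoded[key], "hardcoded")
        env_name = f"{self.prefix}_{key}_FILE"           # 2. assumed naming scheme
        path = self.environ.get(env_name)
        if path:
            return Secret(key, _read_secret_file(Path(path)), f"env:{env_name}")
        candidate = self.secrets_dir / key               # 3. secrets folder
        if candidate.is_file():
            return Secret(key, _read_secret_file(candidate), f"dir:{candidate}")
        return UnknownSecret(key)

    def load_or_fail(self, key: str) -> Secret:
        secret = self.load(key)
        if isinstance(secret, UnknownSecret):
            raise LookupError(f"no source provided secret {key!r}")
        return secret


def demo() -> dict:
    """Exercise all three sources against constructed temp files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pw.txt").write_text("s3cr3t\n")
        secrets_dir = root / "run_secrets"
        secrets_dir.mkdir()
        (secrets_dir / "DATABASE_USERNAME").write_text("app_user\n")
        environ = {"MYAPP_DATABASE_PASSWORD_FILE": str(root / "pw.txt")}
        loader = SecretLoader("MYAPP", hardcoded={"DEBUG_TOKEN": "dev-only"},
                              secrets_dir=secrets_dir, environ=environ)
        pw = loader.load_or_fail("DATABASE_PASSWORD")
        user = loader.load_or_fail("DATABASE_USERNAME")
        token = loader.load_or_fail("DEBUG_TOKEN")
        missing = loader.load("API_KEY")
        try:
            f"{missing}"
            missing_formats = True
        except LookupError:
            missing_formats = False
        return {
            "password": pw.reveal(),
            "username": user.reveal(),
            "token_source": token.source,
            "password_repr": repr(pw),
            "repr_leaks": "s3cr3t" in f"{pw} {pw!r} {str(pw)}",
            "missing_repr": repr(missing),
            "missing_formats": missing_formats,
        }
```

Running demo() shows the property the TODO asks for: every ordinary way of stringifying a Secret yields the safe repr, and an UnknownSecret raises the moment it is interpolated rather than silently becoming "None".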
License
Copyright 2024 Jon Michael Aanes. All rights reserved.