Extensions

This section provides documentation for built-in extensions for Keep It Secret.

AWS Secrets Manager Wrapper

Installation

Since AWS extension has external dependencies it needs to be explicitly named to be installed:

$ pip install keep_it_secret[aws]

API

class keep_it_secret.ext.aws.AWSSecrets(parent: Secrets | None = None)

Concrete keep_it_secret.Secrets subclass that maps environment variables to AWS credentials.

property access_key_id: Any

Maps AWS_ACCESS_KEY_ID environment variable. Optional, defaults to None.

Type:

str | None

property secret_access_key: Any

Maps AWS_SECRET_ACCESS_KEY environment variable. Optional, defaults to None.

Type:

str | None

property session_token: Any

Maps AWS_SESSION_TOKEN environment variable. Optional, defaults to None.

Type:

str | None

property region_name: Any

Maps AWS_DEFAULT_REGION environment variable. Optional, defaults to None.

Type:

str | None

as_boto3_client_kwargs() → dict[str, Any]

Return representation of the mapped variables for use in boto3.client() call.

class keep_it_secret.ext.aws.AWSSecretsManagerField(secret_id: str, default: ~typing.Any = None, decoder: ~typing.Callable = <function loads>, **field_options)

Concrete keep_it_secret.Field subclass that uses AWS Secrets Manager to resolve the value.

Parameters:

• secret_id – ID of the secret to fetch.

• default – Default value. Defaults to None.

• decoder – A callable to decode the fetched value. Defaults to json.loads().

classmethod new(secret_id: str, default: ~typing.Any = None, decoder: ~typing.Callable = <function loads>, **field_options) → AWSSecretsManagerField

The field factory. Constructs the field in a manner which is compatible with type annotations.

Positional arguments, keyword arguments and field_options are passed to the constructor.

get_value(secrets: Secrets) → Any

Retrieve, decode and return the secret specified by secret_id.

Depends on AWSSecrets to be declared in aws field on secrets or one of its parents.

Raises:

• DependencyMissing – Signal that secrets.aws field is missing.

• RequiredValueMissing – Signal the field’s value is required but secret_id is not present in the Secrets Manager.

Hashicorp Vault Wrapper

Installation

Since Vault extension has external dependencies it needs to be explicitly named to be installed:

$ pip install keep_it_secret[vault]

API

class keep_it_secret.ext.vault.BaseVaultSecrets(parent: Secrets | None = None)

Base keep_it_secret.Secrets subclass for Vault-base secrets.

property url: Any

Maps VAULT_URL environment variable.

Type:

str

property client_cert_path: Any

Maps VAULT_CLIENT_CERT_PATH environment variable.

Type:

str | None

property client_key_path: Any

Maps VAULT_CLIENT_KEY_PATH environment variable.

Type:

str | None

property server_cert_path: Any

Maps VAULT_SERVER_CERT_PATH environment variable.

Type:

str | None

as_hvac_client_kwargs() → dict[str, Any]

Return representation of the mapped variables for use in hvac.Client constructor.

get_client() → Client

Return the hvac.Client instance configured using the credentials.

class keep_it_secret.ext.vault.VaultSecrets(parent: Secrets | None = None)

Concrete BaseVaultSecrets subclass that uses token to authenticate with Vault.

property token: Any

Maps VAULT_TOKEN environment variable.

Type:

str

as_hvac_client_kwargs() → dict[str, Any]

Return representation of the mapped variables for use in hvac.Client constructor.

property client_cert_path: Any

property client_key_path: Any

property server_cert_path: Any

property url: Any

class keep_it_secret.ext.vault.AppRoleVaultSecrets(parent: Secrets | None = None)

Concrete BaseVaultSecrets subclass that uses app role to authenticate with Vault.

property role_id: Any

Maps VAULT_ROLE_ID environment variable.

Type:

str

property secret_id: Any

Maps VAULT_SECRET_ID environment variable.

Type:

str

get_client() → Client

Return the hvac.Client instance configured using the credentials.

property client_cert_path: Any

property client_key_path: Any

property server_cert_path: Any

property url: Any

class keep_it_secret.ext.vault.VaultKV2Field(mount_point: str, path: str, version: str | None = None, default: Any = None, **field_options)

Concrete keep_it_secret.Field subclass that uses Hashicorp Vault KV V2 secrets engine to resolve the value.

If as_type isn’t provided, the fetched value will be returned as-is ( i.e. as a dict). Otherwise, as_type should be a type which accepts kwargs representing the value’s keys in its constructor.

Parameters:

• mount_point – Mount path for the secret engine.

• path – Path to the secret to fetch.

• version – Version identifier. Defaults to None (aka the newest version).

• default – Default value. Defaults to None.

classmethod new(mount_point: str, path: str, version: str | None = None, default: Any = None, **field_options)

The field factory. Constructs the field in a manner which is compatible with type annotations.

Positional arguments, keyword arguments and field_options are passed to the constructor.

cast(data: Any) → Any

Cast data to the type specified in as_type argument of the constructor.

get_value(secrets: Secrets) → Any

Retrieve, decode and return the secret stored in a KV V2 secrets engine mounted at mount_path under the path path.

Depends on VaultSecrets to be declared in vault field on secrets or one of its parents.

Raises:

• DependencyMissing – Signal that secrets.aws field is missing.

• RequiredValueMissing – Signal the field’s value is required but secret_id is not present in the secrets engine.

Basic secrets loader

keep_it_secret.ext.loader.load_secrets(package: str, env: str, app: str) → Any

A basic secrets loader. Will attempt to import the secrets module and return the __secrets__ attribute.

Parameters:

• package – The package which contains the module.

• env – Environment identifier (e.g. development).

• app – Application identifier (e.g. weather_service).