Python 3.6+ library to manage your application secrets with Google Cloud KMS
How are my secrets stored?
Google Cloud KMS is a service that manages encryption keys for you. It also offers API calls to encrypt and decrypt arbitrary payloads with those keys. A Google KMS key is identified by a "resource id" (a path of the form projects/.../locations/.../keyRings/.../cryptoKeys/...). The key material itself never leaves KMS; a caller only needs IAM permission to use the key, so the resource id is configuration, not a secret.
The secret store is a directory composed of:
- a special file, _google_kms_key_id, that stores the key resource id
- files containing plaintext secrets (not yet encrypted)
- files containing encrypted secrets, distinguished by a file extension
- files prefixed with _, which are never encrypted (so never put a secret in one)
Installation

$ pip install appsecrets

Usage

From Python:

import appsecrets

secrets = appsecrets.Secrets('secrets/production')
plaintext = secrets.decrypt('secret1')
Initialize the secret store:

$ appsecrets create secrets/production --google-kms projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1

The same store can be created by hand; the last command below adds a plaintext secret named secret1 (note that echo leaves the secret value in your shell history):

$ mkdir -p secrets/production
$ echo 'projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1' > secrets/production/_google_kms_key_id
$ echo 'MYSECRET' > secrets/production/secret1
Check that no plaintext secrets remain in the store (worth running before every commit):

$ appsecrets check secrets/production
Encrypt all the plaintext secrets:
$ appsecrets encrypt secrets/production
Decrypt a single secret:
$ appsecrets decrypt secrets/production secret1
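To make the store layout and the check / encrypt / decrypt workflow above concrete, here is an added example written for this page; it is not the appsecrets library's own code. It assumes that encrypted secrets carry a ".enc" suffix (the page does not name the real marker), wraps the Google KMS client in a small GoogleKmsEncrypter class (an assumed name, using the google-cloud-kms encrypt/decrypt calls), and substitutes a clearly labelled FakeEncrypter so the demo runs offline on a constructed store.

```python
# Added example, not part of the appsecrets library: a minimal model of the
# secret store described above, with the check / encrypt / decrypt steps.
# Assumptions (not stated on the page): encrypted files carry a ".enc"
# suffix, and Google KMS is reached through the GoogleKmsEncrypter wrapper.
import base64
import tempfile
from pathlib import Path
from typing import Dict, List

KEY_ID_FILE = "_google_kms_key_id"   # holds the KMS key resource id
ENC_SUFFIX = ".enc"                  # assumed marker for encrypted secrets


class GoogleKmsEncrypter:
    """Wrapper over google-cloud-kms. The SDK is imported lazily so the rest of
    this file runs offline; KMS symmetric encrypt accepts at most 64 KiB."""

    def __init__(self) -> None:
        from google.cloud import kms  # needs google-cloud-kms and GCP credentials
        self._client = kms.KeyManagementServiceClient()

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        resp = self._client.encrypt(request={"name": key_id, "plaintext": plaintext})
        return resp.ciphertext

    def decrypt(self, key_id: str, ciphertext: bytes) -> bytes:
        resp = self._client.decrypt(request={"name": key_id, "ciphertext": ciphertext})
        return resp.plaintext


class FakeEncrypter:
    """Offline stand-in for the demo: reversible, tied to the key id, and
    NOT encryption. Only here so the example runs without GCP."""

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        return b"FAKE|" + key_id.encode() + b"|" + base64.b64encode(plaintext)

    def decrypt(self, key_id: str, ciphertext: bytes) -> bytes:
        tag, kid, body = ciphertext.split(b"|", 2)
        if tag != b"FAKE" or kid != key_id.encode():
            raise ValueError("ciphertext was not produced under this key id")
        return base64.b64decode(body)


def read_key_id(store: Path) -> str:
    return (store / KEY_ID_FILE).read_text().strip()


def classify(store: Path) -> Dict[str, List[str]]:
    """Sort store entries into the three kinds the layout defines."""
    out = {"never_encrypted": [], "encrypted": [], "plaintext": []}  # type: Dict[str, List[str]]
    for p in sorted(store.iterdir()):
        if not p.is_file():
            continue
        if p.name.startswith("_"):            # key id file and friends: never encrypted
            out["never_encrypted"].append(p.name)
        elif p.name.endswith(ENC_SUFFIX):     # ciphertext, safe to commit
            out["encrypted"].append(p.name[: -len(ENC_SUFFIX)])
        else:                                 # plaintext secret still on disk
            out["plaintext"].append(p.name)
    return out


def check(store: Path) -> List[str]:
    """Names of secrets still stored in plaintext; empty means safe to commit."""
    return classify(store)["plaintext"]


def encrypt_all(store: Path, kms) -> List[str]:
    """Encrypt every plaintext secret. The ciphertext is written before the
    plaintext is unlinked, so a crash midway leaves a file that check() reports."""
    key_id = read_key_id(store)
    done = []
    for name in classify(store)["plaintext"]:
        src = store / name
        (store / (name + ENC_SUFFIX)).write_bytes(kms.encrypt(key_id, src.read_bytes()))
        src.unlink()
        done.append(name)
    return done


def decrypt(store: Path, kms, name: str) -> bytes:
    key_id = read_key_id(store)
    return kms.decrypt(key_id, (store / (name + ENC_SUFFIX)).read_bytes())


def demo() -> Dict[str, object]:
    """Build a constructed store in a temp dir and walk through the workflow."""
    with tempfile.TemporaryDirectory() as d:
        store = Path(d)
        (store / KEY_ID_FILE).write_text(
            "projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1\n")
        (store / "secret1").write_text("MYSECRET")     # plaintext, like the echo above
        (store / "_notes").write_text("not a secret")  # _-prefixed: never encrypted
        kms = FakeEncrypter()  # swap in GoogleKmsEncrypter() against a real key
        before = check(store)
        encrypted = encrypt_all(store, kms)
        return {
            "before": before,
            "encrypted": encrypted,
            "after": check(store),
            "layout": classify(store),
            "plaintext": decrypt(store, kms, "secret1"),
        }
```

Running demo() shows check() reporting secret1 before encryption and nothing afterwards, with the key id file and _notes left untouched; the write-then-unlink order in encrypt_all is the detail worth copying, since any interruption leaves the plaintext file in place where the check step will flag it.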
Development

AppSecrets uses DevBuddy for its development workflow. If you don't want to use DevBuddy, take a look at the file dev.yml to see how the project

- Install DevBuddy
- Run bud up to set up the development environment
Run the tests:
$ bud test
Create a new release:
$ bud release 0.4.0
Publish the release:
$ bud publish