Django AWS SecretsManager
Django AWS SecretsManager is a package that helps you manage the secret values used by Django through AWS's SecretsManager service.
Requirements
- Python >= 3.6
- Django
Required settings for the settings module
-
AWS_SECRETS_MANAGER_SECRETS_NAME (or AWS_SECRETS_NAME)
- Secret name of SecretsManager to use
-
AWS_SECRETS_MANAGER_SECRETS_SECTION (or AWS_SECRETS_SECTION)
- The key that separates JSON objects by colons.
ex) In the example below, the "production" item is represented as "sample-project:production".
- The key that separates JSON objects by colons.
-
AWS_SECRETS_MANAGER_REGION_NAME (or AWS_REGION_NAME)
-
Region of the SecretsManager service to use
ex) ap-northeast-2
-
Region of the SecretsManager service to use
Secret value setting of AWS SecretsManager
SecretsManager's Secret value uses JSON format in Plaintext.
Here is an example Secret value to use for configuration, and the Secret (Corresponds to AWS_SECRETS_MANAGER_SECRETS_NAME in the settings module) is named sample-project-secret
{
"sample-project(Recommend the name of django project)": {
"base(If the settings module is a package, submodule names are recommended)": {
"SECRET_KEY": "DjangoSecretKey"
},
"dev": {
"AWS_S3_BUCKET_NAME": "sample-s3-dev"
},
"production": {
"AWS_S3_BUCKET_NAME": "sample-s3-production"
}
}
}Setting up AWS Credentials for Django to use
Django uses two methods to access the SecretsManager on AWS. The first uses a profile of ~/.aws/credentials in your home folder, and the second uses an environment variable.
1. Using the AWS Credentials Profile
Recommended for use in development environments
Set Profile of IAM User with SecretsManagerReadWrite Permission to ~/.aws/credentials. The following example uses the profile name sample-project-secretsmanager
[sample-project-secretsmanager]
aws_access_key_id = AKI*************
aws_secret_access_key = Mlp********************Then enter the profile name in AWS_SECRETS_MANAGER_PROFILE (or AWS_PROFILE) of the settings module.
# settings.py
AWS_SECRETS_MANAGER_PROFILE = 'sample-project-secrets-manager'2. Use environment variables
It is recommended to use in distribution or CI / CD environment.
If you set the following values in the environment variable, the contents are used to use the SecretsManager service.
- AWS_SECRETS_MANAGER_ACCESS_KEY_ID (or AWS_ACCESS_KEY_ID)
- AWS_SECRETS_MANAGER_SECRET_ACCESS_KEY (or AWS_SECRET_ACCESS_KEY)
Using Secrets in Django's Settings Module
- First, import the SECRETS instance of the library.
- Enter the settings for Django AWS SecretsManager
- Use SECRETS as a dictionary to get the secrets you want
Follow the form of the example below
By separating the settings module into packages, it is assumed that there are base and dev submodules.
settings/ __init__.py base.py dev.py
## settings/base.py
# 1. Import the SECRETS instance of the library
from aws_secrets import SECRETS
# 2. Enter the settings for Django AWS SecretsManager
AWS_SECRETS_MANAGER_SECRETS_NAME = 'sample-project-secret'
AWS_SECRETS_MANAGER_PROFILE = 'sample-project-secretsmanager'
AWS_SECRETS_MANAGER_SECRETS_SECTION = 'sample-project:base'
AWS_SECRETS_MANAGER_REGION_NAME = 'ap-northeast-2'
# 3. Use SECRETS as a dictionary to get the secrets you want
SECRET_KEY = SECRETS['SECRET_KEY']
SECRET_KEY = SECRETS.get('SECRET_KEY')## settings/dev.py
# The SECRETS instance is already imported from the base module.
from .base import *
# Use a different secrets section
AWS_SECRETS_MANAGER_SECRETS_SECTION = 'sample-project:dev'
# Use SECRETS as a dictionary to get the secrets you want
AWS_STORAGE_BUCKET_NAME = SECRETS['AWS_STORAGE_BUCKET_NAME']
AWS_STORAGE_BUCKET_NAME = SECRETS.get('AWS_STORAGE_BUCKET_NAME', 'default')Contributing
As an open source project, we welcome contributions.
The code lives on GitHub
