get-aws-secret

Simplify retrieval of secrets from AWS SecretsManager. Optionally auto-memoize secrets in environment variables to improve performance and reduce costs.


License
Apache-2.0
Install
pip install get-aws-secret==0.2.0b3

Documentation

Get AWS Secret


We built this library at Hackt to support local development of internal projects and public apps in our catalog. Learn more about other open-source libraries on lib.hackt.app.


Runtime support

This is the Python runtime library, compatible with Python 3.6+. Currently there isn't support for other runtimes. A JavaScript/Node.js version is planned, but unscheduled.


Installation and Usage

Install with pip: pip install get-aws-secret

from get_aws_secret import get_secret

secret_val = get_secret('MY_SECRET_DATA')

The get_secret method also accepts a secret ARN:

secret_val = get_secret('arn:aws:secretsmanager:us-east-1:123456789012:secret:MY_SECRET_DATA')

Auto-load JSON strings

Secrets with JSON-like strings can be automatically loaded by setting the load_json argument to True. The default is False (i.e. the function always returns a string, without attempting to load any JSON).

from get_aws_secret import get_secret

# MY_SECRET_JSON_DATA = '{"data": "foobar"}' (str)

secret_val = get_secret('MY_SECRET_JSON_DATA', load_json=True)

# Returns a dict, instead of str: {'data': 'foobar'}

If load_json=True and the secret value isn't a JSON-compatible string, it returns the string without raising exceptions:

from get_aws_secret import get_secret

# MY_SECRET_PLAIN_DATA = 'just plain text' (str)

secret_val = get_secret('MY_SECRET_PLAIN_DATA', load_json=True)

# Returns a string: 'just plain text'

Memoization

The library can automatically set the secret as an environment variable and retrieve it from there in subsequent requests.

from get_aws_secret import get_secret

secret_val = get_secret('MY_SECRET_DATA', memoize=True)

In the first run, setting memoize=True is equivalent to running os.environ['MY_SECRET_DATA'] = secret_val after retrieving the secret.

In subsequent calls with memoize=True, the function will find MY_SECRET_DATA in os.environ and retrieve it locally. In other words, it won't hit the AWS endpoints (saves a few milliseconds and cents).

It's possible to make memoize=True (or, in fact, any other get_value argument) the default for all requests, without passing it explicitly:

from get_aws_secret import get_secret_fix_args

get_secret = get_secret_fix_args(memoize=True)

secret_val = get_secret('MY_SECRET_DATA')
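
An added example, not part of the library or its README: a small model of the memoize=True behaviour described above, showing two consequences for operators. A secret rotated in AWS is not picked up while the environment copy exists, and child processes inherit the memoized value unless the environment is scrubbed. FakeSecretsClient, memoized_get, child_sees and scrubbed_env are hypothetical names, and the secret values are constructed.

```python
import os
import subprocess
import sys

class FakeSecretsClient:
    """Constructed stand-in for boto3.client('secretsmanager'); counts API calls."""
    def __init__(self, store):
        self.store, self.calls = store, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self.store[SecretId]}


def memoized_get(name, client):
    """Model of memoize=True as the README describes it (assumption, not library code)."""
    if name in os.environ:  # subsequent calls: served from the environment
        return os.environ[name]
    value = client.get_secret_value(SecretId=name)["SecretString"]
    os.environ[name] = value  # first call: cached in the process environment
    return value


def child_sees(name, env=None):
    """Return the value a child process finds for `name` ('' if it is absent)."""
    code = "import os; print(os.environ.get(%r, ''))" % name
    cmd = [sys.executable, "-c", code]
    return subprocess.check_output(cmd, env=env, universal_newlines=True).strip()


def scrubbed_env(*names):
    """Copy of the current environment without the memoized secret names."""
    return {k: v for k, v in os.environ.items() if k not in names}


def demo(name="MY_SECRET_DATA"):
    os.environ.pop(name, None)  # start from a clean state
    client = FakeSecretsClient({name: "constructed-value-v1"})
    first = memoized_get(name, client)
    client.store[name] = "constructed-value-v2"  # simulated rotation in AWS
    second = memoized_get(name, client)  # still v1: the environment copy wins
    inherited = child_sees(name)  # default: child gets the parent's environment
    scrubbed = child_sees(name, env=scrubbed_env(name))
    os.environ.pop(name, None)  # drop the memoized copy again
    return {"api_calls": client.calls, "first": first, "second": second,
            "child_inherited": inherited, "child_scrubbed": scrubbed}

if __name__ == "__main__":
    print(demo())
```

Passing env=scrubbed_env(...) when spawning subprocesses keeps memoized secrets out of child processes; removing the variable from os.environ forces the next call to fetch the current value.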

Custom boto3.client

Optionally, set a custom boto3.client with:

import boto3
from get_aws_secret import get_secret_fix_args

client = boto3.client('secretsmanager', region_name='my-region-1')

get_secret = get_secret_fix_args(client=client)

secret_val = get_secret('MY_SECRET_DATA')

License

This library is licensed under Apache 2.0.


Contributor guide

Please check out the guidelines in the repository wiki.


Acknowledgements

Published & supported by Hackt App

Logos provided by Clearbit