Get AWS Secret
Simplify retrieval of secrets from AWS SecretsManager. Optionally auto-memoize secrets in environment variables to improve performance and reduce costs.
We built this library at Hackt to support local development of internal projects and public apps in our catalog. Learn more about other open-source libraries on lib.hackt.app.
Runtime support
This is the Python runtime library, compatible with Python 3.6+. Other runtimes are not currently supported. A JavaScript/Node.js version is planned, but unscheduled.
Installation and Usage
Install with pip: pip install get-aws-secret
from get_aws_secret import get_secret
secret_val = get_secret('MY_SECRET_DATA')
The get_secret method also accepts a secret ARN:
secret_val = get_secret('arn:aws:secretsmanager:us-east-1:123456789012:secret:MY_SECRET_DATA')
Auto-load JSON strings
Secrets with JSON-like strings can be automatically loaded by setting the load_json argument to True. The default is False (i.e. it always returns a string, without attempting to load any JSON).
from get_aws_secret import get_secret
# MY_SECRET_JSON_DATA = '{"data": "foobar"}' (str)
secret_val = get_secret('MY_SECRET_JSON_DATA', load_json=True)
# Returns a dict, instead of str: {'data': 'foobar'}
If load_json=True and the secret value isn't a JSON-compatible string, it returns the string without raising exceptions:
from get_aws_secret import get_secret
# MY_SECRET_PLAIN_DATA = 'just plain text' (str)
secret_val = get_secret('MY_SECRET_PLAIN_DATA', load_json=True)
# Returns a string: 'just plain text'
Memoization
The library can automatically set the secret as an environment variable and retrieve it from there in subsequent requests.
from get_aws_secret import get_secret
secret_val = get_secret('MY_SECRET_DATA', memoize=True)
In the first run, setting memoize=True is equivalent to running os.environ['MY_SECRET_DATA'] = secret_val after retrieving the secret.
In subsequent calls with memoize=True, the function will find MY_SECRET_DATA in os.environ and retrieve it locally. In other words, it won't hit the AWS endpoints (which saves a few milliseconds and cents).
It's possible to set the behavior of memoize=True (in fact, any other get_value argument) as the default for all requests without passing the argument explicitly:
from get_aws_secret import get_secret_fix_args
get_secret = get_secret_fix_args(memoize=True)
secret_val = get_secret('MY_SECRET_DATA')
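Because memoization stores the secret in os.environ, the value is inherited by any child process the application starts unless the environment is scrubbed first. The following is an added example, not part of the library or its documentation: memoized_get, scrubbed_env and child_sees are hypothetical helpers, and memoized_get is a stand-in that mimics the memoize=True behavior described above with a constructed fetch function, so it runs without AWS access.

```python
import os
import subprocess
import sys


def memoized_get(name, fetch):
    """Stand-in for get_secret(name, memoize=True) as described above:
    return os.environ[name] if present, else fetch once and store it there."""
    if name in os.environ:
        return os.environ[name]
    value = fetch(name)
    os.environ[name] = value
    return value


def scrubbed_env(secret_names):
    """Copy of the current environment with the memoized secrets removed."""
    drop = set(secret_names)
    return {k: v for k, v in os.environ.items() if k not in drop}


def child_sees(name, env=None):
    """Spawn a child Python process and report whether it can read `name`."""
    code = "import os, sys; sys.exit(0 if %r in os.environ else 1)" % name
    return subprocess.run([sys.executable, "-c", code], env=env).returncode == 0


def demo():
    calls = []

    def fake_fetch(name):  # constructed stand-in for the Secrets Manager call
        calls.append(name)
        return "constructed-sample-value"

    name = "MY_SECRET_DATA"
    os.environ.pop(name, None)
    first = memoized_get(name, fake_fetch)
    second = memoized_get(name, fake_fetch)  # served from os.environ, no fetch
    result = {
        "fetches": len(calls),
        "same_value": first == second,
        "inherited_by_child": child_sees(name),  # env=None inherits os.environ
        "scrubbed_child": child_sees(name, scrubbed_env([name])),
    }
    os.environ.pop(name, None)  # clean up the constructed value
    return result


if __name__ == "__main__":
    print(demo())
```

Pass a scrubbed environment (env=scrubbed_env([...])) to subprocess calls that do not need the secret.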
Custom boto3.client
Optionally, set a custom boto3.client with:
import boto3
from get_aws_secret import get_secret_fix_args
client = boto3.client('secretsmanager', region_name='my-region-1')
get_secret = get_secret_fix_args(client=client)
secret_val = get_secret('MY_SECRET_DATA')
License
This library is licensed under Apache 2.0.
Contributor guide
Please check out guidelines in the repository wiki.
Acknowledgements
Published & supported by Hackt App
Logos provided by Clearbit