pydantic-kms-secrets

Release 0.3.0

Utility to decrypt and encrypt secrets using AWS KMS keys that is compatible with pydantic models

Homepage PyPI Python

Keywords
pydantic, aws, secrets, kms, secrets-management, environment-variables, python
License
MIT
Install
pip install pydantic-kms-secrets==0.3.0

Documentation

pydantic-kms-secrets

PyPI version Upload Python Package codecov

Utility to decrypt and encrypt secrets using AWS KMS keys that also integrates with pydantic models which allows for encrypted values to be stored in .env files and be decrypted at runtime.

Installation

From PyPi:

$ pip install pydantic-kms-secrets

Usage

CLI

Encrypt a secret:

$ pks -k your-kms-key-id -v my-secret-password -e

Decrypt a secret:

$ pks -k your-kms-key-id -v your-encrypted-secret -d

Help docs:

$ pks --help
usage: pks [-h] [-k KEY_ID] -v VALUE [-e] [-d]

Tool to encrypt and decrypt secrets via a KMS key

optional arguments:
  -h, --help            show this help message and exit
  -k KEY_ID, --key-id KEY_ID
                        ID of the KMS key to use
  -v VALUE, --value VALUE
                        The value to be encrypted
  -e, --encrypt         Set to encrypt value
  -d, --decrypt         Set to decrypt value

Pydantic

Pydantic KMS Secrets is able to integrate and add functionality on top of Pydantic's dotenv extension by allowing you to store encrypted values in your .env files and decrypt them at runtime. A basic implementation would look something like:

Pydantic Settings Model

from pydantic import BaseSettings
from pydantic_kms_secrets import KMSSecretStr, decrypt_kms_secrets


class Settings(BaseSettings):
    env: str
    secrets_kms_key_id: str  # This model attribute must exist to decrypt secrets
    kms_secret_1: KMSSecretStr
    kms_secret_2: KMSSecretStr

    class Config:
        env_file = ".env"

# Don't forget to call decrypt_kms_secrets, if you don't the secrets will not be decrypted
settings = decrypt_kms_secrets(Settings())

.env File

ENV="prod"

SECRETS_KMS_KEY_ID="your-kms-key-id"  # This environment variable must be set to decrypt secrets
KMS_SECRET_1="my-first-encrypted-secret"
KMS_SECRET_2="my-second-encrypted-secret"

KMSSecretStr Class

The KMSSecretStr class is almost identical to the SecretStr type in pydantic.

# This example uses the settings value from the python example above

# Standard access methods will not display the secret
print(settings)
#> env='prod' secrets_kms_key_id='your-kms-key-id' kms_secret_1=KMSSecretStr('**********') kms_secret_2=KMSSecretStr('**********')
print(settings.kms_secret_1)
#> **********
print(settings.dict())
"""
{
    'env': 'prod',
    'secret_kms_key_id': 'your-kms-key-id',
    'kms_secret_1': KMSSecretStr('**********'),
    'kms_secret_2': KMSSecretStr('**********'),
}
"""
print(settings.json())
#> {"env": "prod", "secret_kms_key_id": "your-kms-key-id", "kms_secret_1": "**********", "kms_secret_2": "**********"}

# Use get_secret_value method to see the secret's content.
print(settings.kms_secret_1.get_secret_value())
#> my-first-encrypted-secret
print(settings.kms_secret_2.get_secret_value())
#> my-second-encrypted-secret

Stats

Dependencies
6
Dependent packages
0
Dependent repositories
0
Total releases
4
Latest release
First release
Stars
0
Forks
0
Watchers
0
Contributors
1
Repository size
40 KB
SourceRank
7

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.3.0
0.2.0
0.1.1
0.1.0

Contributors

Nick Plutt


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-20 00:35:02 UTC

Login to resync this project