{"id":16288026,"url":"https://github.com/jdelic/12factor-vault","last_synced_at":"2025-03-16T13:31:28.129Z","repository":{"id":43367792,"uuid":"68761687","full_name":"jdelic/12factor-vault","owner":"jdelic","description":"Integration helpers for Hashicorp Vault with 12factor and Django","archived":false,"fork":false,"pushed_at":"2022-08-21T21:46:31.000Z","size":56,"stargazers_count":43,"open_issues_count":1,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-27T09:49:32.781Z","etag":null,"topics":["authentication","database","django","hashicorp-vault","secret-distribution"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jdelic.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-09-20T23:35:07.000Z","updated_at":"2024-10-17T06:18:00.000Z","dependencies_parsed_at":"2022-07-08T01:55:13.226Z","dependency_job_id":null,"html_url":"https://github.com/jdelic/12factor-vault","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jdelic%2F12factor-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jdelic%2F12factor-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jdelic%2F12factor-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jdelic%2F12factor-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jdelic","download_url":"https://codeload.github.com/jdelic/12factor-vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243817270,"owners_count":20352529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","database","django","hashicorp-vault","secret-distribution"],"created_at":"2024-10-10T19:47:04.656Z","updated_at":"2025-03-16T13:31:27.832Z","avatar_url":"https://github.com/jdelic.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"Vault 12factor and Django integration\n=====================================\n\nThis project provides helper classes for integrating\n`Hashicorp Vault \u003chttps://vaultproject.io/\u003e`__ with your Python projects and\nDjango.\n\n**Please note that this is still under active development and APIs are subject\nto change.**\n\n\nInstallation\n------------\nThis has been uploaded to the Cheeseshop aka Pypi as\n`12factor-vault \u003chttps://pypi.python.org/pypi/12factor-vault\u003e`__. So just add\n``12factor-vault`` to your ``requirements.txt`` or ``setup.py``.\n\n``pip install 12factor-vault`` also works.\n\n\nEnvironment variables\n+++++++++++++++++++++\n============================ ========================= ======================\nEnvironment Variable Vault auth backend Direct configuration\n static method on\n BaseVaultAuthenticator\n============================ ========================= ======================\nVAULT_TOKEN Token authentication token(str)\nVAULT_APPID, VAULT_USERID App-id authenticaion app_id(str, str)\nVAULT_ROLEID, VAULT_SECRETID Approle authentication approle(str, str, str,\n bool)\nVAULT_SSLCERT, VAULT_SSLKEY SSL Client authentication ssl_client_cert(str,\n str)\n============================ ========================= ======================\n\nThe Django example below uses the following environment variables:\n\n=========================== ==================================================\nEnvironment Variable Description\n=========================== ==================================================\nVAULT_DATABASE_PATH The path to Vault's credential-issuing backend\nVAULT_CA The CA issuing Vault's HTTPS SSL certificate (for\n CA pinning)\nDATABASE_NAME Name of the database to connect to on the database\n server.\nDATABASE_OWNERROLE The PostgreSQL role to use for ``SET ROLE`` after\n connecting to the database\n=========================== ==================================================\n\nGeneral usage\n-------------\nBasically after configuring a ``BaseVaultAuthenticator`` instance which creates\nauthenticated Vault clients (relying on the excellent\n`hvac library \u003chttps://github.com/ianunruh/hvac\u003e`__) you can use that to create\n``VaultCredentialProvider`` instances which manage leases and renew credentials\nas needed (e.g. database credentials managed by one of Vault's *secrets*\nbackends).\n\n``VaultAuth12Factor`` is a subclass of ``BaseVaultAuthenticator`` that reads\nall necessary configuration from environment variables.\n\n\nDjango\n------\nIntegrating with Django requires a small monkeypatch that retries failed\ndatabase connections after refreshing the database credentials from Vault. The\n``vault12factor`` Django App will install that patch automatically. You also\nhave to wrap your database settings dict in a\n``DjangoAutoRefreshDBCredentialsDict`` instance that knows hot to refresh\ndatabase credentials from Vault.\n\n``vault12factor`` will check if an instance of\n``DjangoAutoRefreshDBCredentialsDict`` is configured in ``settings.DATABASES``\nbefore monkey-patching Django. So if you want to use ``vault12factor`` but\nconfigure your databases in separate Django apps or other things that this code\ncan't detect, you will want to call ``vault12factor.monkeypatch_django()``\nyourself.\n\nHere is an example for integrating this with Django, using Vault to get\ndatabase credentials. When using PostgreSQL you will also want to look at\n`django-postgresql-setrole \u003chttps://github.com/jdelic/django-postgresql-setrole\u003e`__.\n\n.. code-block:: python\n\n # in settings.py\n INSTALLED_APPS += ['django_dbconn_retry', 'vault12factor',]\n\n from vault12factor import \\\n VaultCredentialProvider, \\\n VaultAuth12Factor, \\\n DjangoAutoRefreshDBCredentialsDict\n\n if DEBUG and not VaultAuth12Factor.has_envconfig():\n SECRET_KEY = \"secretsekrit\" # FOR DEBUG ONLY!\n DATABASES = {\n 'default': {\n 'ENGINE': 'django.db.backends.sqlite3',\n 'NAME': 'authserver.sqlite3',\n }\n }\n else:\n if DEBUG:\n SECRET_KEY = \"secretsekrit\" # FOR DEBUG ONLY!\n\n VAULT = VaultAuth12Factor.fromenv()\n CREDS = VaultCredentialProvider(\"https://vault.local:8200/\", VAULT,\n os.getenv(\"VAULT_DATABASE_PATH\",\n \"db-mydatabase/creds/fullaccess\"),\n os.getenv(\"VAULT_CA\", None), True,\n DEBUG)\n\n DATABASES = {\n 'default': DjangoAutoRefreshDBCredentialsDict(CREDS, {\n 'ENGINE': 'django.db.backends.postgresql',\n 'NAME': os.getenv(\"DATABASE_NAME\", \"mydatabase\"),\n 'USER': CREDS.username,\n 'PASSWORD': CREDS.password,\n 'HOST': '127.0.0.1',\n 'PORT': '5432',\n # requires django-postgresql-setrole\n 'SET_ROLE': os.getenv(\"DATABASE_OWNERROLE\", \"mydatabaseowner\")\n }),\n }\n\n\nLicense\n=======\n\nCopyright (c) 2016-2017, Jonas Maurus\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjdelic%2F12factor-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjdelic%2F12factor-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjdelic%2F12factor-vault/lists"}