Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sylvainmouquet/pydantic2-settings-vault
A Pydantic v2 settings extension for secure configuration management using HashiCorp Vault OpenSource (OSS) and Enterprise
configuration enterprise hashicorp opensource pydantic python secrets-management security settings vault
- Host: GitHub
- URL: https://github.com/sylvainmouquet/pydantic2-settings-vault
- Owner: sylvainmouquet
- License: mit
- Created: 2024-10-20T08:13:05.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2024-11-09T07:15:18.000Z (3 months ago)
- Last Synced: 2024-11-09T08:20:14.281Z (3 months ago)
- Topics: configuration, enterprise, hashicorp, opensource, pydantic, python, secrets-management, security, settings, vault
- Language: Python
- Homepage: https://pypi.org/project/pydantic2-settings-vault/
- Size: 230 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Pydantic2-Settings-Vault
Pydantic2-Settings-Vault is a simple extension of Pydantic Settings that collects secrets from HashiCorp Vault OpenSource (OSS) and Enterprise.
### Demonstration:
```python
import os
from functools import lru_cache
from threading import Lock
from typing import Tuple, Type

from pydantic import Field, SecretStr
from pydantic_settings import (
    BaseSettings,
    PydanticBaseSettingsSource,
)
from pydantic2_settings_vault import VaultConfigSettingsSource


class AppSettings(BaseSettings):
    # SecretStr masks the value in repr() and logs; the Vault location of the
    # secret is declared per field through json_schema_extra.
    MY_SECRET: SecretStr = Field(
        ...,
        json_schema_extra={
            "vault_secret_path": "secret/data/test",
            "vault_secret_key": "FOO",  # pragma: allowlist secret
        },
    )

    @classmethod
    def settings_customise_sources(
        cls,
        settings_cls: Type[BaseSettings],
        init_settings: PydanticBaseSettingsSource,
        env_settings: PydanticBaseSettingsSource,
        dotenv_settings: PydanticBaseSettingsSource,
        file_secret_settings: PydanticBaseSettingsSource,
    ) -> Tuple[PydanticBaseSettingsSource, ...]:
        # Sources are listed in priority order: Vault is consulted last, so
        # init arguments, environment variables and .env values override it.
        return (
            init_settings,
            env_settings,
            dotenv_settings,
            VaultConfigSettingsSource(settings_cls=settings_cls),
        )


# The connection to Vault is done via HTTPS with AppRole authentication
os.environ['VAULT_URL'] = ""
os.environ['VAULT_ROLE_ID'] = ""
os.environ['VAULT_SECRET_ID'] = ""

# Only with Enterprise edition
os.environ['VAULT_NAMESPACE'] = ""

### Usage
app_settings_lock = Lock()


@lru_cache
def get_app_settings() -> AppSettings:
    # The lock serialises the first load; lru_cache then returns the same instance.
    with app_settings_lock:
        return AppSettings()  # type: ignore
```

### Internal interactions:
```mermaid
sequenceDiagram
    participant A as Your Application
    participant B as BaseSettings
    participant V as Vault
    note over A,B: 1. Retrieve settings
    A->>B: get_app_settings()
    note over B: 2. Collect secrets paths
    B->>B: for each field, get the secret path and keep unique values
    note over B,V: 3. HTTPS Asynchronously fetch secrets by path from Vault
    B->>V: get_secrets(secrets/data/)
    B->>V: get_secrets(secrets/data/)
    note over V,B: 4. Vault returns secrets
    V->>B: return secrets for secrets/data/
    V->>B: return secrets for secrets/data/
    note over B: 5. Fill fields with secrets values
    B->>B: SECRET_ONE => secrets/data/[SECRET_ONE]<br/>SECRET_TWO => secrets/data/[SECRET_TWO]<br/>SECRET_THREE => secrets/data/[SECRET_THREE]
    note over B,A: 6. Return settings
    B->>A: settings with variables and secrets
```

## Table of Contents
- [Pydantic2-Settings-Vault](#Pydantic2-Settings-Vault)
- [Table of Contents](#table-of-contents)
- [Description](#description)
- [Installation](#installation)
- [License](#license)
- [Contact](#contact)

## Description
Pydantic2-Settings-Vault is an extension for Pydantic Settings that enables secure configuration management by integrating with HashiCorp Vault. This library supports both the open-source (OSS) and Enterprise versions of Vault, providing a seamless way to retrieve and manage secrets within your Pydantic-based applications. By leveraging Vault's robust security features, Pydantic2-Settings-Vault allows developers to easily incorporate secure secret management practices into their Python projects, enhancing overall application security and simplifying the handling of sensitive configuration data.
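
The flow in the Internal interactions diagram (collect unique secret paths, fetch each path once, fill fields by key), as an added standard-library sketch that is not the library's own code. `FIELDS`, `FAKE_VAULT`, `fetch_path`, `resolve`, `load_settings` and `MissingSecretError` are hypothetical names, the Vault responses are constructed in KV v2 shape, and failing closed on a missing key is this example's choice.

```python
import asyncio

# Constructed field metadata in the shape of the README's json_schema_extra.
FIELDS = {
    "SECRET_ONE": {"vault_secret_path": "secret/data/app", "vault_secret_key": "ONE"},
    "SECRET_TWO": {"vault_secret_path": "secret/data/app", "vault_secret_key": "TWO"},
    "SECRET_THREE": {"vault_secret_path": "secret/data/db", "vault_secret_key": "THREE"},
}

# Constructed stand-in for Vault: KV v2 read responses keyed by API path.
FAKE_VAULT = {
    "secret/data/app": {"data": {"data": {"ONE": "s3cr3t-1", "TWO": "s3cr3t-2"},
                                 "metadata": {"version": 3}}},
    "secret/data/db": {"data": {"data": {"THREE": "s3cr3t-3"},
                                "metadata": {"version": 1}}},
}

class MissingSecretError(LookupError):
    """Raised with field, key and path names only, never a secret value."""

async def fetch_path(path, calls):
    """Hypothetical fetcher; a real one would issue an authenticated HTTPS GET."""
    calls.append(path)
    await asyncio.sleep(0)  # yield control, as a network call would
    if path not in FAKE_VAULT:
        raise MissingSecretError(f"path not readable: {path}")
    return FAKE_VAULT[path]["data"]["data"]  # KV v2 nests the payload under data.data

async def resolve(fields, calls):
    # Step 2: collect each secret path once, preserving first-seen order.
    paths = list(dict.fromkeys(m["vault_secret_path"] for m in fields.values()))
    # Step 3: fetch all unique paths concurrently.
    results = await asyncio.gather(*(fetch_path(p, calls) for p in paths))
    payloads = dict(zip(paths, results))
    # Step 5: fill fields; fail closed if a key is absent instead of defaulting.
    resolved = {}
    for name, meta in fields.items():
        path, key = meta["vault_secret_path"], meta["vault_secret_key"]
        if key not in payloads[path]:
            raise MissingSecretError(f"{name}: key {key!r} not found at {path}")
        resolved[name] = payloads[path][key]
    return resolved

def load_settings(fields=FIELDS):
    """Return (resolved field values, list of paths actually fetched)."""
    calls = []
    return asyncio.run(resolve(fields, calls)), calls

if __name__ == "__main__":
    values, fetched = load_settings()
    print(sorted(values), fetched)  # field names and fetched paths only
```
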
## Installation
```bash
# Install the dependency
pip install pydantic2-settings-vault
uv add pydantic2-settings-vault
poetry add pydantic2-settings-vault
```

## License
Pydantic2-Settings-Vault is released under the MIT License. See the [LICENSE](LICENSE) file for more details.
## Contact
For questions, suggestions, or issues related to Pydantic2-Settings-Vault, please open an issue on the GitHub repository.