add secret plugin for multiple providers aws, gcp, azure#82
Conversation
adrianloy
left a comment
There was a problem hiding this comment.
Docs can be clearer on how to make the resolve work if we execute within the cluster. Overall great idea.
|
|
||
| MASKED_VALUE = "***MASKED***" | ||
|
|
||
| _SENSITIVE_KEY_PATTERN = re.compile( |
There was a problem hiding this comment.
would mention the logic of this in the docs
There was a problem hiding this comment.
I think is self described
| db_username: "${gcp_secret:YOUR-GCP-PROJECT-ID/db-credentials,username}" | ||
| db_password: "${gcp_secret:YOUR-GCP-PROJECT-ID/db-credentials,password}" | ||
|
|
||
| 3. **Set up GCP credentials:** |
There was a problem hiding this comment.
missing a step on how to put the secret into the gcp secret manager first, fine if we just link there to official docs, but would be nice to have it here.
There was a problem hiding this comment.
I don't think make sense to put it here
|
Would it make sense to add a logging.Filter to the logger that automatically redacts secrets? I'd imagine it could prevent user error (i.e. logging.debug(cfg)). |
Wondering if the masking is enough 🤔 |
Description
Overview
This PR introduces three independent Hydra plugins that enable secure, lazy-loaded secret injection from AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault directly into Hydra configurations.
Problem Statement
Previously, managing secrets in Hydra configurations was cumbersome:
Solution
Three new modular plugins that:
Changes
New Plugins
1. AWS Secrets Manager Plugin
src/hydra_plugins/aws_secrets_plugin/${aws_secret:secret_name, key_name}boto3pip install mxm-scaffold[aws_secrets]Example:
2. GCP Secret Manager Plugin
src/hydra_plugins/gcp_secrets_plugin/${gcp_secret:project_id/secret_name, key_name}google-cloud-secret-managerpip install mxm-scaffold[gcp_secrets]Example:
3. Azure Key Vault Plugin
src/hydra_plugins/azure_secrets_plugin/${azure_secret:vault_name, secret_name}azure-identity,azure-keyvault-secretspip install mxm-scaffold[azure_secrets]Example:
Configuration Changes
pyproject.toml:
aws_secrets: boto3gcp_secrets: google-cloud-secret-managerazure_secrets: azure-identity, azure-keyvault-secrets[project.entry-points."hydra_plugins"]Testing
Location:
test/hydra_plugins/test_resolvers.pyTests verify:
Run tests:
Key Features
Lazy Evaluation
Secrets are fetched only when accessed, not at config load time:
No Hardcoded Values
Config files show only the resolver string:
JSON Key Extraction
Extract specific keys from JSON secrets:
Independent Installation
Users only install what they need:
Usage Example
Config file (
conf/config.yaml):Authentication
AWS
Uses standard boto3 credential chain (IAM role, environment variables, ~/.aws/credentials, etc.)
GCP
Uses Application Default Credentials (service account key via
GOOGLE_APPLICATION_CREDENTIALSenv var or compute instance identity)Azure
Uses
DefaultAzureCredential(environment variables, managed identity, Azure CLI, etc.)Files Changed
New directories:
src/hydra_plugins/aws_secrets_plugin/(3 files)src/hydra_plugins/gcp_secrets_plugin/(3 files)src/hydra_plugins/azure_secrets_plugin/(3 files)test/hydra_plugins/(1 test file)Modified files:
pyproject.toml: Added optional dependencies and entry pointsBreaking Changes
None. These are additive features.
Migration Guide
No migration needed. Existing code continues to work unchanged.
Testing Recommendations
Unit Tests
Integration Tests (with real secrets)
Set up a secret in each cloud provider and test end-to-end:
AWS:
aws secretsmanager create-secret --name test/my-secret --secret-string '{"key": "value"}'GCP:
Azure:
az keyvault secret set --vault-name my-vault --name test-secret --value my-secret-valueFixes # issue
Type of change
Checklist: