-
Notifications
You must be signed in to change notification settings - Fork 0
add secret plugin for multiple providers aws, gcp, azure #82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| .. _secrets-plugins: | ||
|
|
||
| Secrets Plugins | ||
| ================ | ||
|
|
||
| Scaffold provides Hydra plugins for seamless integration with cloud secret managers. These plugins register custom OmegaConf resolvers that fetch secrets on-demand during configuration resolution, allowing secure injection of secrets into your configs without hardcoding values. | ||
|
|
||
| **Supported Providers:** | ||
|
|
||
| * AWS Secrets Manager (``aws_secrets`` extra) | ||
| * Google Cloud Secret Manager (``gcp_secrets`` extra) | ||
| * Azure Key Vault (``azure_secrets`` extra) | ||
|
|
||
| Features | ||
| -------- | ||
|
|
||
| * **Lazy Evaluation:** Secrets are fetched only when accessed, not at config load time | ||
| * **Automatic Registration:** Plugins auto-register on Hydra initialization via plugin discovery | ||
| * **JSON Support:** Extract specific keys from JSON-formatted secrets | ||
| * **No Hardcoded Values:** Config files show only resolver strings, never actual secrets | ||
| * **Type Safe:** Proper error messages for misconfiguration | ||
|
|
||
| Installation | ||
| ------------ | ||
|
|
||
| Install the cloud provider extra you need: | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| # AWS | ||
| pip install mxm-scaffold[aws_secrets] | ||
|
|
||
| # Google Cloud | ||
| pip install mxm-scaffold[gcp_secrets] | ||
|
|
||
| # Azure | ||
| pip install mxm-scaffold[azure_secrets] | ||
|
|
||
| Or install all secrets plugins: | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| pip install mxm-scaffold[all] | ||
|
|
||
| Google Cloud Secret Manager (GCP) | ||
| ---------------------------------- | ||
|
|
||
| The GCP plugin provides a ``gcp_secret`` resolver for accessing secrets from GCP Secret Manager. | ||
|
|
||
| Configuration in YAML | ||
| """""""""""""""""""""" | ||
|
|
||
| .. code-block:: yaml | ||
|
|
||
| database: | ||
| # Simple string secret | ||
| password: "${gcp_secret:my-project-id/db-password}" | ||
|
|
||
| # Extract a key from a JSON secret | ||
| username: "${gcp_secret:my-project-id/db-credentials,username}" | ||
| api_key: "${gcp_secret:my-project-id/db-credentials,api_key}" | ||
|
|
||
| auth: | ||
| # Using full resource name | ||
| token: "${gcp_secret:projects/my-project-123/secrets/auth-token/versions/latest}" | ||
|
|
||
| Authentication | ||
| """"""""""""""" | ||
|
|
||
| GCP Secret Manager uses Application Default Credentials. Ensure your environment is configured: | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json | ||
|
|
||
| Testing with Real GCP Resources | ||
| """"""""""""""""""""""""""""""""" | ||
|
|
||
| To test the GCP plugin with actual secrets: | ||
|
|
||
| 1. **Install dependencies:** | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| uv sync --extra gcp_secrets | ||
|
|
||
| 2. **Update the test configuration** at ``test/hydra_plugins/manual/gcp_secret_real_case.yaml``: | ||
|
|
||
| Replace ``my-project-id`` and secret names with your actual GCP project ID and secret names: | ||
|
|
||
| .. code-block:: yaml | ||
|
|
||
| secrets: | ||
| service_token: "${gcp_secret:YOUR-GCP-PROJECT-ID/your-secret-name}" | ||
| db_username: "${gcp_secret:YOUR-GCP-PROJECT-ID/db-credentials,username}" | ||
| db_password: "${gcp_secret:YOUR-GCP-PROJECT-ID/db-credentials,password}" | ||
|
|
||
| 3. **Set up GCP credentials:** | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. missing a step on how to put the secret into the gcp secret manager first, fine if we just link there to official docs, but would be nice to have it here.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think make sense to put it here |
||
|
|
||
| .. code-block:: bash | ||
|
|
||
| export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json | ||
|
|
||
| 4. **Run the integration test:** | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| python test/hydra_plugins/manual/run_gcp_secret_real_case.py | ||
|
|
||
| This will resolve all ``gcp_secret`` interpolations against real GCP Secret Manager. By default, secret values are redacted for safety. To see full values (on secure terminals only): | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| python test/hydra_plugins/manual/run_gcp_secret_real_case.py --show-values | ||
|
|
||
| AWS Secrets Manager | ||
| -------------------- | ||
|
|
||
| The AWS plugin provides an ``aws_secret`` resolver for accessing secrets from AWS Secrets Manager. | ||
|
|
||
| Configuration in YAML | ||
| """""""""""""""""""""" | ||
|
|
||
| .. code-block:: yaml | ||
|
|
||
| database: | ||
| password: "${aws_secret:my-database-secret}" | ||
| username: "${aws_secret:my-database-secret,username}" | ||
|
|
||
| See ``src/hydra_plugins/aws_secrets_plugin/README.md`` for detailed documentation. | ||
|
|
||
| Azure Key Vault | ||
| ---------------- | ||
|
|
||
| The Azure plugin provides an ``azure_secret`` resolver for accessing secrets from Azure Key Vault. | ||
|
|
||
| Configuration in YAML | ||
| """""""""""""""""""""" | ||
|
|
||
| .. code-block:: yaml | ||
|
|
||
| database: | ||
| password: "${azure_secret:my-vault,my-secret}" | ||
|
|
||
| See ``src/hydra_plugins/azure_secrets_plugin/README.md`` for detailed documentation. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| # AWS Secrets Manager Plugin | ||
|
|
||
| This plugin registers an OmegaConf custom resolver for AWS Secrets Manager, enabling secure lazy-loaded secret injection into Hydra configurations. | ||
|
|
||
| ## Installation | ||
|
|
||
| ### Option 1: Install with optional dependency (recommended) | ||
|
|
||
| ```bash | ||
| pip install mxm-scaffold[aws_secrets] | ||
| ``` | ||
|
|
||
| ### Option 2: Install SDK directly | ||
|
|
||
| ```bash | ||
| pip install boto3 | ||
| ``` | ||
|
|
||
| ## Usage in YAML Configs | ||
|
|
||
| ```yaml | ||
| database: | ||
| password: "${aws_secret:secret_name, key_name}" | ||
| host: "prod-db.example.com" | ||
| ``` | ||
|
|
||
| ### Arguments | ||
|
|
||
| - `secret_id`: The name or ARN of the secret in AWS Secrets Manager | ||
| - `key` (optional): If the secret is JSON-formatted, extract this specific key from it | ||
|
|
||
| ## Examples | ||
|
|
||
| ### Simple String Secret | ||
|
|
||
| ```yaml | ||
| api: | ||
| token: "${aws_secret:prod/api/token}" | ||
| ``` | ||
|
|
||
| ### JSON Secret with Key Extraction | ||
|
|
||
| ```yaml | ||
| database: | ||
| password: "${aws_secret:prod/db/credentials, password}" | ||
| username: "${aws_secret:prod/db/credentials, username}" | ||
| ``` | ||
|
|
||
| ## Features | ||
|
|
||
| - **Lazy Evaluation**: Secrets are fetched only when accessed, not at config load time | ||
| - **No Hardcoded Values**: Config files show only the resolver string, never the actual secret | ||
| - **Automatic Registration**: The plugin auto-registers on Hydra initialization | ||
| - **JSON Support**: Extract specific keys from JSON-formatted secrets | ||
| - **Type Safe**: Proper error messages for misconfiguration |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| """AWS Secrets Manager resolver for Hydra. | ||
|
|
||
| Registers a custom OmegaConf resolver for AWS Secrets Manager to enable secure, | ||
| lazy-loaded secret injection into Hydra configurations. | ||
| """ |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| """AWS Secrets Manager resolver plugin. | ||
|
|
||
| This module automatically registers an OmegaConf resolver for AWS Secrets Manager | ||
| when Hydra initializes. Secrets are fetched lazily on-demand. | ||
|
|
||
| Usage in YAML configs: | ||
| password: "${aws_secret:secret_name, key_name}" | ||
| """ | ||
| import json | ||
| from typing import Optional | ||
|
|
||
| from omegaconf import OmegaConf | ||
|
|
||
|
|
||
| def get_aws_secret(secret_id: str, key: Optional[str] = None) -> str: | ||
| """Fetch a secret from AWS Secrets Manager. | ||
|
|
||
| Args: | ||
| secret_id: The name or ARN of the secret in Secrets Manager. | ||
| key: Optional key if the secret is JSON. If provided, returns the value | ||
| for that key from the JSON secret string. | ||
|
|
||
| Returns: | ||
| The secret value as a string. | ||
|
|
||
| Raises: | ||
| ImportError: If boto3 is not installed. | ||
| Exception: If the secret cannot be retrieved from AWS. | ||
| """ | ||
| try: | ||
| import boto3 | ||
| except ImportError: | ||
| raise ImportError( | ||
| "boto3 is not installed. Install it with: pip install boto3" | ||
| ) | ||
|
|
||
| client = boto3.client("secretsmanager") | ||
| response = client.get_secret_value(SecretId=secret_id) | ||
|
|
||
| secret_str = response.get("SecretString") or response.get("SecretBinary", "") | ||
|
|
||
| if key: | ||
| try: | ||
| secret_dict = json.loads(secret_str) | ||
| return secret_dict.get(key, "") | ||
| except json.JSONDecodeError: | ||
| raise ValueError( | ||
| f"Secret '{secret_id}' is not valid JSON. " | ||
| f"Cannot extract key '{key}'." | ||
| ) | ||
|
|
||
| return secret_str | ||
|
|
||
|
|
||
| def register_aws_resolver() -> None: | ||
| """Register the AWS Secrets Manager resolver with OmegaConf. | ||
|
|
||
| This function is called automatically when Hydra initializes due to the | ||
| plugin discovery mechanism. | ||
| """ | ||
| OmegaConf.register_new_resolver("aws_secret", get_aws_secret, replace=True) | ||
|
|
||
|
|
||
| # Automatically register resolver when this module is imported | ||
| register_aws_resolver() |
Uh oh!
There was an error while loading. Please reload this page.