
Load Vault-injected secrets into Python apps and track their usage.


Vaultpy

Parse injected Vault secrets and track their usage with Datadog.

Requirements

Setup

For production, use the VAULTPY_SECRETS_PATH environment variable to set the path to the secrets that are injected by the Vault Agent in Kubernetes. This defaults to /vault/secrets/secrets. You will also need to set VAULTPY_ENABLE_VAULT (default false) to use injected secrets rather than loading them from a de_secrets module.

For local development, a de_secrets.py can be used to load secrets in a format not unlike Django settings.

Lastly, you can toggle secret access tracking with Datadog via VAULTPY_DATADOG_ENABLE. This defaults to true because we want this in production, but it ought to be disabled in development environments.

Usage

Import vault.secrets and then access the loaded secrets through the dynamic properties loaded into the secrets object (i.e. secrets.FOO).

Example of usage in a settings file:

from vault import secrets

FOO = secrets.FOO
BAR = getattr(secrets, "BAR", "")
BAZ = getattr(secrets, "BAZ")
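
The loading behaviour described under Setup and Usage, sketched as an added example (this is not vaultpy's own code). The names Secrets and load_secrets, the JSON file format, the accepted truthy spellings and the Counter standing in for the Datadog metric are all assumptions made for illustration.

```python
import json
import os
from collections import Counter


def _flag(name, default):
    """Read a boolean environment variable (truthy spellings are an assumption)."""
    return os.environ.get(name, default).strip().lower() in ("1", "true", "yes")


class Secrets:
    """Exposes loaded secrets as attributes and counts reads by secret name."""

    def __init__(self, values, track):
        self._values = dict(values)
        self._track = track
        self.access_counts = Counter()  # stand-in for a Datadog counter metric

    def __getattr__(self, name):
        # Only reached for names not found normally, i.e. the secret keys.
        if name.startswith("_") or name not in self._values:
            raise AttributeError(name)  # lets getattr(secrets, "BAR", "") fall back
        if self._track:
            self.access_counts[name] += 1  # record the name only, never the value
        return self._values[name]


def load_secrets(dev_module=None):
    """Build a Secrets object from the injected file or a local dev module."""
    track = _flag("VAULTPY_DATADOG_ENABLE", "true")
    if _flag("VAULTPY_ENABLE_VAULT", "false"):
        path = os.environ.get("VAULTPY_SECRETS_PATH", "/vault/secrets/secrets")
        # Assumption: the injected file is a JSON object. A missing or malformed
        # file raises here, so the app fails at startup instead of running
        # with empty credentials.
        with open(path, encoding="utf-8") as fh:
            values = json.load(fh)
        if not isinstance(values, dict):
            raise ValueError("secrets file must contain a JSON object")
    else:
        # Development: take upper-case names from a de_secrets-style module.
        values = {k: v for k, v in vars(dev_module).items() if k.isupper()}
    return Secrets(values, track)
```

In this sketch a missing secret raises AttributeError, so getattr(secrets, "BAR", "") yields an empty string while secrets.FOO and getattr(secrets, "BAZ") fail loudly; reserve the default form for values the application can run without.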