Python library help to use Berglas, to encrypt and to decrypt the secrets stored in a GCP storage.
See Berglas for details about bucket bootstrapping and secret creation
You have to get the library
pip install berglas-python
Then use it in the same way as Go library
The library berglas_python library is able to:
- Encrypt and upload the secrets
- Download and decrypt any secrets that match the Berglas environment variable reference syntax
- Replace the value for the environment variable with the decrypted secret
Here an example of usage
import os
import berglas_python as berglas
project_id = os.environ.get("MY-PROJECT")
# This higher-level API parses the secret reference at the specified
# environment variable, downloads and decrypts the secret, and replaces the
# contents of the given environment variable with the secret result.
berglas.Replace(project_id, "MY-SECRET")
# This lower-level API parses the secret reference, downloads and decrypts
# the secret, and returns the result. This is useful if you need to mutate
# the result.
my_secret = os.environ.get("MY-SECRET")
plaintext = berglas.Resolve(project_id, my_secret)
os.environ.unsetenv("MY-SECRET")
os.environ.setdefault("MY-SECRET", plaintext)
# This is lower-level API encrypts the plaintext string and uploads the blob
berglas.Encrypt(project_id, 'MY-BUCKET/MY-SECRET-FILE', 'STRING-TO-ENCRYPT')
This library is licensed under Apache 2.0. Full license text is available in LICENSE.