grove.secrets package¶

Provides Grove secret storage using supported backends.

class grove.secrets.BaseSecret[source]¶

Bases: ABC

abstract get(path: str) → str[source]¶

Gets the secret with the given identifier from the given backend.

Parameters:: path – The path to the credential to get.
Returns:: The decoded plain-text credential for use by connectors.

load(configurations: List[ConnectorConfig]) → List[ConnectorConfig][source]¶

Gets secrets from the backend, inserting them into configuration objects.

This method should not be implemented by secrets handlers, as the operations should be identical between implementations (calls to get()).

Parameters:: configurations – A list of ConnectorConfig objects from the configuration backend.
Returns:: A list of ConnectorConfig objects with secrets included.

Submodules¶

grove.secrets.aws_ssm module¶

Grove AWS SSM parameter store secret handler.

Bases: BaseSettings

Defines environment variables used to configure the AWS SSM handler.

This should also include any appropriate default values for fields which are not required.

class Config[source]¶

Bases: object

Allow environment variable override of configuration fields.

This also enforce a prefix for all environment variables for this handler. As an example the field assume_role_arn would be set using the environment variable GROVE_SECRET_AWS_SSM_ASSUME_ROLE_ARN.

case_insensitive = True¶

env_prefix = 'GROVE_SECRET_AWS_SSM_'¶

assume_role_arn: str | None¶

ssm_region: str | None¶

class grove.secrets.aws_ssm.Handler[source]¶

Bases: BaseSecret

A configuration handler to read secrets from AWS SSM.

get(id: str) → str[source]¶

Gets and returns an encrypted parameter from AWS SSM.

Parameters:: id – The path of the secret to retrieve.
Returns:: The decrypted and plain-text secret.

grove.secrets.hashicorp_vault module¶

Grove HashiCorp Vault secret handler.

Bases: BaseSettings

Defines environment variables used to configure the HashiCorp Vault handler.

This should also include any appropriate default values for fields which are not required.

class Config[source]¶

Bases: object

Allow environment variable override of configuration fields.

This also enforce a prefix for all environment variables for this handler. As an example the field token would be set using the environment variable GROVE_SECRET_HASHICORP_VAULT_TOKEN.

case_insensitive = True¶

env_prefix = 'GROVE_SECRET_HASHICORP_VAULT_'¶

addr: str¶

api_version: str¶

namespace: str | None¶

token: str | None¶

token_file: str | None¶

class grove.secrets.hashicorp_vault.Handler[source]¶

Bases: BaseSecret

get(id: str) → str[source]¶

Gets and returns a secret from Vault.

To allow accessing different values under a configured secret path, this method uses a non-standard convention to encode which “field” of a returned credential is desired. This mimics the behavior of the Vault CLI “-field” option - though this is not a supported HTTP parameter by the Vault API directly.

As an example of this, the following path would provide access to the ‘password’ portion of a credential stored in a KVv2 engine mounted at ‘secret/’:

secret/data/example/demo?field=password

To instead access a ‘token’ portion of a credential stored in the same path, the following would be used:

secret/data/example/demo?field=token

Finally, to perform the same operation against a KVv1 engine mounted at ‘kv/’ the path is almost the same. However, the ‘/data/’ must ALSO be dropped, as this is only required for KVv2:

kv/example/demo?field=token

Parameters:

id – The path of the secret to retrieve - including engine.
name – The name of the secret, defined by the connector configuration. If a ‘field’ is specified in the secret path this parameter will be ignored.

Raises:

AccessException – An issue occurred when getting the secret from Vault.

Returns:

The plain-text secret from vault.

get_field_and_path(path: str) → Tuple[str, str][source]¶

Extracts and removes ‘field’ parameters from a provided secret path.

Parameters:: path – The path from the connector configuration to process.
Raises:: VaultError – An error occurred while parsing data from the path.
Returns:: A tuple containing an extracted field, if any, and a Vault API compatible path.

grove.secrets.local_file module¶

Grove local file secrets handler.

Bases: BaseSettings

Defines environment variables used to configure the local file handler.

This should also include any appropriate default values for fields which are not required.

class Config[source]¶

Bases: object

Allow environment variable override of configuration fields.

This also enforce a prefix for all environment variables for this handler. As an example the field path would be set using the environment variable GROVE_SECRET_LOCAL_FILE_PATH_PREFIX.

case_insensitive = True¶

env_prefix = 'GROVE_SECRET_LOCAL_FILE_'¶

path_prefix: str¶

class grove.secrets.local_file.Handler[source]¶

Bases: BaseSecret

A secret handler to read secrets from local files.

get(id: str) → str[source]¶

Gets and returns an secret from the specified file path.

If a path prefix is configured this will be appended to the beginning of the configured file path. However, if the path of the secret begins with a ‘/’ it the path prefix will be ignored - as it will be considered a fully-qualified path specification.

Parameters:: id – The file to read the secret from.
Returns:: The plain-text secret, read from the specified file.