# Vault User Storage Example

Each JupyterHub user has their own private storage space in Vault at `/secret/jupyter/users/<username>/`

## Setup and Authentication

In [None]:
import os
import hvac
import json
from datetime import datetime

# Get environment variables
username = os.getenv('JUPYTERHUB_USER', 'testuser')
vault_addr = os.getenv('VAULT_ADDR', 'https://vault.example.com')
oidc_token = os.getenv('JUPYTERHUB_OIDC_ACCESS_TOKEN')

if not oidc_token:
    raise ValueError("OIDC token not found. Make sure auth_state is enabled.")

# Initialize Vault client
client = hvac.Client(url=vault_addr, verify=False)

# Authenticate with JupyterHub token
client.auth.jwt.jwt_login(
    role='jupyter-token',
    jwt=oidc_token,
    path='jwt'
)

print(f"Authenticated as: {username}")
print(f"User storage path: secret/jupyter/users/{username}/")

## Store User Preferences

In [None]:
# Store user preferences
preferences = {
    'theme': 'dark',
    'language': 'en',
    'font_size': 14,
    'auto_save': True,
    'last_updated': datetime.now().isoformat()
}

client.secrets.kv.v2.create_or_update_secret(
    path=f'jupyter/users/{username}/preferences',
    secret=preferences,
    mount_point='secret'
)

print(f"Saved preferences for {username}")
print(json.dumps(preferences, indent=2))

# Read back preferences
response = client.secrets.kv.v2.read_secret_version(
    path=f'jupyter/users/{username}/preferences',
    mount_point='secret',
    raise_on_deleted_version=False
)

stored_prefs = response['data']['data']
print("Retrieved preferences:")
print(json.dumps(stored_prefs, indent=2))

In [None]:
# Store API keys securely
api_keys = {
    'openai_key': 'sk-your-api-key-here',
    'github_token': 'ghp_your-token-here',
    'aws_access_key': 'AKIA-example',
    'aws_secret_key': 'your-secret-here'
}

client.secrets.kv.v2.create_or_update_secret(
    path=f'jupyter/users/{username}/api-keys',
    secret=api_keys,
    mount_point='secret'
)

print(f"Stored {len(api_keys)} API keys for {username}")

## Store Database Connections

In [None]:
# Store database connection info
db_connections = {
    'postgres_prod': {
        'host': 'db.example.com',
        'port': 5432,
        'database': 'production',
        'username': 'app_user',
        'password': 'secure-password-123'
    },
    'mongodb_analytics': {
        'connection_string': 'mongodb://user:pass@mongo.example.com:27017/analytics'
    }
}

client.secrets.kv.v2.create_or_update_secret(
    path=f'jupyter/users/{username}/databases',
    secret=db_connections,
    mount_point='secret'
)

print(f"Stored {len(db_connections)} database connections")

## Read Stored Secrets

In [None]:
# Read back preferences
response = client.secrets.kv.v2.read_secret_version(
    path=f'jupyter/users/{username}/preferences',
    mount_point='secret',
    raise_on_deleted_version=False
)

stored_prefs = response['data']['data']
print("Retrieved preferences:")
print(json.dumps(stored_prefs, indent=2))

class UserVaultStorage:
    """Helper class for managing user's Vault storage"""
    
    def __init__(self):
        self.username = os.getenv('JUPYTERHUB_USER')
        self.client = hvac.Client(
            url=os.getenv('VAULT_ADDR'),
            verify=False
        )
        self._authenticate()
        self.base_path = f'jupyter/users/{self.username}'
    
    def _authenticate(self):
        token = os.getenv('JUPYTERHUB_OIDC_ACCESS_TOKEN')
        self.client.auth.jwt.jwt_login(
            role='jupyter-token',
            jwt=token,
            path='jwt'
        )
    
    def save(self, key, data):
        """Save data to user's Vault storage"""
        path = f'{self.base_path}/{key}'
        self.client.secrets.kv.v2.create_or_update_secret(
            path=path,
            secret=data,
            mount_point='secret'
        )
        return path
    
    def load(self, key):
        """Load data from user's Vault storage"""
        path = f'{self.base_path}/{key}'
        response = self.client.secrets.kv.v2.read_secret_version(
            path=path,
            mount_point='secret',
            raise_on_deleted_version=False
        )
        return response['data']['data'] if response else None
    
    def delete(self, key):
        """Delete data from user's Vault storage"""
        path = f'{self.base_path}/{key}'
        self.client.secrets.kv.v2.delete_metadata_and_all_versions(
            path=path,
            mount_point='secret'
        )
    
    def list(self):
        """List all keys in user's storage"""
        try:
            response = self.client.secrets.kv.v2.list_secrets(
                path=self.base_path,
                mount_point='secret'
            )
            return response['data']['keys']
        except:
            return []

# Usage example
storage = UserVaultStorage()

# Save model parameters
storage.save('ml-model-config', {
    'model_type': 'random_forest',
    'n_estimators': 100,
    'max_depth': 10,
    'training_date': datetime.now().isoformat()
})

# Load them back
config = storage.load('ml-model-config')
print("Loaded config:", config)

# List all stored items
print(f"\nAll stored items: {storage.list()}")

In [None]:
# List all secrets in user's directory
try:
    secrets_list = client.secrets.kv.v2.list_secrets(
        path=f'jupyter/users/{username}',
        mount_point='secret'
    )
    
    print(f"Secrets stored for {username}:")
    for secret in secrets_list['data']['keys']:
        print(f"  - {secret}")
except Exception as e:
    print(f"No secrets found or error: {e}")

## Helper Class for User Storage

In [None]:
class UserVaultStorage:
    """Helper class for managing user's Vault storage"""
    
    def __init__(self):
        self.username = os.getenv('JUPYTERHUB_USER')
        self.client = hvac.Client(
            url=os.getenv('VAULT_ADDR'),
            verify=False
        )
        self._authenticate()
        self.base_path = f'jupyter/users/{self.username}'
    
    def _authenticate(self):
        token = os.getenv('JUPYTERHUB_OIDC_ACCESS_TOKEN')
        self.client.auth.jwt.jwt_login(
            role='jupyter-token',
            jwt=token,
            path='jwt'
        )
    
    def save(self, key, data):
        """Save data to user's Vault storage"""
        path = f'{self.base_path}/{key}'
        self.client.secrets.kv.v2.create_or_update_secret(
            path=path,
            secret=data,
            mount_point='secret'
        )
        return path
    
    def load(self, key):
        """Load data from user's Vault storage"""
        path = f'{self.base_path}/{key}'
        response = self.client.secrets.kv.v2.read_secret_version(
            path=path,
            mount_point='secret',
            raise_on_deleted_version=False
        )
        return response['data']['data'] if response else None
    
    def delete(self, key):
        """Delete data from user's Vault storage"""
        path = f'{self.base_path}/{key}'
        self.client.secrets.kv.v2.delete_metadata_and_all_versions(
            path=path,
            mount_point='secret'
        )
    
    def list(self):
        """List all keys in user's storage"""
        try:
            response = self.client.secrets.kv.v2.list_secrets(
                path=self.base_path,
                mount_point='secret'
            )
            return response['data']['keys']
        except:
            return []

# Usage example
storage = UserVaultStorage()

# Save model parameters
storage.save('ml-model-config', {
    'model_type': 'random_forest',
    'n_estimators': 100,
    'max_depth': 10,
    'training_date': datetime.now().isoformat()
})

# Load them back
config = storage.load('ml-model-config')
print("Loaded config:", config)

# List all stored items
print(f"\nAll stored items: {storage.list()}")

## Environment Variables Helper

In [None]:
def load_env_from_vault(key='environment'):
    """Load environment variables from Vault"""
    storage = UserVaultStorage()
    
    try:
        env_vars = storage.load(key)
        for name, value in env_vars.items():
            os.environ[name] = str(value)
            print(f"Loaded: {name}")
        return list(env_vars.keys())
    except Exception as e:
        print(f"No environment variables found: {e}")
        return []

def save_env_to_vault(env_dict, key='environment'):
    """Save environment variables to Vault"""
    storage = UserVaultStorage()
    path = storage.save(key, env_dict)
    print(f"Saved {len(env_dict)} environment variables to {path}")

# Example: Save current project environment
project_env = {
    'PROJECT_NAME': 'data-analysis',
    'DATA_PATH': '/data/project',
    'MODEL_VERSION': 'v2.1',
    'DEBUG': 'false'
}

save_env_to_vault(project_env)
loaded = load_env_from_vault()
print(f"\nEnvironment ready with {len(loaded)} variables")