This project is designed to simplify access to the secrets stored in the Secret Manager within Google Cloud Platform (GCP) during the development life cycle of Python apps.
Let's imagine you are working on a Python-based application running in Google Cloud Run as part of a team. In this case:
- Development is done locally on your machine,
- Code versioning and CI/CD pipelines are orchestrated with a Git repository such as GitHub,
- The deployed application is running in Cloud Run, where the secrets are mounted as environment variables.
The problem is that you need to have the secret available in your local environment, as well as in the environment where the application unit and integration tests are running, and finally in the Cloud Run environment.
This Python package unifies access to secrets across all of the environments mentioned above. It first checks whether the secret is available as an environment variable. If not, it tries to load it from the Secret Manager using the default application credentials sourced from the GOOGLE_APPLICATION_CREDENTIALS environment variable.
This approach lets you keep the same codebase for all environments; only the default application credentials need to be carefully maintained.
# import the Secret Assessor class
from surquest.GCP.secret_assessor import Secret
secret = Secret.get("MY_SECRET") # returns the secret value
# If your secret is a JSON string, you can load it as a dictionary
secret = Secret.get("MY_SECRET", parse="JSON") # returns the secret value as a dictionary
# If your secret is a YAML string, you can load it as a dictionary
secret = Secret.get("MY_SECRET", parse="YAML") # returns the secret value as a dictionary
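The lookup order described above (environment variable first, Secret Manager second), written out as an added example that is not this package's own code. `resolve_secret`, its `environ` and `fetch` parameters and the explicit `project` argument are assumptions for illustration, as is treating an empty environment variable as unset.

```python
import json
import os
from typing import Any, Callable, Mapping, Optional, Tuple


def fetch_from_secret_manager(name: str, project: str, version: str = "latest") -> str:
    """Read one secret version using the default application credentials."""
    # Imported lazily so the environment-variable path needs no GCP libraries.
    from google.cloud import secretmanager

    client = secretmanager.SecretManagerServiceClient()
    path = f"projects/{project}/secrets/{name}/versions/{version}"
    response = client.access_secret_version(request={"name": path})
    return response.payload.data.decode("utf-8")


def resolve_secret(
    name: str,
    project: str,
    parse: Optional[str] = None,
    environ: Optional[Mapping[str, str]] = None,
    fetch: Callable[[str, str], str] = fetch_from_secret_manager,
) -> Tuple[Any, str]:
    """Return (value, source), where source is 'env' or 'secret-manager'."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw:
        source = "env"
    else:
        # Assumption: an empty variable (e.g. a CI secret that was not
        # injected) counts as unset, so the lookup falls through.
        raw, source = fetch(name, project), "secret-manager"
    if parse == "JSON":
        try:
            return json.loads(raw), source
        except json.JSONDecodeError:
            # Report only the name and source, never the payload itself.
            raise ValueError(f"secret {name!r} from {source} is not valid JSON") from None
    return raw, source


if __name__ == "__main__":
    # Constructed sample input: the variable is set, so no GCP call is made.
    value, source = resolve_secret("MY_SECRET", "demo-project",
                                   environ={"MY_SECRET": "local-value"})
    print(f"MY_SECRET resolved from {source}")  # prints the source, not the value
```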
You are more than welcome to contribute to this project. To make your start easier, we have prepared a Docker image with all the necessary tools, which you can use as an interpreter for PyCharm or to run the tests.
docker build `
--tag surquest/gcp/secretassessor `
--file package.base.dockerfile `
--target test .
docker run --rm -it `
-v "${pwd}:/opt/project" `
-e "GOOGLE_APPLICATION_CREDENTIALS=/opt/project/credentials/keyfile.json" `
-w "/opt/project/test" `
surquest/gcp/secretassessor pytest