Python 3.6+ library to manage your application secrets with Google Cloud KMS
The secret store currently supported is Google Cloud KMS. Other secret stores (like EJSON or AWS KMS) may be added (contributions are welcome).
Google KMS is a service that manages encryption keys for you. It also offers API calls to encrypt/decrypt arbitrary payloads with those keys. A Google KMS key is identified by a "resource id".
The secret store is a directory composed of:
- a special file to store the key id (`_google_kms_key_id`)
- files containing plaintext secrets
- files containing encrypted secrets with an `.enc` extension
- files prefixed with `_`, never encrypted
$ pip install appsecrets
...
Python API
import appsecrets
secrets = appsecrets.Secrets('secrets/production')
plaintext = secrets.decrypt('secret1')
Command line
Initialize the secret store:
$ appsecrets create secrets/production --google-kms projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1
Or manually:
$ mkdir -p secrets/production
$ echo 'projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1' > secrets/production/_google_kms_key_id
$ echo 'MYSECRET' > secrets/production/secret1
Check that all secrets are encrypted:
$ appsecrets check secrets/production
Encrypt all the plaintext secrets:
$ appsecrets encrypt secrets/production
Decrypt a single secret:
$ appsecrets decrypt secrets/production secret1
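The layout rules above (key id file, `.enc` suffix, `_` prefix) are simple enough to audit without calling KMS at all, which is what `appsecrets check` is for. The following is an added example, not code from the appsecrets project: it walks a store directory, classifies each file by those rules, and reports plaintext secrets that still need encrypting, a missing or malformed key id, and a secret that exists both as plaintext and as `.enc`. The resource id format it validates is the one shown in the `appsecrets create` command above; the sample store it builds in a temporary directory is constructed here for the demonstration.

```python
import os
import re
import tempfile

KEY_ID_FILE = "_google_kms_key_id"
ENC_SUFFIX = ".enc"
# Shape of a Google KMS crypto key resource id, as used in the README's example.
KEY_ID_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")


def classify(name):
    """Classify one file name by the store layout rules.

    Returns 'key_id', 'ignored' (underscore-prefixed, never encrypted),
    'encrypted' (.enc suffix) or 'plaintext' (everything else).
    """
    if name == KEY_ID_FILE:
        return "key_id"
    if name.startswith("_"):
        return "ignored"
    if name.endswith(ENC_SUFFIX):
        return "encrypted"
    return "plaintext"


def check_store(path):
    """Audit a secret store directory and return a report dict.

    Keys: key_id (str or None), plaintext, encrypted, ignored (lists of
    secret names) and problems (human-readable findings; empty means clean).
    """
    report = {"key_id": None, "plaintext": [], "encrypted": [], "ignored": [], "problems": []}
    if not os.path.isdir(path):
        report["problems"].append(f"{path} is not a directory")
        return report
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue  # the layout only defines files; skip subdirectories
        kind = classify(name)
        if kind == "key_id":
            with open(full, encoding="utf-8") as f:
                report["key_id"] = f.read().strip()
        elif kind == "encrypted":
            report["encrypted"].append(name[: -len(ENC_SUFFIX)])
        elif kind == "plaintext":
            report["plaintext"].append(name)
        else:
            report["ignored"].append(name)
    # Findings, in the order a practitioner would want to fix them.
    if not report["key_id"]:
        report["problems"].append(f"missing or empty {KEY_ID_FILE}")
    elif not KEY_ID_RE.match(report["key_id"]):
        report["problems"].append(f"{KEY_ID_FILE} does not look like a KMS crypto key resource id")
    for name in report["plaintext"]:
        report["problems"].append(f"{name} is stored in plaintext (run `appsecrets encrypt`)")
        if name in report["encrypted"]:
            report["problems"].append(f"{name} exists both as plaintext and as {name}{ENC_SUFFIX}")
    return report


def build_sample_store():
    """Constructed sample store: one encrypted secret, one plaintext leftover,
    one secret present in both forms, one ignored file. Returns its path."""
    root = tempfile.mkdtemp(prefix="appsecrets-demo-")
    files = {
        KEY_ID_FILE: "projects/project-1/locations/global/keyRings/keyring1/cryptoKeys/key1\n",
        "secret1.enc": "<constructed ciphertext placeholder>\n",
        "secret2": "MYSECRET\n",
        "secret3": "OTHERSECRET\n",
        "secret3.enc": "<constructed ciphertext placeholder>\n",
        "_notes": "not a secret\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    store = build_sample_store()
    result = check_store(store)
    print(f"key id: {result['key_id']}")
    print(f"encrypted: {result['encrypted']}  plaintext: {result['plaintext']}  ignored: {result['ignored']}")
    for problem in result["problems"]:
        print(f"PROBLEM: {problem}")
```

Running it on the sample store prints three problems (two plaintext leftovers and the `secret3` duplicate); a clean store yields an empty `problems` list, which is the condition a CI job would gate on before deploying. Underscore-prefixed files are listed as ignored rather than flagged, matching the layout rule that they are never encrypted.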
AppSecrets uses DevBuddy. If you don't want to use DevBuddy, take a look at the file `dev.yml` to see how the project is set up, linted, tested and released.
- Install DevBuddy
- Run `bud up` to set up the development environment
Run the tests:
$ bud test
Create a new release:
$ bud release 0.4.0
Publish the release:
$ bud publish