The Delinea DevOps Secrets Vault
(DSV) Python SDK contains classes that interact with the DSV REST API.
python -m pip install python-dsv-sdk
There are two ways in which you can authorize the SecretsVault
class to fetch secrets.
- Password Authorization (with
PasswordGrantAuthorizer
) - Access Token Authorization (with
AccessTokenAuthorizer
)
If using a traditional client_id
and a client_secret
to authenticate in to your DevOps Secrets Vault, you can pass the PasswordGrantAuthorizer
into the SecretsVault
class at instantiation. The PasswordGrantAuthorizer
requires a base_url
, username
, and password
. It optionally takes a token_path_uri
, but defaults to /v1/token
.
from delinea.secrets.vault import PasswordGrantAuthorizer
authorizer = PasswordGrantAuthorizer("https://mytenant.secretsvaultcloud.com/", "my_client_id", "my_client_secret")
If you already have a valid access_token
, you can pass directly via the AccessTokenAuthorizer
.
from delinea.secrets.vault import AccessTokenAuthorizer
authorizer = AccessTokenAuthorizer("YgJ1slfZs8ng9bKsRsB-tic0Kh8I...")
Instantiate SecretsVault
by passing your base_url
and Authorizer
as arguments:
from delinea.secrets.vault import SecretsVault
vault = SecretsVault("https://mytenant.secretsvaultcloud.com/", authorizer)
Secrets can be fetched using the get_secret
method, which takes the secret_path
of the secret and returns a json
object. Alternatively, you can use pass the json to VaultSecret
which returns a dataclass
object representation of the secret:
from delinea.secrets.vault import VaultSecret
secret = VaultSecret(**vault.get_secret("/test/secret"))
print(f"username: {secret.data['username']}\npassword: {secret.data['password']}")
When using a self-signed certificate for SSL, the REQUESTS_CA_BUNDLE
environment variable should be set to the path of the certificate (in .pem
format). This will negate the need to ignore SSL certificate verification, which makes your application vunerable. Please reference the requests
documentation for further details on the REQUESTS_CA_BUNDLE
environment variable, should you require it.
The SDK requires Python 3.7 or higher.
Assuming that you have a supported version of Python installed, you can clone this repository and set up your environment with:
# Clone the repo
git clone https://github.com/DelineaXPM/python-dsv-sdk
cd python-dsv-sdk
# Create a virtual environment
python -m venv venv
. venv/bin/activate
# Install dependencies
python -m pip install --upgrade pip
pip install -r requirements.txt
Valid credentials are required to run the unit tests. The credentials should be stored in environment variables or in a .env
file:
export DSV_CLIENT_ID=""
export DSV_CLIENT_SECRET=""
export DSV_BASE_URL="https://my.secretsvaultcloud.com/"
The tests assume that the client associated with the specified CLIENT_ID
can read the secret with the path /test/sdk/simple
.
Note: The secret path can be changed manually in
test_server.py
to a secret path that the client can access.
To run the tests with tox
:
tox
To build the package, use Flit:
flit build