Secret Manager

bibtutils.gcp.secrets

Functionality making use of GCP’s Secret Manager.

See the official Secret Manager Python Client documentation here: link.

bibtutils.gcp.secrets.get_secret(host_project, secret_name, **kwargs)

An alias for get_secret_json(). Any extra arguments (kwargs) are passed to the get_secret_by_uri() function.

from bibtutils.gcp.secrets import get_secret
secret = get_secret('my_project', 'my_secret')
print(secret['password'])
Parameters:
  • host_project (str) – the name of the host project of the secret.

  • secret_name (str) – the name of the secret to fetch.

Return type:

dict

Returns:

the secret data.

bibtutils.gcp.secrets.get_secret_by_name(host_project, secret_name, **kwargs)

Gets a secret from GCP and returns it either as decoded UTF-8 or as raw bytes (depending on the decode parameter). The executing account must have (at least) secret version accessor permissions on the secret. Any extra arguments (kwargs) are passed to the get_secret_by_uri() function.

from bibtutils.gcp.secrets import get_secret_by_name
secret = get_secret_by_name('my_project', 'my_secret')
print(secret)
Parameters:
  • host_project (str) – the name of the host project of the secret.

  • secret_name (str) – the name of the secret to fetch.

  • decode (bool) – (Optional) whether or not to decode the bytes. Defaults to True.

Return type:

bytes OR str

Returns:

the secret data.

bibtutils.gcp.secrets.get_secret_by_uri(secret_uri, decode=True, credentials=None, timeout=None)

Gets a secret from GCP and returns it either as decoded UTF-8 or as raw bytes (depending on the decode parameter). The executing account must have (at least) secret version accessor permissions on the secret.

from bibtutils.gcp.secrets import get_secret_by_uri
secret = get_secret_by_uri(
    'projects/my_project/secrets/my_secret/versions/latest'
)
print(secret)
Parameters:
  • secret_uri (str) – the URI of the secret to fetch. Secret URI format: 'projects/{host_project}/secrets/{secret_name}/versions/latest'

  • decode (bool) – (Optional) whether or not to decode the bytes. Defaults to True.

  • credentials (google.oauth2.credentials.Credentials) – the credentials object to use when making the API call, instead of authenticating as the account running the function.

  • timeout (float) – request timeout may be specified if desired.

Return type:

bytes OR str

Returns:

the secret data.

bibtutils.gcp.secrets.get_secret_json(host_project, secret_name, **kwargs)

Gets a secret from GCP and returns it parsed into a dict. The executing account must have (at least) secret version accessor permissions on the secret. Note: the secret must be in JSON format. Any extra arguments (kwargs) are passed to the get_secret_by_uri() function.

from bibtutils.gcp.secrets import get_secret_json
secret = get_secret_json('my_project', 'my_secret')
print(secret['password'])
Parameters:
  • host_project (str) – the name of the host project of the secret.

  • secret_name (str) – the name of the secret to fetch.

Return type:

dict

Returns:

the secret data.
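
The following is an added example, not part of bibtutils: a wrapper around get_secret_by_uri() that builds the documented URI from validated components, checks that a JSON secret has the expected keys, and produces a log-safe summary instead of printing values. The helper names (secret_uri, load_json_secret, describe, stub_fetch) and the sample secret are assumptions made for illustration; pinning a numeric version instead of 'latest' is a Secret Manager feature that the page itself does not show.

```python
import json
import re

# Secret Manager secret IDs: letters, digits, hyphens, underscores, max 255 chars.
_SECRET_ID = re.compile(r"[A-Za-z0-9_-]{1,255}")
_VERSION = re.compile(r"latest|[1-9][0-9]*")


def secret_uri(host_project, secret_name, version="latest"):
    """Build the URI format documented above, rejecting components that
    would change which resource is addressed (e.g. an embedded '/')."""
    if not host_project or "/" in host_project:
        raise ValueError("invalid host_project")
    if not _SECRET_ID.fullmatch(secret_name):
        raise ValueError("invalid secret_name")
    if not _VERSION.fullmatch(str(version)):
        raise ValueError("invalid version")
    return f"projects/{host_project}/secrets/{secret_name}/versions/{version}"


def load_json_secret(host_project, secret_name, required_keys,
                     version="latest", timeout=10.0, fetch=None):
    """Fetch a JSON secret and check its shape without exposing its values."""
    if fetch is None:  # lazy import so the stub below works without GCP access
        from bibtutils.gcp.secrets import get_secret_by_uri as fetch
    raw = fetch(secret_uri(host_project, secret_name, version),
                decode=True, timeout=timeout)
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        data = None  # raise outside the handler: the exception keeps the payload in .doc
    if not isinstance(data, dict):
        raise ValueError(f"secret {secret_name!r} is not a JSON object")
    missing = sorted(set(required_keys) - data.keys())
    if missing:
        raise ValueError(f"secret {secret_name!r} lacks keys: {missing}")
    return data


def describe(secret):
    """Log-safe summary: key names only, never values."""
    return {key: "<redacted>" for key in sorted(secret)}


def stub_fetch(uri, decode=True, timeout=None):
    """Constructed stand-in for get_secret_by_uri(); returns sample data."""
    return '{"username": "svc-app", "password": "constructed-example"}'
```

Pass fetch=stub_fetch to try it offline; omit fetch to call the real get_secret_by_uri() with the executing account's permissions.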