VaultAPI

Lightweight API to store/retrieve secrets to/from an encrypted Database

Python

Platform Supported

Platform docker-image

Deployments

docker pypi docker_desc

markdown pages

Pypi Pypi-format Pypi-status

Kick off

Recommendations

Install VaultAPI

python -m pip install vaultapi

Initiate - IDE

import vaultapi.server


if __name__ == '__main__':
    vaultapi.server.start()

Initiate - CLI

vaultapi start

Use vaultapi --help for usage instructions.

Environment Variables

Sourcing environment variables from an env file

By default, VaultAPI will look for a .env file in the current working directory.

Mandatory

  • APIKEY - API Key for authentication.

  • SECRET - Secret access key to encode/decode the secrets in Datastore.

Optional (with defaults)

  • TRANSIT_KEY_LENGTH - AES key length for transit encryption. Defaults to 32

  • TRANSIT_TIME_BUCKET - Interval for which the transit epoch should remain constant. Defaults to 60

  • DATABASE - FilePath to store the secrets’ database. Defaults to secrets.db

  • HOST - Hostname for the API server. Defaults to 0.0.0.0 [OR] localhost

  • PORT - Port number for the API server. Defaults to 9010

  • WORKERS - Number of workers for the uvicorn server. Defaults to 1

  • RATE_LIMIT - List of dictionaries with max_requests and seconds to apply as rate limit. Defaults to 5req/2s [AND] 10req/30s

  • ALLOW_PUBLIC_IP - Boolean flag to allow connections via public IP. Defaults to false

  • ALLOW_PRIVATE_IP - Boolean flag to allow connections via private IP. Defaults to false

  • ALLOW_PRIVATE_IP_RANGE - Boolean flag to allow connections via any private IP address (1-256) within range. Defaults to false

Optional (without defaults)

  • LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.

  • ALLOWED_ORIGINS - Origins that are allowed to retrieve secrets.

  • ALLOWED_IP_RANGE - IP range that is allowed to retrieve secrets. (eg: 10.112.8.10-210)

Checkout decryptors for more information about decrypting the retrieved secret from the server.

Auto generate a SECRET value

This value will be used to encrypt/decrypt the secrets stored in the database.

CLI

vaultapi keygen

IDE

from cryptography.fernet import Fernet
print(Fernet.generate_key())

API Functionality

| Endpoint | Description | API method | |——————|——————————————–|————| | /health | API health endpoint | GET | | /get-secret | Retrieve secrets (comma separated list) | GET | | /get-table | Get ALL the secrets stored in a table | GET | | /list-tables | List all available tables | GET | | /put-secret | Store or update a secret (key-value pairs) | PUT | | /delete-secret | Delete a specific secret | DELETE | | /create-table | Create a new table | POST | | /delete-table | Deletes an existing table | DELETE |

Coding Standards

Docstring format: Google
Styling conventions: PEP 8 and isort

Release Notes

Requirement

python -m pip install gitverse

Usage

gitverse-release reverse -f release_notes.rst -t 'Release Notes'

Linting

pre-commit will ensure linting, run pytest, generate runbook & release notes, and validate hyperlinks in ALL markdown files (including Wiki pages)

Requirement

python -m pip install sphinx==5.1.1 pre-commit recommonmark

Usage

pre-commit run --all-files

Pypi Package

pypi-module

https://pypi.org/project/VaultAPI/

Docker Image

made-with-docker-doc

https://hub.docker.com/r/thevickypedia/vaultapi

Runbook

made-with-sphinx-doc

https://thevickypedia.github.io/VaultAPI/