VaultAPI

Lightweight API to store/retrieve secrets to/from an encrypted Database

VaultAPI is designed to be lightweight, secure, and easy to use. Out of the box it provides AES-GCM and Fernet encryption and request rate limiting. It also applies an application-layer transit encryption, keyed per time bucket, so that secrets retrieved from the API are not exposed in cleartext to anyone able to intercept the connection (man-in-the-middle). Treat this as a layer on top of, not a replacement for, TLS between client and server.

Kick off

Recommendations

Install VaultAPI

python -m pip install vaultapi

Initiate - IDE

import vaultapi

if __name__ == '__main__':
    vaultapi.start()

Initiate - CLI

vaultapi start

Use vaultapi --help for usage instructions.

Environment Variables

Sourcing environment variables from an env file

By default, VaultAPI will look for a .env file in the current working directory.

Mandatory

  • APIKEY - API Key for authentication.

  • SECRET - Secret access key to encode/decode the secrets in Datastore.

Optional (with defaults)

  • TRANSIT_KEY_LENGTH - AES key length, in bytes, for transit encryption. Defaults to 32 (AES-256)

  • TRANSIT_TIME_BUCKET - Interval for which the transit epoch, and with it the derived transit key, remains constant. Defaults to 60

  • DATABASE - FilePath to store the secrets’ database. Defaults to secrets.db

  • HOST - Hostname for the API server. Defaults to 0.0.0.0 [OR] localhost. Binding to 0.0.0.0 listens on every interface, so set HOST explicitly when the server should only be reachable locally.

  • PORT - Port number for the API server. Defaults to 9010

  • WORKERS - Number of workers for the uvicorn server. Defaults to 1

  • RATE_LIMIT - List of dictionaries with max_requests and seconds to apply as rate limit. Defaults to 5req/2s [AND] 10req/30s
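
The RATE_LIMIT rules are cumulative: a request is accepted only if every window still has headroom, so the default 5req/2s [AND] 10req/30s stops both a short burst and a slower sustained stream. The following sliding-window limiter is an added example written for this page, not VaultAPI's own implementation; it takes rules in the documented {"max_requests", "seconds"} shape, and the clock is injected so the constructed timelines below replay offline.

```python
"""Sliding-window rate limiter enforcing several windows at once.

Added example (not VaultAPI's own code). It models the documented RATE_LIMIT
semantics: a list of {"max_requests": N, "seconds": S} rules, all of which
must hold for a request to be accepted. The clock is injected so constructed
request timelines can be replayed offline.
"""
from collections import deque
from typing import Callable, Deque, Dict, List

# Mirrors the documented default: 5 req / 2 s AND 10 req / 30 s.
DEFAULT_RATE_LIMIT: List[Dict[str, int]] = [
    {"max_requests": 5, "seconds": 2},
    {"max_requests": 10, "seconds": 30},
]


class RateLimiter:
    """Per-client limiter keeping one queue of accepted-request timestamps per client."""

    def __init__(self, rules: List[Dict[str, int]], clock: Callable[[], float]):
        if not rules:
            raise ValueError("at least one rate-limit rule is required")
        self.rules = rules
        self.clock = clock
        # The longest window decides how much history must be retained.
        self.retain = max(rule["seconds"] for rule in rules)
        self.history: Dict[str, Deque[float]] = {}

    def allow(self, client_id: str) -> bool:
        """Return True and record the request if every rule still permits it."""
        now = self.clock()
        hist = self.history.setdefault(client_id, deque())
        # Drop timestamps that fell out of the longest window.
        while hist and now - hist[0] >= self.retain:
            hist.popleft()
        for rule in self.rules:
            window_start = now - rule["seconds"]
            recent = sum(1 for t in hist if t > window_start)
            if recent >= rule["max_requests"]:
                return False  # rejected requests are not counted against the client
        hist.append(now)
        return True


def simulate(timestamps: List[float], rules=DEFAULT_RATE_LIMIT) -> List[bool]:
    """Replay a constructed request timeline (seconds) for one client; returns verdicts."""
    current = {"t": 0.0}
    limiter = RateLimiter(rules, clock=lambda: current["t"])
    verdicts = []
    for t in timestamps:
        current["t"] = t
        verdicts.append(limiter.allow("client-a"))
    return verdicts


if __name__ == "__main__":
    # Burst: six requests inside half a second; the 2 s window rejects the sixth.
    print(simulate([0.0, 0.1, 0.2, 0.3, 0.4, 0.5]))
    # Slow stream: one request every 0.5 s never trips the 2 s window,
    # but the 30 s window rejects the eleventh request.
    print(simulate([i * 0.5 for i in range(11)]))
```

Two constructed timelines are replayed in the `__main__` block: a burst that the short window catches, and a paced stream that only the longer window catches. Rejected requests are deliberately not recorded, so a client that keeps hammering a 429 does not push its own reset time further out; whether that matches VaultAPI's server-side behaviour is not stated on this page.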

Optional (without defaults)

  • LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.

  • ALLOWED_ORIGINS - List of origins that should be allowed through CORS.

Optional (UI integration)

  • ENABLE_UI - Boolean flag to enable the UI. Defaults to false

  • AUTH_DATABASE - FilePath to store the UI authentication database. Defaults to auth.db

  • TOTP_TOKEN - Shared secret for TOTP authentication in the UI. Enroll the same secret in any authenticator app (Google Authenticator, Authy, etc.) to generate the one-time codes.

  • UI_LIFETIME - Time in seconds for which the UI session should remain active. Defaults to 900 (15 minutes)

Auto generate a SECRET value

This value will be used to encrypt/decrypt the secrets stored in the database.

CLI

vaultapi keygen

IDE

from cryptography.fernet import Fernet
# .decode() drops the b'...' wrapper so the key can be pasted straight into SECRET
print(Fernet.generate_key().decode())

API Functionality

| Endpoint | Description | API method |
|----------|-------------|------------|
| /health | API health endpoint | GET |
| /get-secret | Retrieve secrets (comma separated list) | GET |
| /get-table | Get ALL the secrets stored in a table | GET |
| /list-tables | List all available tables | GET |
| /put-secret | Store or update a secret (key-value pairs) | PUT |
| /delete-secret | Delete a specific secret | DELETE |
| /create-table | Create a new table | POST |
| /delete-table | Delete an existing table | DELETE |

Clients

Clients are available in multiple languages to interact with the API server.

Python: VaultAPI-Client-python

Rust: VaultAPI-Client-rust

Check out the decryptors for on-demand scripts to decrypt the secrets retrieved from the API.
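
The transit layer described at the top of this page and the decryptor scripts above share one idea: both sides derive the same AES-GCM key from a shared secret and a transit epoch that only changes every TRANSIT_TIME_BUCKET interval, so a client must decrypt within the bucket in which the server encrypted. The script below is an added example, not VaultAPI's own transit code or one of its decryptors. It assumes that the key is derived by HMAC-SHA256 over the epoch under the shared SECRET and truncated to TRANSIT_KEY_LENGTH bytes, that the bucket is measured in seconds, that the nonce is prefixed to the ciphertext and that the payload is JSON; all of these are illustrative choices, and the real server's framing and derivation may differ, so use the project's decryptors against a live instance.

```python
"""Time-bucketed AES-GCM transit encryption: added illustration, not VaultAPI's code.

Models the two documented knobs, TRANSIT_KEY_LENGTH (AES key size, bytes) and
TRANSIT_TIME_BUCKET (interval, assumed seconds, for which the transit epoch is
constant). The derivation and wire framing are assumptions made for this example.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

TRANSIT_KEY_LENGTH = 32   # bytes, i.e. AES-256 (documented default)
TRANSIT_TIME_BUCKET = 60  # documented default; assumed to be seconds here
NONCE_LEN = 12            # 96-bit nonce, the standard AES-GCM size


def transit_epoch(now: float, bucket: int = TRANSIT_TIME_BUCKET) -> int:
    """Epoch counter that only advances once per bucket."""
    return int(now) // bucket


def transit_key(secret: bytes, epoch: int, length: int = TRANSIT_KEY_LENGTH) -> bytes:
    """Assumed derivation: HMAC-SHA256(secret, epoch) truncated to the AES key size."""
    if length not in (16, 24, 32):
        raise ValueError("AES key length must be 16, 24 or 32 bytes")
    return hmac.new(secret, str(epoch).encode(), hashlib.sha256).digest()[:length]


def encrypt_payload(secret: bytes, now: float, payload: dict) -> bytes:
    """Server side: fresh random nonce per message, nonce || ciphertext+tag on the wire."""
    key = transit_key(secret, transit_epoch(now))
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, json.dumps(payload).encode(), None)


def decrypt_payload(secret: bytes, now: float, blob: bytes) -> dict:
    """Client/decryptor side: re-derive the key for the current epoch, then authenticate."""
    key = transit_key(secret, transit_epoch(now))
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return json.loads(AESGCM(key).decrypt(nonce, ciphertext, None))


def roundtrip_ok(secret: bytes, send_at: float, receive_at: float,
                 receiver_secret: Optional[bytes] = None) -> bool:
    """True if a payload encrypted at send_at decrypts at receive_at.

    A wrong secret or a bucket rollover between the two times yields InvalidTag,
    because GCM authenticates the ciphertext under the (now different) key.
    """
    sample = {"DB_PASSWORD": "constructed-sample-value"}  # constructed payload
    blob = encrypt_payload(secret, send_at, sample)
    try:
        got = decrypt_payload(receiver_secret or secret, receive_at, blob)
    except InvalidTag:
        return False
    return got == sample


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed; never hard-code a real SECRET
    print(roundtrip_ok(SECRET, 1000.0, 1019.0))   # same 60 s bucket -> decrypts
    print(roundtrip_ok(SECRET, 1000.0, 1020.0))   # bucket rolled over -> rejected
    print(roundtrip_ok(SECRET, 1000.0, 1000.0, receiver_secret=b"wrong"))  # rejected
```

The rollover case is the one to watch operationally: a client whose clock sits on the other side of a bucket boundary from the server fails to decrypt even with the correct SECRET, so keep clocks synchronised and size TRANSIT_TIME_BUCKET to cover realistic request latency.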

Coding Standards

Docstring format: Google
Styling conventions: PEP 8 and isort

Release Notes

Requirement

python -m pip install gitverse

Usage

gitverse-release reverse -f release_notes.rst -t 'Release Notes'

Linting

pre-commit will run linting and pytest, generate the runbook and release notes, and validate hyperlinks in ALL markdown files (including Wiki pages)

Requirement

python -m pip install sphinx==5.1.1 pre-commit recommonmark

Usage

pre-commit run --all-files

Pypi Package


https://pypi.org/project/VaultAPI/

Docker Image


https://hub.docker.com/r/thevickypedia/vaultapi

Runbook


https://thevickypedia.github.io/VaultAPI/