# Nautobot Secrets Providers
Nautobot Secrets Providers is a plugin for [Nautobot](https://github.com/nautobot/nautobot) 1.2.0 or higher that bundles Secrets Providers for integrating with popular secrets backends. Nautobot 1.2.0 added support for integrating with retrieving secrets from various secrets providers.
This plugin publishes secrets providers that are not included in the within the Nautobot core software package so that it will be easier to maintain and extend support for various secrets providers without waiting on Nautobot software releases.
With Nautobot version 1.4.0 and above a new **Check** Tab is introduced on Nautobot Secret detail page.
It allows to check if the secret could be accessed with data defined.
The screenshots shows how the message looks like for a secret that is accessible and inaccessible.
![Screenshot of Secret-Check-tab with accessible secret-provider](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/secret_check_success_message.png "Secret-Check-tab with accessible secret-provider")
![Screenshot of Secret-Check-tab with inaccessible secret-provider](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/secret_check_failed_message.png "Secret-Check-tab with accessible secret-provider")
## Supported Secrets Backends
This plugin supports the following popular secrets backends:
| Secrets Backend | Supported Secret Types | Supported Authentication Methods |
| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) | [Other: Key/value pairs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below) |
| [HashiCorp Vault](https://www.vaultproject.io) | [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) | [Token](https://www.vaultproject.io/docs/auth/token)<br/>[AppRole](https://www.vaultproject.io/docs/auth/approle)<br/>[AWS](https://www.vaultproject.io/docs/auth/aws)<br/>[Kubernetes](https://www.vaultproject.io/docs/auth/kubernetes) |
| [Delinea/Thycotic Secret Server](https://delinea.com/products/secret-server) | [Secret Server Cloud](https://github.com/DelineaXPM/python-tss-sdk#secret-server-cloud)<br/>[Secret Server (on-prem)](https://github.com/DelineaXPM/python-tss-sdk#initializing-secretserver)| [Access Token Authorization](https://github.com/DelineaXPM/python-tss-sdk#access-token-authorization)<br/>[Domain Authorization](https://github.com/DelineaXPM/python-tss-sdk#domain-authorization)<br/>[Password Authorization](https://github.com/DelineaXPM/python-tss-sdk#password-authorization)<br/> |
## Screenshots
![Screenshot of installed plugins](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot01.png "Plugin landing page")
---
![Screenshot of plugin home page](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot02.png "Plugin Home page")
---
![Screenshot of secret using AWS Secrets Manager](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot03.png "Secret using AWS Secrets Manager")
---
![Screenshot of secret using HashiCorp Vault](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot04.png "Secret using HashiCorp Vault")
---
![Screenshot of secret using Delinea/Thycotic Secret Server by ID](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot05.png "Secret using Thycotic Secret Server by ID")
---
![Screenshot of secret using Delinea/Thycotic Secret Server by Path](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot06.png "Secret using Thycotic Secret Server by Path")
## Installation
> Nautobot Secrets Providers is compatible with Nautobot 1.2.0 and higher. Support for Thycotic Secret Server requires Python 3.7 or later.
The package is available as a Python package in PyPI and can be installed with `pip`:
```no-highlight
pip install nautobot-secrets-providers
```
You may quickly install all of the dependent libraries using the following command, however, this is *not recommended for production deployments* as it will install extras that you may not need:
```no-highlight
pip install nautobot-secrets-providers[all]
```
### Dependencies
For this plugin to operate you must install at least one of the dependent libraries required by the secrets providers.
**You must install the dependencies for at least one of the supported secrets providers or a `RuntimeError` will be raised.**
#### AWS Secrets Manager, AWS System Manager Parameter Store
The AWS Secrets Manager and Parameter Store providers require the `boto3` library. This can be easily installed along with the plugin using the following command:
```no-highlight
pip install nautobot-secrets-providers[aws]
```
#### HashiCorp Vault
The HashiCorp Vault provider requires the `hvac` library. This can easily be installed along with the plugin using the following command:
```no-highlight
pip install nautobot-secrets-providers[hashicorp]
```
#### Delinea/Thycotic Secret Server
The Delinea/Thycotic Secret Server provider requires the `python-tss-sdk` library. This can easily be installed along with the plugin using the following command:
```no-highlight
pip install nautobot-secrets-providers[thycotic]
```
### Enabling Secrets Providers
To ensure Nautobot Secrets Providers is automatically re-installed during future upgrades, create a file named `local_requirements.txt` (if not already existing) in the Nautobot root directory (alongside `requirements.txt`) and list the `secrets` package:
```no-highlight
echo nautobot-secrets-providers >> local_requirements.txt
```
Once installed, the plugin needs to be enabled in your `nautobot_config.py`:
```python
# In your nautobot_config.py
PLUGINS = ["nautobot_secrets_providers"]
# PLUGINS_CONFIG = {
# "nautobot_secrets_providers": {
# See below for how to configure Nautobot for each secrets provider!
# }
# }
```
## Usage
Before you proceed, you must have **at least one** of the dependent libaries installed as detailed above.
Please do not enable this plugin until you are able to install the dependencies, as it will block Nautobot from starting.
### AWS Secrets Manager, AWS System Manager Parameter Store
#### Authentication
No configuration is needed within Nautobot for this provider to operate. Instead you must provide [AWS credentials in one of the methods supported by the `boto3` library](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials).
Boto3 credentials can be configured in multiple ways (eight as of this writing) that are mirrored here:
1. Passing credentials as parameters in the `boto.client()` method
2. Passing credentials as parameters when creating a Session object
3. Environment variables
4. Shared credential file (`~/.aws/credentials`)
5. AWS config file (`~/.aws/config`)
6. Assume Role provider
7. Boto2 config file (`/etc/boto.cfg` and `~/.boto`)
8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.
**The AWS Secrets Manager provider only supports methods 3-8. Methods 1 and 2 ARE NOT SUPPORTED at this time.**
We highly recommend you defer to using environment variables for your deployment as specified in the credentials documentation linked above. The values specified in the linked documentation should be [set within your `~.bashrc`](https://nautobot.readthedocs.io/en/latest/installation/nautobot/#update-the-nautobot-bashrc) (or similar profile) on your system.
#### Configuration
This is an example based on our recommended deployment pattern in the section above (item 3) that is using [environment variables](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#environment-variables). You will need to set these in the environment prior to starting Nautobot:
```no-highlight
export AWS_ACCESS_KEY_ID=foo # The access key for your AWS account.
export AWS_SECRET_ACCESS_KEY=bar # The secret key for your AWS account.
```
Please refer to the [Nautobot documentation on updating your `.bashrc`](https://nautobot.readthedocs.io/en/latest/installation/nautobot/#update-the-nautobot-bashrc) for how to do this for production Nautobot deployments.
### HashiCorp Vault
#### Configuration
You must provide a mapping in `PLUGINS_CONFIG` within your `nautobot_config.py`, for example:
```python
PLUGINS_CONFIG = {
"nautobot_secrets_providers": {
"hashicorp_vault": {
"url": "http://localhost:8200",
"auth_method": "token",
"token": os.getenv("NAUTOBOT_HASHICORP_VAULT_TOKEN"),
}
},
}
```
- `url` - (required) The URL to the HashiCorp Vault instance (e.g. `http://localhost:8200`).
- `auth_method` - (optional / defaults to "token") The method used to authenticate against the HashiCorp Vault instance. Either `"approle"`, `"aws"`, `"kubernetes"` or `"token"`. For information on using AWS authentication with vault see the [authentication](#authentication) section above.
- `ca_cert` - (optional) Path to a PEM formatted CA certificate to use when verifying the Vault connection. Can alternatively be set to `False` to ignore SSL verification (not recommended) or `True` to use the system certificates.
- `default_mount_point` - (optional / defaults to "secret") The default mount point of the K/V Version 2 secrets engine within Hashicorp Vault.
- `k8s_token_path` - (optional) Path to the kubernetes service account token file. Defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token".
- `token` - (optional) Required when `"auth_method": "token"` or `auth_method` is not supplied. The token for authenticating the client with the HashiCorp Vault instance. As with other sensitive service credentials, we recommend that you provide the token value as an environment variable and retrieve it with `{"token": os.getenv("NAUTOBOT_HASHICORP_VAULT_TOKEN")}` rather than hard-coding it in your `nautobot_config.py`.
- `role_name` - (optional) Required when `"auth_method": "kubernetes"`, optional when `"auth_method": "aws"`. The Vault Kubernetes role or Vault AWS role to assume which the pod's service account has access to.
- `role_id` - (optional) Required when `"auth_method": "approle"`. As with other sensitive service credentials, we recommend that you provide the role_id value as an environment variable and retrieve it with `{"role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID")}` rather than hard-coding it in your `nautobot_config.py`.
- `secret_id` - (optional) Required when `"auth_method": "approle"`.As with other sensitive service credentials, we recommend that you provide the secret_id value as an environment variable and retrieve it with `{"secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID")}` rather than hard-coding it in your `nautobot_config.py`.
- `login_kwargs` - (optional) Additional optional parameters to pass to the login method for [`approle`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.AppRole.login), [`aws`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Aws.iam_login) and [`kubernetes`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Kubernetes.login) authentication methods.
### Delinea/Thycotic Secret Server (TSS)
The Delinea/Thycotic Secret Server plugin includes two providers:
- **`Thycotic Secret Server by ID`**
This provider uses the `Secret ID` to specifiy the secret that is selected. The `Secret ID` is displayed in the browser's URL field if you `Edit` the data in Thycotic Secret Server.
- Example:
The url is: _https://pw.example.local/SecretServer/app/#/secret/**1234**/general_
In this example the value for `Secret ID` is **1234**.
- **`Thycotic Secret Server by Path`**
This provider allows to select the secret by folder-path and secret-name. The path delimiter is a '\\'.
The `Secret path` is displayed as page header when `Edit` a secret.
- Example:
The header is: **NET-Automation > Nautobot > My-Secret**
In this example the value for `Secret path` is **`\NET-Automation\Nautobot\My-Secret`**.
#### Configuration
```python
PLUGINS_CONFIG = {
"nautobot_secrets_providers": {
"thycotic": { # https://github.com/thycotic/python-tss-sdk
"base_url": os.getenv("SECRET_SERVER_BASE_URL", None),
"ca_bundle_path": os.getenv("REQUESTS_CA_BUNDLE", None),
"cloud_based": is_truthy(os.getenv("SECRET_SERVER_IS_CLOUD_BASED", "False")),
"domain": os.getenv("SECRET_SERVER_DOMAIN", None),
"password": os.getenv("SECRET_SERVER_PASSWORD", None),
"tenant": os.getenv("SECRET_SERVER_TENANT", None),
"token": os.getenv("SECRET_SERVER_TOKEN", None),
"username": os.getenv("SECRET_SERVER_USERNAME", None),
},
}
}
```
- `base_url` - (required) The Secret Server base_url. _e.g.'https://pw.example.local/SecretServer'_
- `ca_bundle_path` - (optional) When using self-signed certificates this variable must be set to a file containing the trusted certificates (in .pem format). _e.g. '/etc/ssl/certs/ca-bundle.trust.crt'_.
- `cloud_based` - (optional) Set to "True" if Secret Server Cloud should be used. (Default: "False").
- `domain` - (optional) Required for 'Domain Authorization'
- `password` - (optional) Required for 'Secret Server Cloud', 'Password Authorization', 'Domain Authorization'.
- `tenant` - (optional) Required for 'Domain Authorization'.
- `token` - (optional) Required for 'Access Token Authorization'.
- `username` - (optional) Required for 'Secret Server Cloud', 'Password Authorization', 'Domain Authorization'.
## Contributing
Pull requests are welcomed and automatically built and tested against multiple version of Python and multiple version of Nautobot through GitHub Actions.
The project is packaged with a light development environment based on `docker-compose` to help with the local development of the project and to run the tests within GitHub Actions.
The project is following Network to Code software development guidelines and is leveraging:
- Black, Pylint, Bandit and pydocstyle for Python linting and formatting.
- Django unit test to ensure the plugin is working properly.
### Development Environment
The development environment can be used in 2 ways. First, with a local poetry environment if you wish to develop outside of Docker with the caveat of using external services provided by Docker for PostgreSQL and Redis. Second, all services are spun up using Docker and a local mount so you can develop locally, but Nautobot is spun up within the Docker container.
Below is a quick start guide if you're already familiar with the development environment provided, but if you're not familiar, please read the [Getting Started Guide](GETTING_STARTED.md).
#### Invoke
The [PyInvoke](http://www.pyinvoke.org/) library is used to provide some helper commands based on the environment. There are a few configuration parameters which can be passed to PyInvoke to override the default configuration:
* `nautobot_ver`: the version of Nautobot to use as a base for any built docker containers (default: 1.2.0)
* `project_name`: the default docker compose project name (default: nautobot_secrets_providers)
* `python_ver`: the version of Python to use as a base for any built docker containers (default: 3.7)
* `local`: a boolean flag indicating if invoke tasks should be run on the host or inside the docker containers (default: False, commands will be run in docker containers)
* `compose_dir`: the full path to a directory containing the project compose files
* `compose_files`: a list of compose files applied in order (see [Multiple Compose files](https://docs.docker.com/compose/extends/#multiple-compose-files) for more information)
Using **PyInvoke** these configuration options can be overridden using [several methods](http://docs.pyinvoke.org/en/stable/concepts/configuration.html). Perhaps the simplest is simply setting an environment variable `INVOKE_NAUTOBOT_SECRETS_PROVIDERS_VARIABLE_NAME` where `VARIABLE_NAME` is the variable you are trying to override. The only exception is `compose_files`, because it is a list it must be overridden in a yaml file. There is an example `invoke.yml` (`invoke.example.yml`) in this directory which can be used as a starting point.
#### Local Poetry Development Environment
1. Copy `development/creds.example.env` to `development/creds.env` (This file will be ignored by Git and Docker)
2. Uncomment the `POSTGRES_HOST`, `REDIS_HOST`, and `NAUTOBOT_ROOT` variables in `development/creds.env`
3. Create an `invoke.yml` file with the following contents at the root of the repo (you can also `cp invoke.example.yml invoke.yml` and edit as necessary):
```yaml
---
nautobot_secrets_providers:
local: true
compose_files:
- "docker-compose.requirements.yml"
```
3. Run the following commands:
```shell
poetry shell
poetry install --extras nautobot
export $(cat development/dev.env | xargs)
export $(cat development/creds.env | xargs)
invoke start && sleep 5
nautobot-server migrate
```
> If you want to develop on the latest develop branch of Nautobot, run the following command: `poetry add --optional git+https://github.com/nautobot/nautobot@develop`. After the `@` symbol must match either a branch or a tag.
4. You can now run nautobot-server commands as you would from the [Nautobot documentation](https://nautobot.readthedocs.io/en/latest/) for example to start the development server:
```shell
nautobot-server runserver 0.0.0.0:8080 --insecure
```
Nautobot server can now be accessed at [http://localhost:8080](http://localhost:8080).
It is typically recommended to launch the Nautobot **runserver** command in a separate shell so you can keep developing and manage the webserver separately.
#### Docker Development Environment
This project is managed by [Python Poetry](https://python-poetry.org/) and has a few requirements to setup your development environment:
1. Install Poetry, see the [Poetry Documentation](https://python-poetry.org/docs/#installation) for your operating system.
2. Install Docker, see the [Docker documentation](https://docs.docker.com/get-docker/) for your operating system.
Once you have Poetry and Docker installed you can run the following commands to install all other development dependencies in an isolated python virtual environment:
```shell
poetry shell
poetry install
invoke start
```
Nautobot server can now be accessed at [http://localhost:8080](http://localhost:8080).
To either stop or destroy the development environment use the following options.
- **invoke stop** - Stop the containers, but keep all underlying systems intact
- **invoke destroy** - Stop and remove all containers, volumes, etc. (This results in data loss due to the volume being deleted)
### CLI Helper Commands
The project is coming with a CLI helper based on [invoke](http://www.pyinvoke.org/) to help setup the development environment. The commands are listed below in 3 categories `dev environment`, `utility` and `testing`.
Each command can be executed with `invoke <command>`. Environment variables `INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER` and `INVOKE_NAUTOBOT_SECRETS_PROVIDERS_NAUTOBOT_VER` may be specified to override the default versions. Each command also has its own help `invoke <command> --help`
#### Docker dev environment
```no-highlight
build Build all docker images.
debug Start Nautobot and its dependencies in debug mode.
destroy Destroy all containers and volumes.
restart Restart Nautobot and its dependencies.
start Start Nautobot and its dependencies in detached mode.
stop Stop Nautobot and its dependencies.
```
#### Utility
```no-highlight
cli Launch a bash shell inside the running Nautobot container.
create-user Create a new user in django (default: admin), will prompt for password.
makemigrations Run Make Migration in Django.
nbshell Launch a nbshell session.
```
#### Testing
```no-highlight
bandit Run bandit to validate basic static code security analysis.
black Run black to check that Python files adhere to its style standards.
flake8 This will run flake8 for the specified name and Python version.
pydocstyle Run pydocstyle to validate docstring formatting adheres to NTC defined standards.
pylint Run pylint code analysis.
tests Run all tests for this plugin.
unittest Run Django unit tests for the plugin.
```
### Project Documentation
Project documentation is generated by [mkdocs](https://www.mkdocs.org/) from the documentation located in the docs folder. You can configure [readthedocs.io](https://readthedocs.io/) to point at this folder in your repo. For development purposes a `docker-compose.docs.yml` is also included. A container hosting the docs will be started using the invoke commands on [http://localhost:8001](http://localhost:8001), as changes are saved the docs will be automatically reloaded.
### Developing Against Secrets Backends
#### AWS Secrets Manager
This assumes you are logged into the AWS Console.
- Navigate to AWS Console
- Navigate to AWS Secrets Manager
- Click "Store a new secret"
- Select “Other type of secrets”
- Use Secret key/value
- Enter `hello=world`
- Use "DefaultEncryptionKey" for now
- Click "Next"
- Under "Secret name" fill out `hello`
- Click "Next"
- Under "Configure automatic rotation"
- Leave it as "Disable automatic rotation"
- On "Store a new secret"
- Copy the sample code (see below)
- Click "Store"
- END
##### Install the AWS CLI
Next, install the [AWS CLI](https://aws.amazon.com/cli/).
On MacOS, this can be done using `brew install awscli`:
```
brew install awscli
```
On Linux, you will need to run a `curl` command (This assumes x86. Please see the docs for [AWS CLI on
Linux](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html) for ARM and other options):
```
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
```
##### Configure the AWS CLI
After installing the AWS CLI, you will need to configure it for authentication.
You may use an existing AWS access key or create a new one. For these instructions we cover the need to create a new access key that can be used for this.
- Navigate to AWS Console
- Click your username
- Click "My security credentials"
- Click "create access key"
- Save your "Access key ID" and "Secret access key" for use when configuring the AWS CLI
Now configure the CLI:
- Run `aws configure`
- Enter your credentials from above
- Choose your region
- Use output format: `json`
Example:
```no-highlight
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-2
Default output format [None]: json
```
Now you are ready to use the sample code to retrieve your secret from AWS Secrets Manager!
##### Sample Code
Make sure that the `boto3` client is installed:
```no-highlight
poetry install --extras aws
```
Next, save this as `aws_secrets.py`:
```python
# Use this code snippet in your app.
# If you need more information about configurations or implementing the sample code, visit the AWS docs:
# https://aws.amazon.com/developers/getting-started/python/
import boto3
import base64
from botocore.exceptions import ClientError
def get_secret():
secret_name = "hello"
region_name = "us-east-2"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',
region_name=region_name
)
# In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
# See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
# We rethrow the exception by default.
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
except ClientError as e:
if e.response['Error']['Code'] == 'DecryptionFailureException':
# Secrets Manager can't decrypt the protected secret text using the provided KMS key.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InternalServiceErrorException':
# An error occurred on the server side.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidParameterException':
# You provided an invalid value for a parameter.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidRequestException':
# You provided a parameter value that is not valid for the current state of the resource.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'ResourceNotFoundException':
# We can't find the resource that you asked for.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
else:
# Decrypts secret using the associated KMS CMK.
# Depending on whether the secret is a string or binary, one of these fields will be populated.
if 'SecretString' in get_secret_value_response:
secret = get_secret_value_response['SecretString']
else:
decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])
# Your code goes here.
# ^ Above was generated by AWS.
# This was added by us so you can run this as a script:
if __name__ == "__main__":
secret = get_secret()
print(f"Secret = {secret}")
```
Run it with `python aws_secrets.py`:
```
$ python aws_secrets.py
Secret = {"hello":"world"}.
```
Note that this blob is JSON and will also need to be decoded if you want to extract the value.
#### HashiCorp Vault
Make sure that the `hvac` client is installed:
```no-highlight
poetry install --extras hashicorp
```
##### Start Services with Docker
```no-highlight
invoke start
```
##### Set an alias to work with `vault`
This will allow you to easily run the CLI command from within the container:
```no-highlight
alias vault="docker exec -it nautobot_secrets_providers_vault_1 vault"
```
Interact with the Vault vi CLI (via `docker exec` into the container from localhost):
```no-highlight
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.8.2
Storage Type inmem
Cluster Name vault-cluster-35c5d319
Cluster ID 2611f99c-a6de-a883-1fcc-bfffdc0217bc
HA Enabled false
```
##### Using the Python `hvac` Library
This establishes a client, creates a basic key/value secret (`hello=world`) at the path `hello`, and then retrieves the data from the `hello` key at the secret path `hello`.
> This is equivalent to the command `vault kv get -field hello secret/hello`.
```python
In [1]: import hvac
In [2]: client = hvac.Client(url="http://localhost:8200", token="nautobot")
In [3]: client.secrets.kv.create_or_update_secret(path="hello", secret=dict(hello="world"))
Out[3]:
{'request_id': 'c4709868-c08f-4cb1-ab8c-605c58b82f3f',
'lease_id': '',
'renewable': False,
'lease_duration': 0,
'data': {'created_time': '2021-09-16T23:21:07.5564132Z',
'deletion_time': '',
'destroyed': False,
'version': 2},
'wrap_info': None,
'warnings': None,
'auth': None}
In [4]: client.secrets.kv.read_secret(path="hello")["data"]["data"]["hello"]
Out[4]: 'world'
```
## Questions
For any questions or comments, please check the [FAQ](FAQ.md) first and feel free to swing by the [Network to Code Slack workspace](https://networktocode.slack.com/) (channel `#networktocode`).
Raw data
{
"_id": null,
"home_page": "https://github.com/nautobot/nautobot-plugin-secrets-providers",
"name": "check-nautobot-secrets-providers",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7,<4.0",
"maintainer_email": "",
"keywords": "nautobot,nautobot-plugin",
"author": "Network to Code, LLC",
"author_email": "opensource@networktocode.com",
"download_url": "https://files.pythonhosted.org/packages/bc/ee/b6a5fa0e7c5a26408053306db0ca13b783bb1e1ab5ada1faeb0e3e799b8c/check_nautobot_secrets_providers-1.4.1.tar.gz",
"platform": null,
"description": "# Nautobot Secrets Providers\n\nNautobot Secrets Providers is a plugin for [Nautobot](https://github.com/nautobot/nautobot) 1.2.0 or higher that bundles Secrets Providers for integrating with popular secrets backends. Nautobot 1.2.0 added support for integrating with retrieving secrets from various secrets providers.\n\nThis plugin publishes secrets providers that are not included in the within the Nautobot core software package so that it will be easier to maintain and extend support for various secrets providers without waiting on Nautobot software releases.\n\nWith Nautobot version 1.4.0 and above a new **Check** Tab is introduced on Nautobot Secret detail page.\nIt allows to check if the secret could be accessed with data defined.\n\nThe screenshots shows how the message looks like for a secret that is accessible and inaccessible.\n\n![Screenshot of Secret-Check-tab with accessible secret-provider](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/secret_check_success_message.png \"Secret-Check-tab with accessible secret-provider\")\n\n![Screenshot of Secret-Check-tab with inaccessible secret-provider](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/secret_check_failed_message.png \"Secret-Check-tab with accessible secret-provider\")\n\n\n## Supported Secrets Backends\n\nThis plugin supports the following popular secrets backends:\n\n| Secrets Backend | Supported Secret Types | Supported Authentication Methods |\n| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |\n| [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) | [Other: Key/value pairs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below) |\n| [HashiCorp Vault](https://www.vaultproject.io) | [K/V Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) | [Token](https://www.vaultproject.io/docs/auth/token)<br/>[AppRole](https://www.vaultproject.io/docs/auth/approle)<br/>[AWS](https://www.vaultproject.io/docs/auth/aws)<br/>[Kubernetes](https://www.vaultproject.io/docs/auth/kubernetes) |\n| [Delinea/Thycotic Secret Server](https://delinea.com/products/secret-server) | [Secret Server Cloud](https://github.com/DelineaXPM/python-tss-sdk#secret-server-cloud)<br/>[Secret Server (on-prem)](https://github.com/DelineaXPM/python-tss-sdk#initializing-secretserver)| [Access Token Authorization](https://github.com/DelineaXPM/python-tss-sdk#access-token-authorization)<br/>[Domain Authorization](https://github.com/DelineaXPM/python-tss-sdk#domain-authorization)<br/>[Password Authorization](https://github.com/DelineaXPM/python-tss-sdk#password-authorization)<br/> |\n\n## Screenshots\n\n![Screenshot of installed plugins](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot01.png \"Plugin landing page\")\n\n---\n\n![Screenshot of plugin home page](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot02.png \"Plugin Home page\")\n\n---\n\n![Screenshot of secret using AWS Secrets Manager](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot03.png \"Secret using AWS Secrets Manager\")\n\n---\n\n![Screenshot of secret using HashiCorp Vault](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot04.png \"Secret using HashiCorp Vault\")\n\n---\n\n![Screenshot of secret using Delinea/Thycotic Secret Server by ID](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot05.png \"Secret using Thycotic Secret Server by ID\")\n\n---\n\n![Screenshot of secret using Delinea/Thycotic Secret Server by Path](https://raw.githubusercontent.com/nautobot/nautobot-plugin-secrets-providers/develop/docs/images/screenshot06.png \"Secret using Thycotic Secret Server by Path\")\n\n## Installation\n\n> Nautobot Secrets Providers is compatible with Nautobot 1.2.0 and higher. Support for Thycotic Secret Server requires Python 3.7 or later.\n\nThe package is available as a Python package in PyPI and can be installed with `pip`:\n\n```no-highlight\npip install nautobot-secrets-providers\n```\n\nYou may quickly install all of the dependent libraries using the following command, however, this is *not recommended for production deployments* as it will install extras that you may not need:\n\n```no-highlight\npip install nautobot-secrets-providers[all]\n```\n\n### Dependencies\n\nFor this plugin to operate you must install at least one of the dependent libraries required by the secrets providers.\n\n**You must install the dependencies for at least one of the supported secrets providers or a `RuntimeError` will be raised.**\n\n#### AWS Secrets Manager, AWS System Manager Parameter Store\n\nThe AWS Secrets Manager and Parameter Store providers require the `boto3` library. This can be easily installed along with the plugin using the following command:\n\n```no-highlight\npip install nautobot-secrets-providers[aws]\n```\n\n#### HashiCorp Vault\n\nThe HashiCorp Vault provider requires the `hvac` library. This can easily be installed along with the plugin using the following command:\n\n```no-highlight\npip install nautobot-secrets-providers[hashicorp]\n```\n\n#### Delinea/Thycotic Secret Server\n\nThe Delinea/Thycotic Secret Server provider requires the `python-tss-sdk` library. This can easily be installed along with the plugin using the following command:\n\n```no-highlight\npip install nautobot-secrets-providers[thycotic]\n```\n\n### Enabling Secrets Providers\n\nTo ensure Nautobot Secrets Providers is automatically re-installed during future upgrades, create a file named `local_requirements.txt` (if not already existing) in the Nautobot root directory (alongside `requirements.txt`) and list the `secrets` package:\n\n```no-highlight\necho nautobot-secrets-providers >> local_requirements.txt\n```\n\nOnce installed, the plugin needs to be enabled in your `nautobot_config.py`:\n\n```python\n# In your nautobot_config.py\nPLUGINS = [\"nautobot_secrets_providers\"]\n\n# PLUGINS_CONFIG = {\n# \"nautobot_secrets_providers\": {\n# See below for how to configure Nautobot for each secrets provider!\n# }\n# }\n```\n\n## Usage\n\nBefore you proceed, you must have **at least one** of the dependent libaries installed as detailed above.\n\nPlease do not enable this plugin until you are able to install the dependencies, as it will block Nautobot from starting.\n\n### AWS Secrets Manager, AWS System Manager Parameter Store\n\n#### Authentication\n\nNo configuration is needed within Nautobot for this provider to operate. Instead you must provide [AWS credentials in one of the methods supported by the `boto3` library](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials).\n\nBoto3 credentials can be configured in multiple ways (eight as of this writing) that are mirrored here:\n\n1. Passing credentials as parameters in the `boto.client()` method\n2. Passing credentials as parameters when creating a Session object\n3. Environment variables\n4. Shared credential file (`~/.aws/credentials`)\n5. AWS config file (`~/.aws/config`)\n6. Assume Role provider\n7. Boto2 config file (`/etc/boto.cfg` and `~/.boto`)\n8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.\n\n**The AWS Secrets Manager provider only supports methods 3-8. Methods 1 and 2 ARE NOT SUPPORTED at this time.**\n\nWe highly recommend you defer to using environment variables for your deployment as specified in the credentials documentation linked above. The values specified in the linked documentation should be [set within your `~.bashrc`](https://nautobot.readthedocs.io/en/latest/installation/nautobot/#update-the-nautobot-bashrc) (or similar profile) on your system.\n\n#### Configuration\n\nThis is an example based on our recommended deployment pattern in the section above (item 3) that is using [environment variables](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#environment-variables). You will need to set these in the environment prior to starting Nautobot:\n\n```no-highlight\nexport AWS_ACCESS_KEY_ID=foo # The access key for your AWS account.\nexport AWS_SECRET_ACCESS_KEY=bar # The secret key for your AWS account.\n```\n\nPlease refer to the [Nautobot documentation on updating your `.bashrc`](https://nautobot.readthedocs.io/en/latest/installation/nautobot/#update-the-nautobot-bashrc) for how to do this for production Nautobot deployments.\n\n### HashiCorp Vault\n\n#### Configuration\n\nYou must provide a mapping in `PLUGINS_CONFIG` within your `nautobot_config.py`, for example:\n\n```python\nPLUGINS_CONFIG = {\n \"nautobot_secrets_providers\": {\n \"hashicorp_vault\": {\n \"url\": \"http://localhost:8200\",\n \"auth_method\": \"token\",\n \"token\": os.getenv(\"NAUTOBOT_HASHICORP_VAULT_TOKEN\"),\n }\n },\n}\n```\n\n- `url` - (required) The URL to the HashiCorp Vault instance (e.g. `http://localhost:8200`).\n- `auth_method` - (optional / defaults to \"token\") The method used to authenticate against the HashiCorp Vault instance. Either `\"approle\"`, `\"aws\"`, `\"kubernetes\"` or `\"token\"`. For information on using AWS authentication with vault see the [authentication](#authentication) section above.\n- `ca_cert` - (optional) Path to a PEM formatted CA certificate to use when verifying the Vault connection. Can alternatively be set to `False` to ignore SSL verification (not recommended) or `True` to use the system certificates.\n- `default_mount_point` - (optional / defaults to \"secret\") The default mount point of the K/V Version 2 secrets engine within Hashicorp Vault.\n- `k8s_token_path` - (optional) Path to the kubernetes service account token file. Defaults to \"/var/run/secrets/kubernetes.io/serviceaccount/token\".\n- `token` - (optional) Required when `\"auth_method\": \"token\"` or `auth_method` is not supplied. The token for authenticating the client with the HashiCorp Vault instance. As with other sensitive service credentials, we recommend that you provide the token value as an environment variable and retrieve it with `{\"token\": os.getenv(\"NAUTOBOT_HASHICORP_VAULT_TOKEN\")}` rather than hard-coding it in your `nautobot_config.py`.\n- `role_name` - (optional) Required when `\"auth_method\": \"kubernetes\"`, optional when `\"auth_method\": \"aws\"`. The Vault Kubernetes role or Vault AWS role to assume which the pod's service account has access to.\n- `role_id` - (optional) Required when `\"auth_method\": \"approle\"`. As with other sensitive service credentials, we recommend that you provide the role_id value as an environment variable and retrieve it with `{\"role_id\": os.getenv(\"NAUTOBOT_HASHICORP_VAULT_ROLE_ID\")}` rather than hard-coding it in your `nautobot_config.py`.\n- `secret_id` - (optional) Required when `\"auth_method\": \"approle\"`.As with other sensitive service credentials, we recommend that you provide the secret_id value as an environment variable and retrieve it with `{\"secret_id\": os.getenv(\"NAUTOBOT_HASHICORP_VAULT_SECRET_ID\")}` rather than hard-coding it in your `nautobot_config.py`.\n- `login_kwargs` - (optional) Additional optional parameters to pass to the login method for [`approle`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.AppRole.login), [`aws`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Aws.iam_login) and [`kubernetes`](https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html#hvac.api.auth_methods.Kubernetes.login) authentication methods.\n\n### Delinea/Thycotic Secret Server (TSS)\n\nThe Delinea/Thycotic Secret Server plugin includes two providers:\n\n- **`Thycotic Secret Server by ID`**\n\n This provider uses the `Secret ID` to specifiy the secret that is selected. The `Secret ID` is displayed in the browser's URL field if you `Edit` the data in Thycotic Secret Server.\n\n - Example:\n\n The url is: _https://pw.example.local/SecretServer/app/#/secret/**1234**/general_\n\n In this example the value for `Secret ID` is **1234**.\n\n- **`Thycotic Secret Server by Path`**\n\n This provider allows to select the secret by folder-path and secret-name. The path delimiter is a '\\\\'.\n\n The `Secret path` is displayed as page header when `Edit` a secret.\n\n - Example:\n\n The header is: **NET-Automation > Nautobot > My-Secret**\n\n In this example the value for `Secret path` is **`\\NET-Automation\\Nautobot\\My-Secret`**.\n\n#### Configuration\n\n```python\nPLUGINS_CONFIG = {\n \"nautobot_secrets_providers\": {\n \"thycotic\": { # https://github.com/thycotic/python-tss-sdk\n \"base_url\": os.getenv(\"SECRET_SERVER_BASE_URL\", None),\n \"ca_bundle_path\": os.getenv(\"REQUESTS_CA_BUNDLE\", None),\n \"cloud_based\": is_truthy(os.getenv(\"SECRET_SERVER_IS_CLOUD_BASED\", \"False\")),\n \"domain\": os.getenv(\"SECRET_SERVER_DOMAIN\", None),\n \"password\": os.getenv(\"SECRET_SERVER_PASSWORD\", None),\n \"tenant\": os.getenv(\"SECRET_SERVER_TENANT\", None),\n \"token\": os.getenv(\"SECRET_SERVER_TOKEN\", None),\n \"username\": os.getenv(\"SECRET_SERVER_USERNAME\", None),\n },\n }\n}\n```\n- `base_url` - (required) The Secret Server base_url. _e.g.'https://pw.example.local/SecretServer'_\n- `ca_bundle_path` - (optional) When using self-signed certificates this variable must be set to a file containing the trusted certificates (in .pem format). _e.g. '/etc/ssl/certs/ca-bundle.trust.crt'_.\n- `cloud_based` - (optional) Set to \"True\" if Secret Server Cloud should be used. (Default: \"False\").\n- `domain` - (optional) Required for 'Domain Authorization'\n- `password` - (optional) Required for 'Secret Server Cloud', 'Password Authorization', 'Domain Authorization'.\n- `tenant` - (optional) Required for 'Domain Authorization'.\n- `token` - (optional) Required for 'Access Token Authorization'.\n- `username` - (optional) Required for 'Secret Server Cloud', 'Password Authorization', 'Domain Authorization'.\n\n## Contributing\n\nPull requests are welcomed and automatically built and tested against multiple version of Python and multiple version of Nautobot through GitHub Actions.\n\nThe project is packaged with a light development environment based on `docker-compose` to help with the local development of the project and to run the tests within GitHub Actions.\n\nThe project is following Network to Code software development guidelines and is leveraging:\n\n- Black, Pylint, Bandit and pydocstyle for Python linting and formatting.\n- Django unit test to ensure the plugin is working properly.\n\n### Development Environment\n\nThe development environment can be used in 2 ways. First, with a local poetry environment if you wish to develop outside of Docker with the caveat of using external services provided by Docker for PostgreSQL and Redis. Second, all services are spun up using Docker and a local mount so you can develop locally, but Nautobot is spun up within the Docker container.\n\nBelow is a quick start guide if you're already familiar with the development environment provided, but if you're not familiar, please read the [Getting Started Guide](GETTING_STARTED.md).\n\n#### Invoke\n\nThe [PyInvoke](http://www.pyinvoke.org/) library is used to provide some helper commands based on the environment. There are a few configuration parameters which can be passed to PyInvoke to override the default configuration:\n\n* `nautobot_ver`: the version of Nautobot to use as a base for any built docker containers (default: 1.2.0)\n* `project_name`: the default docker compose project name (default: nautobot_secrets_providers)\n* `python_ver`: the version of Python to use as a base for any built docker containers (default: 3.7)\n* `local`: a boolean flag indicating if invoke tasks should be run on the host or inside the docker containers (default: False, commands will be run in docker containers)\n* `compose_dir`: the full path to a directory containing the project compose files\n* `compose_files`: a list of compose files applied in order (see [Multiple Compose files](https://docs.docker.com/compose/extends/#multiple-compose-files) for more information)\n\nUsing **PyInvoke** these configuration options can be overridden using [several methods](http://docs.pyinvoke.org/en/stable/concepts/configuration.html). Perhaps the simplest is simply setting an environment variable `INVOKE_NAUTOBOT_SECRETS_PROVIDERS_VARIABLE_NAME` where `VARIABLE_NAME` is the variable you are trying to override. The only exception is `compose_files`, because it is a list it must be overridden in a yaml file. There is an example `invoke.yml` (`invoke.example.yml`) in this directory which can be used as a starting point.\n\n#### Local Poetry Development Environment\n\n1. Copy `development/creds.example.env` to `development/creds.env` (This file will be ignored by Git and Docker)\n2. Uncomment the `POSTGRES_HOST`, `REDIS_HOST`, and `NAUTOBOT_ROOT` variables in `development/creds.env`\n3. Create an `invoke.yml` file with the following contents at the root of the repo (you can also `cp invoke.example.yml invoke.yml` and edit as necessary):\n\n```yaml\n---\nnautobot_secrets_providers:\n local: true\n compose_files:\n - \"docker-compose.requirements.yml\"\n```\n\n3. Run the following commands:\n\n```shell\npoetry shell\npoetry install --extras nautobot\nexport $(cat development/dev.env | xargs)\nexport $(cat development/creds.env | xargs)\ninvoke start && sleep 5\nnautobot-server migrate\n```\n\n> If you want to develop on the latest develop branch of Nautobot, run the following command: `poetry add --optional git+https://github.com/nautobot/nautobot@develop`. After the `@` symbol must match either a branch or a tag.\n\n4. You can now run nautobot-server commands as you would from the [Nautobot documentation](https://nautobot.readthedocs.io/en/latest/) for example to start the development server:\n\n```shell\nnautobot-server runserver 0.0.0.0:8080 --insecure\n```\n\nNautobot server can now be accessed at [http://localhost:8080](http://localhost:8080).\n\nIt is typically recommended to launch the Nautobot **runserver** command in a separate shell so you can keep developing and manage the webserver separately.\n\n#### Docker Development Environment\n\nThis project is managed by [Python Poetry](https://python-poetry.org/) and has a few requirements to setup your development environment:\n\n1. Install Poetry, see the [Poetry Documentation](https://python-poetry.org/docs/#installation) for your operating system.\n2. Install Docker, see the [Docker documentation](https://docs.docker.com/get-docker/) for your operating system.\n\nOnce you have Poetry and Docker installed you can run the following commands to install all other development dependencies in an isolated python virtual environment:\n\n```shell\npoetry shell\npoetry install\ninvoke start\n```\n\nNautobot server can now be accessed at [http://localhost:8080](http://localhost:8080).\n\nTo either stop or destroy the development environment use the following options.\n\n- **invoke stop** - Stop the containers, but keep all underlying systems intact\n- **invoke destroy** - Stop and remove all containers, volumes, etc. (This results in data loss due to the volume being deleted)\n\n### CLI Helper Commands\n\nThe project is coming with a CLI helper based on [invoke](http://www.pyinvoke.org/) to help setup the development environment. The commands are listed below in 3 categories `dev environment`, `utility` and `testing`.\n\nEach command can be executed with `invoke <command>`. Environment variables `INVOKE_NAUTOBOT_SECRETS_PROVIDERS_PYTHON_VER` and `INVOKE_NAUTOBOT_SECRETS_PROVIDERS_NAUTOBOT_VER` may be specified to override the default versions. Each command also has its own help `invoke <command> --help`\n\n#### Docker dev environment\n\n```no-highlight\n build Build all docker images.\n debug Start Nautobot and its dependencies in debug mode.\n destroy Destroy all containers and volumes.\n restart Restart Nautobot and its dependencies.\n start Start Nautobot and its dependencies in detached mode.\n stop Stop Nautobot and its dependencies.\n```\n\n#### Utility\n\n```no-highlight\n cli Launch a bash shell inside the running Nautobot container.\n create-user Create a new user in django (default: admin), will prompt for password.\n makemigrations Run Make Migration in Django.\n nbshell Launch a nbshell session.\n```\n\n#### Testing\n\n```no-highlight\n bandit Run bandit to validate basic static code security analysis.\n black Run black to check that Python files adhere to its style standards.\n flake8 This will run flake8 for the specified name and Python version.\n pydocstyle Run pydocstyle to validate docstring formatting adheres to NTC defined standards.\n pylint Run pylint code analysis.\n tests Run all tests for this plugin.\n unittest Run Django unit tests for the plugin.\n```\n\n### Project Documentation\n\nProject documentation is generated by [mkdocs](https://www.mkdocs.org/) from the documentation located in the docs folder. You can configure [readthedocs.io](https://readthedocs.io/) to point at this folder in your repo. For development purposes a `docker-compose.docs.yml` is also included. A container hosting the docs will be started using the invoke commands on [http://localhost:8001](http://localhost:8001), as changes are saved the docs will be automatically reloaded.\n\n### Developing Against Secrets Backends\n\n#### AWS Secrets Manager\n\nThis assumes you are logged into the AWS Console.\n\n- Navigate to AWS Console\n- Navigate to AWS Secrets Manager\n- Click \"Store a new secret\"\n - Select \u201cOther type of secrets\u201d\n - Use Secret key/value\n - Enter `hello=world`\n - Use \"DefaultEncryptionKey\" for now\n - Click \"Next\"\n - Under \"Secret name\" fill out `hello`\n - Click \"Next\"\n - Under \"Configure automatic rotation\"\n - Leave it as \"Disable automatic rotation\"\n - On \"Store a new secret\"\n - Copy the sample code (see below)\n - Click \"Store\"\n- END\n\n##### Install the AWS CLI\n\nNext, install the [AWS CLI](https://aws.amazon.com/cli/).\n\nOn MacOS, this can be done using `brew install awscli`:\n\n```\nbrew install awscli\n```\n\nOn Linux, you will need to run a `curl` command (This assumes x86. Please see the docs for [AWS CLI on\nLinux](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html) for ARM and other options):\n\n```\ncurl \"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip\" -o \"awscliv2.zip\"\nunzip awscliv2.zip\nsudo ./aws/install\n```\n\n##### Configure the AWS CLI\n\nAfter installing the AWS CLI, you will need to configure it for authentication.\n\nYou may use an existing AWS access key or create a new one. For these instructions we cover the need to create a new access key that can be used for this.\n\n- Navigate to AWS Console\n- Click your username\n - Click \"My security credentials\"\n - Click \"create access key\"\n- Save your \"Access key ID\" and \"Secret access key\" for use when configuring the AWS CLI\n\nNow configure the CLI:\n\n- Run `aws configure`\n- Enter your credentials from above\n- Choose your region\n- Use output format: `json`\n\nExample:\n\n```no-highlight\n$ aws configure\nAWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE\nAWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\nDefault region name [None]: us-east-2\nDefault output format [None]: json\n```\n\nNow you are ready to use the sample code to retrieve your secret from AWS Secrets Manager!\n\n##### Sample Code\n\nMake sure that the `boto3` client is installed:\n\n```no-highlight\npoetry install --extras aws\n```\n\nNext, save this as `aws_secrets.py`:\n\n```python\n# Use this code snippet in your app.\n# If you need more information about configurations or implementing the sample code, visit the AWS docs:\n# https://aws.amazon.com/developers/getting-started/python/\n\nimport boto3\nimport base64\nfrom botocore.exceptions import ClientError\n\n\ndef get_secret():\n\n secret_name = \"hello\"\n region_name = \"us-east-2\"\n\n # Create a Secrets Manager client\n session = boto3.session.Session()\n client = session.client(\n service_name='secretsmanager',\n region_name=region_name\n )\n\n # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.\n # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n # We rethrow the exception by default.\n\n try:\n get_secret_value_response = client.get_secret_value(\n SecretId=secret_name\n )\n except ClientError as e:\n if e.response['Error']['Code'] == 'DecryptionFailureException':\n # Secrets Manager can't decrypt the protected secret text using the provided KMS key.\n # Deal with the exception here, and/or rethrow at your discretion.\n raise e\n elif e.response['Error']['Code'] == 'InternalServiceErrorException':\n # An error occurred on the server side.\n # Deal with the exception here, and/or rethrow at your discretion.\n raise e\n elif e.response['Error']['Code'] == 'InvalidParameterException':\n # You provided an invalid value for a parameter.\n # Deal with the exception here, and/or rethrow at your discretion.\n raise e\n elif e.response['Error']['Code'] == 'InvalidRequestException':\n # You provided a parameter value that is not valid for the current state of the resource.\n # Deal with the exception here, and/or rethrow at your discretion.\n raise e\n elif e.response['Error']['Code'] == 'ResourceNotFoundException':\n # We can't find the resource that you asked for.\n # Deal with the exception here, and/or rethrow at your discretion.\n raise e\n else:\n # Decrypts secret using the associated KMS CMK.\n # Depending on whether the secret is a string or binary, one of these fields will be populated.\n if 'SecretString' in get_secret_value_response:\n secret = get_secret_value_response['SecretString']\n else:\n decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])\n\n # Your code goes here.\n\n# ^ Above was generated by AWS.\n\n# This was added by us so you can run this as a script:\nif __name__ == \"__main__\":\n secret = get_secret()\n print(f\"Secret = {secret}\")\n```\n\nRun it with `python aws_secrets.py`:\n\n```\n$ python aws_secrets.py\nSecret = {\"hello\":\"world\"}.\n```\n\nNote that this blob is JSON and will also need to be decoded if you want to extract the value.\n\n#### HashiCorp Vault\n\nMake sure that the `hvac` client is installed:\n\n```no-highlight\npoetry install --extras hashicorp\n```\n\n##### Start Services with Docker\n\n```no-highlight\ninvoke start\n```\n\n##### Set an alias to work with `vault`\n\nThis will allow you to easily run the CLI command from within the container:\n\n```no-highlight\nalias vault=\"docker exec -it nautobot_secrets_providers_vault_1 vault\"\n```\n\nInteract with the Vault vi CLI (via `docker exec` into the container from localhost):\n\n```no-highlight\n$ vault status\nKey Value\n--- -----\nSeal Type shamir\nInitialized true\nSealed false\nTotal Shares 1\nThreshold 1\nVersion 1.8.2\nStorage Type inmem\nCluster Name vault-cluster-35c5d319\nCluster ID 2611f99c-a6de-a883-1fcc-bfffdc0217bc\nHA Enabled false\n```\n\n##### Using the Python `hvac` Library\n\nThis establishes a client, creates a basic key/value secret (`hello=world`) at the path `hello`, and then retrieves the data from the `hello` key at the secret path `hello`.\n\n> This is equivalent to the command `vault kv get -field hello secret/hello`.\n\n```python\nIn [1]: import hvac\n\nIn [2]: client = hvac.Client(url=\"http://localhost:8200\", token=\"nautobot\")\n\nIn [3]: client.secrets.kv.create_or_update_secret(path=\"hello\", secret=dict(hello=\"world\"))\nOut[3]:\n{'request_id': 'c4709868-c08f-4cb1-ab8c-605c58b82f3f',\n 'lease_id': '',\n 'renewable': False,\n 'lease_duration': 0,\n 'data': {'created_time': '2021-09-16T23:21:07.5564132Z',\n 'deletion_time': '',\n 'destroyed': False,\n 'version': 2},\n 'wrap_info': None,\n 'warnings': None,\n 'auth': None}\n\nIn [4]: client.secrets.kv.read_secret(path=\"hello\")[\"data\"][\"data\"][\"hello\"]\nOut[4]: 'world'\n```\n\n## Questions\n\nFor any questions or comments, please check the [FAQ](FAQ.md) first and feel free to swing by the [Network to Code Slack workspace](https://networktocode.slack.com/) (channel `#networktocode`).\n\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "Nautobot Secrets Providers Plugin.",
"version": "1.4.1",
"split_keywords": [
"nautobot",
"nautobot-plugin"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "056e3c850eb0327acdf07228de777ea16faad4f7360e325caca174ed10fa15e5",
"md5": "2e08495d63af0cf2859d67a36d3031c3",
"sha256": "8dc651f25b42459d5bc3f985bf4f3a2aeffa076a379ae9051d7ac1a0168ad062"
},
"downloads": -1,
"filename": "check_nautobot_secrets_providers-1.4.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2e08495d63af0cf2859d67a36d3031c3",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7,<4.0",
"size": 40640,
"upload_time": "2023-03-24T13:42:19",
"upload_time_iso_8601": "2023-03-24T13:42:19.747256Z",
"url": "https://files.pythonhosted.org/packages/05/6e/3c850eb0327acdf07228de777ea16faad4f7360e325caca174ed10fa15e5/check_nautobot_secrets_providers-1.4.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "bceeb6a5fa0e7c5a26408053306db0ca13b783bb1e1ab5ada1faeb0e3e799b8c",
"md5": "c1a6f055db0a74209ef754c7263e8c09",
"sha256": "875d9c3705a2027720bc932c3f48de3688ccdbf6255785a552109426f149e0c9"
},
"downloads": -1,
"filename": "check_nautobot_secrets_providers-1.4.1.tar.gz",
"has_sig": false,
"md5_digest": "c1a6f055db0a74209ef754c7263e8c09",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7,<4.0",
"size": 32976,
"upload_time": "2023-03-24T13:42:21",
"upload_time_iso_8601": "2023-03-24T13:42:21.385452Z",
"url": "https://files.pythonhosted.org/packages/bc/ee/b6a5fa0e7c5a26408053306db0ca13b783bb1e1ab5ada1faeb0e3e799b8c/check_nautobot_secrets_providers-1.4.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-03-24 13:42:21",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "nautobot",
"github_project": "nautobot-plugin-secrets-providers",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "check-nautobot-secrets-providers"
}