fidelius


| Field | Value |
|---|---|
| Name | fidelius |
| Version | 2.0.1 |
| home_page | None |
| Summary | The Fidelius Charm! (keeping things secret) |
| upload_time | 2024-11-05 12:36:47 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | None |
| license | MIT License Copyright (c) 2022-2024 CCP Games Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| keywords | parameter store, aws, secrets, tools, ccp, utils, hashicorp vault |
| VCS | |
| bugtrack_url | |
| requirements | ccptools, boto3, hvac |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# The Fidelius Charm - Keeping Things Secret

Fidelius is a package for fetching (and managing) secrets and other 
parameters from AWS' Parameter Store.

This is designed with CCP Borg Application Framework and the Alviss config 
package in mind but should work for other cases as well.

**IMPORTANT:** This has been migrated more-or-less _"as-is"_ from CCP Tool's 
internal repo and hasn't yet been given the love it needs to be properly 
open-sourced and user friendly for other people _(unless you read through the 
code and find it perfectly fits your use case)_.

**ALSO IMPORTANT:** This README hasn't been updated to reflect changes in 
version 1.0.0 yet. Sowwie! :-/

## What should be stored with Fidelius

All secrets, always, as Secret Parameters (they are stored encrypted)!

This includes (but is not limited to):

- Passwords of any kind
- Secret/Access Keys
- API Tokens
- Shared Secrets (e.g. JWT secrets)
- Encryption keys and/or salts
- ...basically any credentials or stuff that needs to remain secret!

Also, it's prudent to store any credentials that are related 
(directly or indirectly) to the secrets stored, e.g.:

- Usernames
- Resource identifiers (DB names and such)
- Hosts / Virtual Hosts
- ...stuff like that!

The reasoning is roughly this: if/when the secrets being stored need to be 
changed or rotated, there is often a need to change other credential-related 
things as well, e.g. a username if we're performing a rolling/overlapping 
rotation, or a host if changing an API token and pointing to a different URL, 
and so on.

Basically, imagine that someone gets hold of all of our secrets and we 
need to rotate them as soon as possible. Being able to change both a 
password and its username and host from the same place (Fidelius or AWS 
Parameter Store) in a single operation WITHOUT needing to deploy anything 
new or changed is critical, and if we need to do this for hundreds of 
services at once, every second counts!


## How to Use / Best Practices

What you'll need first:

- An AWS account
  - Fidelius is designed to work within an AWS environment, fetching secrets 
    and parameters from the Parameter Store of AWS' Systems Manager utility 
    and using the AWS Key Management Service (KMS) for secret 
    encryption/decryption.
- A dedicated key in KMS for encryption and decryption of secrets
  - Preferably with the alias `fidelius-key` but that's configurable via the 
    `FIDELIUS_AWS_KEY_ARN` environment variable
- A few different service users with different permission policies and their 
  AWS security credentials / access keys
  - One for administrating secrets/parameters
  - One for local development
  - One for your CI/CD system to use (if needed)
  - One for deployed applications to use in runtime


### The Admin User/Policy

To administrate parameters you'll need credentials with the following 
permissions:

- `kms:Decrypt` & `kms:Encrypt`
  - Bind this to the encryption key's ARN, e.g. `arn:aws:kms:eu-west-1:AWS_ACCOUNT_ID:key/fidelius-key`
    - Where `AWS_ACCOUNT_ID` is your AWS account number
    - Change the region as needed
- Everything to do with parameters in the SSM:
  - `ssm:LabelParameterVersion`
  - `ssm:GetParameterHistory`
  - `ssm:GetParameters`
  - `ssm:GetParameter`
  - `ssm:DeleteParameters`
  - `ssm:PutParameter`
  - `ssm:DeleteParameter`
  - `ssm:RemoveTagsFromResource`
  - `ssm:AddTagsToResource`
  - `ssm:ListTagsForResource`
  - `ssm:GetParametersByPath`
  - Bind this to the ARN of the `fidelius` path in the Parameter Store
    - `arn:aws:ssm:eu-west-1:AWS_ACCOUNT_ID:parameter/fidelius/*`
      - Where `AWS_ACCOUNT_ID` is your AWS account number
      - Change the region as needed
- It's also very wise to limit the use of this user/policy to a fixed IP or 
  set of IP addresses, if possible, from which you'll be performing admin 
  operations on secrets and parameters

To administrate (create/edit) parameters and secrets, set the credentials for 
this account to these environment variables and follow the directions in the 
[Creating Parameters and Secrets Locally](#creating-parameters-and-secrets-locally) chapter.

- `FIDELIUS_AWS_ACCESS_KEY_ID`
- `FIDELIUS_AWS_SECRET_ACCESS_KEY`

**Note**: You can also just give these permissions to your personal AWS 
account and use those credentials if you prefer but having a dedicated 
service account for administrating these is highly recommended.


### The Local Development User/Policy

Local developers will need to fetch dev parameters and secrets for things to 
run so they'll need the following action permissions:

- `kms:Decrypt`
- `ssm:GetParametersByPath`
- `ssm:GetParameters`
- `ssm:GetParameter`

These need to be bound to the encryption key and parameter store ARNs, e.g.:

- `arn:aws:kms:eu-west-1:AWS_ACCOUNT_ID:key/fidelius-key`
- `arn:aws:ssm:eu-west-1:AWS_ACCOUNT_ID:parameter/fidelius/*`
  - Where `AWS_ACCOUNT_ID` is your AWS account number
  - Change the region as needed

**Note**: You can also just give these permissions to developers' personal AWS 
accounts and use those credentials.

**Another Note**: If I remember correctly, then it's also possible to make the 
resource binding on the parameter store path more constricting, e.g. by 
limiting it to an application and/or runtime environment, thus preventing 
production secrets from being accessible by curious developers, like:
`arn:aws:ssm:eu-west-1:AWS_ACCOUNT_ID:parameter/fidelius/*/local/mycoolapp/*`


### The CI/CD User/Policy

This one may not be needed depending on your setup and system but the point 
is that sometimes CI/CD pipelines may need to access parameters and secrets 
in order to run automated unit and/or integration tests.

In that case, just make a service user/policy similar to the Local 
Development one. It's highly recommended to restrict the use of its 
credentials to the IP or IP range of the CI/CD system, and even to treat 
testing as its own "runtime environment" (like `local`, `test`, `prod`, etc.) 
and limit the parameter store ARN to that environment as well as to the 
application and/or application group:
`arn:aws:ssm:eu-west-1:AWS_ACCOUNT_ID:parameter/fidelius/mygroup/unittest/*`


### The Runtime Application User/Policy

This one is intended for applications to use in their runtime environment 
(e.g. a Kubernetes Cluster or EC2 machine or whatever) and it should be 
restricted to the IP address or range of that environment, such that even if 
the credentials were to be exposed, they'd be useless unless used from 
within that runtime environment.

Again the permissions needed are just the ability to get parameters and 
decrypt them using the designated key so:

- `kms:Decrypt`
- `ssm:GetParametersByPath`
- `ssm:GetParameters`
- `ssm:GetParameter`

These need to be bound to the encryption key and parameter store ARNs, e.g.:

- `arn:aws:kms:eu-west-1:AWS_ACCOUNT_ID:key/fidelius-key`
- `arn:aws:ssm:eu-west-1:AWS_ACCOUNT_ID:parameter/fidelius/*`
  - Where `AWS_ACCOUNT_ID` is your AWS account number
  - Change the region as needed

**Note**: It's highly recommended to have at least one of these per 
"application group" (e.g. a few microservice applications servicing a single 
business domain) or even one per application, and restricting the parameter 
store ARN to match. 
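
The read-only policies described above (local development, CI/CD, runtime) can be generated per group, environment and application. The following is an added example, not code from Fidelius itself: it assumes the `/fidelius/<group>/<env>/apps/<app>/` and `/fidelius/<group>/<env>/shared/` path layout used in this README's examples, includes the `default` environment that lookups fall back to, and uses a constructed account number, key ARN and IP range.

```python
import fnmatch
import json

# Read-only actions this README lists for the dev, CI/CD and runtime users.
READ_ACTIONS = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]


def parameter_arns(account_id, region, group, env, app=None):
    """ARN patterns for one group/env plus the `default` env used as fallback."""
    base = f"arn:aws:ssm:{region}:{account_id}:parameter/fidelius/{group}"
    arns = []
    # dict.fromkeys keeps order and drops the duplicate when env == "default".
    for e in dict.fromkeys([env, "default"]):
        # App-specific parameters: a single app if given, else every app in the group.
        arns.append(f"{base}/{e}/apps/{app or '*'}/*")
        # Group-shared parameters.
        arns.append(f"{base}/{e}/shared/*")
    return arns


def reader_policy(account_id, region, key_arn, group, env, app=None, source_cidrs=()):
    """Build an IAM policy document for a read-only Fidelius user."""
    ssm_statement = {
        "Sid": "ReadFideliusParameters",
        "Effect": "Allow",
        "Action": READ_ACTIONS,
        "Resource": parameter_arns(account_id, region, group, env, app),
    }
    if source_cidrs:
        # Restrict use of the credentials to the runtime / CI address range.
        ssm_statement["Condition"] = {"IpAddress": {"aws:SourceIp": list(source_cidrs)}}
    # Choice made in this example: the IP condition sits on the SSM statement only,
    # since SecureString values are requested through SSM.
    kms_statement = {
        "Sid": "DecryptWithFideliusKey",
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": [key_arn],
    }
    return {"Version": "2012-10-17", "Statement": [ssm_statement, kms_statement]}


def allows(policy, action, resource_arn):
    """Simplified review helper: Allow statements and Resource wildcards only.

    Conditions and Deny statements are ignored, so this is a scoping check,
    not a replacement for IAM's own policy evaluation.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or action not in statement["Action"]:
            continue
        if any(fnmatch.fnmatchcase(resource_arn, p) for p in statement["Resource"]):
            return True
    return False


# Constructed sample values (placeholders, not real identifiers).
ACCOUNT = "123456789012"
REGION = "eu-west-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/EXAMPLE-KEY-ID"

if __name__ == "__main__":
    policy = reader_policy(ACCOUNT, REGION, KEY_ARN, group="mygroup", env="prod",
                           app="example-app", source_cidrs=["203.0.113.0/24"])
    print(json.dumps(policy, indent=2))
```

Leaving `app` unset widens the policy to every application in the group, which matches the "one per application group" option in the note above.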


## Configuration Parameters

Set the credentials of one of the users described above in the following 
environment variables to give Fidelius the access it needs: 

- `FIDELIUS_AWS_ACCESS_KEY_ID`
- `FIDELIUS_AWS_SECRET_ACCESS_KEY`

If these are not present then Fidelius will try to use these instead:

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`

These should VERY preferably be the ONLY credentials in your project and 
stored in a secure and encrypted way up until they're needed for deployment 
and such. 

You will also need to supply the ARN of the decryption/encryption key via 
environment variable:

- `FIDELIUS_AWS_KEY_ARN`
  - E.g. `arn:aws:kms:eu-west-1:123456789:alias/fidelius-key` 

The following Environment Variables can also be set to override the defaults:

- `AWS_DEFAULT_REGION`: This is `eu-west-1` by default in Fidelius and 
  doesn't need to be set.


## Using Fidelius with Alviss

Use the `${__FID__:parameter_name}` expression within the application config 
files for application specific parameters and 
`${__FID__:shared_group_name:parameter_name}` for group shared parameters.

```yaml
app:
  module_name: exampleapp
  slug: example-app  # This is used by Fidelius
  group: mygroup  # This is required now!
  env: prod  # Runtime environment from Environment Var

publisher:
  connection:
    # Application Specific Parameters
    # This will be fetched from:
    # /fidelius/mygroup/prod/apps/example-app/DB_PASSWORD
    # ...or if no "prod" values are found from:
    # /fidelius/mygroup/default/apps/example-app/DB_PASSWORD
    password: ${__FID__:DB_PASSWORD}
    
    # Shared Group Parameters
    # This will be fetched from:
    # /fidelius/mygroup/prod/shared/rabbitmq/RABBIT_MQ_HOST
    # ...or if no "prod" values are found from:
    # /fidelius/mygroup/default/shared/rabbitmq/RABBIT_MQ_HOST
    host: ${__FID__:rabbitmq:RABBIT_MQ_HOST}
```
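
To review which Parameter Store paths a config will touch before granting access, the expressions can be extracted and expanded into their lookup candidates. The following is an added example, not Fidelius' own parser: the expression grammar and the env-then-`default` order are taken from the two forms and the path comments shown above, and the sample config is constructed.

```python
import re

# Assumed grammar, based on the two forms this README shows:
#   ${__FID__:NAME}          application specific parameter
#   ${__FID__:FOLDER:NAME}   group shared parameter
FID_EXPR = re.compile(r"\$\{__FID__:(?:(?P<folder>[^:{}]+):)?(?P<name>[^:{}]+)\}")


def find_references(config, trail=()):
    """Yield (config key path, folder or None, name) for every expression found."""
    if isinstance(config, dict):
        for key, value in config.items():
            yield from find_references(value, trail + (str(key),))
    elif isinstance(config, list):
        for index, value in enumerate(config):
            yield from find_references(value, trail + (str(index),))
    elif isinstance(config, str):
        for match in FID_EXPR.finditer(config):
            yield ".".join(trail), match.group("folder"), match.group("name")
    # Numbers, booleans and None cannot hold an expression and are skipped.


def candidate_paths(group, env, app, folder, name):
    """Paths in lookup order: the requested env first, then `default`."""
    envs = dict.fromkeys([env, "default"])  # de-duplicates env == "default"
    if folder:
        return [f"/fidelius/{group}/{e}/shared/{folder}/{name}" for e in envs]
    return [f"/fidelius/{group}/{e}/apps/{app}/{name}" for e in envs]


def audit(config, group, env, app):
    """Map each config key to the Parameter Store paths it may be resolved from."""
    report = {}
    for key_path, folder, name in find_references(config):
        report.setdefault(key_path, []).extend(
            candidate_paths(group, env, app, folder, name))
    return report


# Constructed sample config mirroring the YAML above.
SAMPLE_CONFIG = {
    "app": {"slug": "example-app", "group": "mygroup", "env": "prod"},
    "publisher": {
        "connection": {
            "password": "${__FID__:DB_PASSWORD}",
            "host": "${__FID__:rabbitmq:RABBIT_MQ_HOST}",
            "port": 5672,
        }
    },
}

if __name__ == "__main__":
    for key, paths in audit(SAMPLE_CONFIG, "mygroup", "prod", "example-app").items():
        print(key)
        for path in paths:
            print("   ", path)
```

A key whose only existing value sits under `default` will resolve to that value in every environment, which is worth checking for production credentials.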

## Using Fidelius in Other Applications

For general usage you can use the same expressions as above in any config you 
use and then have Fidelius replace them once you've read them in like so:

```json
{
  "someconfig": {
    "somepassword": "${__FID__:my_cool_password}"
  }
}
```

Then in Python:

```python
from fidelius.fideliusapi import ParameterStore
from fidelius.fideliusapi import fidelius_replace

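# Read the raw value from your config somehow (read_my_config is a
# placeholder for your own loader); it returns "${__FID__:my_cool_password}"
pass_from_conf = read_my_config('somepassword')

# Create the Parameter Store
ps = ParameterStore(app='my_application', 
                    group='my_group',
                    env='test')

# Will read from /fidelius/my_group/test/apps/my_application/my_cool_password
# (...or default)
# Pass the value read from the config, not the variable's name as a string
real_password = fidelius_replace(pass_from_conf, ps)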
```

## Using Fidelius Directly

While it makes most sense to use Fidelius to look up values injected from 
configurations you can also just use it directly in code like so:

```python
from fidelius.fideliusapi import ParameterStore

# Create the Parameter Store
ps = ParameterStore(app='my_application', 
                    group='my_group',
                    env='test')

# Will read from /fidelius/my_group/test/apps/my_application/my_cool_password
# (...or default)
real_or_default_password = ps.get('my_cool_password')

# This forcefully skips using the default value:
real_password = ps.get('my_cool_password', no_default=True)

# This fetches from a shared group folder
# Will read from /fidelius/my_group/test/shared/someFolder/shared_password
shared_password = ps.get('shared_password', 'someFolder')
```


## Creating Parameters and Secrets Locally

Set the following environment variables to credentials with the [appropriate 
access](#the-admin-userpolicy):

- `FIDELIUS_AWS_ACCESS_KEY_ID`
- `FIDELIUS_AWS_SECRET_ACCESS_KEY`

```python
from fidelius.gateway.paramadmin import *

# Create the Parameter Store Admin
pa = ParameterStoreAdmin(
    app='example-app',  # This is the app slug (not app module name)
    group='mygroup',  # The project group, e.g. "monetization", "px" etc.
    env='default',  # default | dev | test | prod etc.
    owner='batcave',  # The team that owns the applications
)

# Create an application specific parameter
pa.create_param(name='MSG_QUEUE_USERNAME',
                value='svc_username_dev',
                description='Give it a meaningful description')

# This will create the parameter under: 
# /fidelius/mygroup/default/apps/example-app/MSG_QUEUE_USERNAME
```

### And Now A Secret

```python
# Now let's create a secret (under its own name, so it doesn't collide with
# the MSG_QUEUE_USERNAME parameter created above):
pa.create_secret(name='MSG_QUEUE_PASSWORD',
                 value='somekindofpassword',
                 description='Give it a meaningful description')
```

### Override Default Value with Environment Specific Ones

```python
# Now let's create the prod password value that will override the default 
# one in production...

pa.set_env('prod')  # Change the env to prod instead of default
# A password is a secret, so it is created with create_secret
pa.create_secret(name='MSG_QUEUE_PASSWORD',
                 value='atotallydifferentpassword',
                 description='Give it a meaningful description')
```

## Creating Shared Parameters and Secrets Locally

Set the following environment variables to credentials with the [appropriate 
access](#the-admin-userpolicy):

- `FIDELIUS_AWS_ACCESS_KEY_ID`
- `FIDELIUS_AWS_SECRET_ACCESS_KEY`

```python
from fidelius.gateway.paramadmin import *

# Create the Parameter Store Admin
pa = ParameterStoreAdmin(
    app='example-app',  # This isn't used for shared params/secrets
    group='mygroup',  # Shared params/secrets are only shared across a group
    env='default',  # default | dev | test | prod etc.
    owner='batcave',  # The team that owns the group
)

# Create a group shared parameter
pa.create_shared_param(name='RABBIT_MQ_VHOST',
                       folder='rabbitmq',
                       value='rabbitmq-dev.ccptools.cc',
                       description='Give it a meaningful description')

# Create a group shared secret
pa.create_shared_secret(name='RABBIT_MQ_PASSWORD',
                        folder='rabbitmq',
                        value='reallyBadPassword',
                        description='Give it a meaningful description')

# This will create the parameters under: 
# /fidelius/mygroup/default/shared/rabbitmq/RABBIT_MQ_VHOST
# /fidelius/mygroup/default/shared/rabbitmq/RABBIT_MQ_PASSWORD
```

### Override Default Value with Environment Specific Ones

```python
# Now let's create the prod values that will override the default 
# ones in production...

pa.set_env('prod')  # Change the env to prod instead of default

# Create a group shared parameter for production
pa.create_shared_param(name='RABBIT_MQ_VHOST',
                       folder='rabbitmq',
                       value='rabbitmq-live.ccptools.cc',
                       description='Give it a meaningful description')

# Create a group shared secret for production
pa.create_shared_secret(name='RABBIT_MQ_PASSWORD',
                        folder='rabbitmq',
                        value='notThatMuchBetterPassword',
                        description='Give it a meaningful description')
```


            

Raw data

            {
    "_id": null,
    "home_page": null,
    "name": "fidelius",
    "maintainer": null,
    "docs_url": null,
    "requires_python": null,
    "maintainer_email": null,
    "keywords": "parameter store, aws, secrets, tools, ccp, utils, hashicorp vault",
    "author": null,
    "author_email": "Thordur Matthiasson <thordurm@ccpgames.com>, Kristin Fjola Tomasdottir <kristinf@ccpgames.com>",
    "download_url": null,
    "platform": null,
    "bugtrack_url": null,
    "summary": "The Fidelius Charm! (keeping things secret)",
    "version": "2.0.1",
    "project_urls": {
        "Changelog": "https://github.com/ccpgames/fidelius/blob/main/CHANGELOG.md",
        "Documentation": "https://github.com/ccpgames/fidelius/blob/main/README.md",
        "Homepage": "https://github.com/ccpgames/fidelius",
        "Issues": "https://github.com/ccpgames/fidelius/issues",
        "Repository": "https://github.com/ccpgames/fidelius.git"
    },
    "split_keywords": [
        "parameter store",
        " aws",
        " secrets",
        " tools",
        " ccp",
        " utils",
        " hashicorp vault"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "08d17a30451caf9933d10b30f4fea38f8eaf89fbc36f01453fff7458f420db65",
                "md5": "c922f975323d06510fcb2d949dfb44ea",
                "sha256": "ae37953dcc3004c0a3e86cc08c5683f645e9e20215e5c27fcee40121b8025867"
            },
            "downloads": -1,
            "filename": "fidelius-2.0.1-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "c922f975323d06510fcb2d949dfb44ea",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": null,
            "size": 27280,
            "upload_time": "2024-11-05T12:36:47",
            "upload_time_iso_8601": "2024-11-05T12:36:47.344757Z",
            "url": "https://files.pythonhosted.org/packages/08/d1/7a30451caf9933d10b30f4fea38f8eaf89fbc36f01453fff7458f420db65/fidelius-2.0.1-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-11-05 12:36:47",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "ccpgames",
    "github_project": "fidelius",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [
        {
            "name": "ccptools",
            "specs": [
                [
                    ">=",
                    "1.1"
                ],
                [
                    "<",
                    "2"
                ]
            ]
        },
        {
            "name": "boto3",
            "specs": [
                [
                    ">=",
                    "1.20"
                ],
                [
                    "<",
                    "2"
                ]
            ]
        },
        {
            "name": "hvac",
            "specs": [
                [
                    "<",
                    "3"
                ],
                [
                    ">=",
                    "2.2"
                ]
            ]
        }
    ],
    "lcname": "fidelius"
}
        