def test_getSecret_nonexistent(): try: credstash.getSecret("bad secret") except credstash.ItemNotFound: assert True else: assert False, "expected credstash.ItemNotFound error"
def __init__(self): self.dynamo = boto3.client( "dynamodb") # using the python SDK of AWS DynamoDB # credstash fetching api tokens/client secret self.twilio_sid = credstash.getSecret("twilio_sid") self.twilio_api_token = credstash.getSecret("twilio_api_token")
def create_incident_note(event, context): """ This script uses the PagerDuty API to write notes to specific incidents. """ EMAIL = getSecret('sre.oaf.utility.pd-commenter.username', region='us-east-1', table='{}-credstash'.format(os.environ['environ'])) API_KEY = getSecret('sre.oaf.utility.pd-commenter.password', region='us-east-1', table='{}-credstash'.format(os.environ['environ'])) INCIDENT_ID = event['incidentID'] CONTENT = event['message'] url = 'https://api.pagerduty.com/incidents/{id}/notes'.format( id=INCIDENT_ID) headers = { 'Accept': 'application/vnd.pagerduty+json;version=2', 'Authorization': 'Token token={token}'.format(token=API_KEY), 'Content-type': 'application/json', 'From': EMAIL } payload = {'note': {'content': CONTENT}} r = requests.post(url, headers=headers, data=json.dumps(payload)) if r.status_code == 201: print("Note added successfully.") return "Note: " + CONTENT + " added successfully."
def test_deletes_on_teardown(self): key_name = run_tiltfile_func( "local_resource_ext/Tiltfile", "credstash_key", mocks={'local_resource': local_resource_integration}, resource_name="my_key", val="my_secret", ) run_tiltfile_func( "local_resource_ext/Tiltfile", "credstash_key", mocks={ 'local_resource': local_resource_integration, 'config': TiltConfig('down') }, resource_name="my_key", val="my_secret", ) with pytest.raises(credstash.ItemNotFound): credstash.getSecret(key_name) assert run_tiltfile_func("tilt_env/Tiltfile", "tilt_env_get", key="my_key") == None
def test_getSecret_wrong_region(secret): try: credstash.getSecret(secret['name'], region='us-west-2') except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'ResourceNotFoundException': assert True else: assert False, "expected botocore ResourceNotFoundException"
def read_config(config_file, instance_metadata): settings = {} # get user config config = ConfigParser.ConfigParser() config.read(config_file) # get global config settings use_credstash = config.getboolean('DEFAULT', 'use_credstash') settings['call_create_job'] = config.getboolean('DEFAULT', 'call_create_job') settings['call_terminate_job'] = config.getboolean('DEFAULT', 'call_terminate_job') # get jenkins settings settings['url'] = config.get('jenkins', 'url') settings['verify_ssl'] = config.getboolean('jenkins', 'verify_ssl') if settings['call_create_job']: settings['create_job'] = config.get('jenkins', 'create_job') settings['create_job_params'] = config.get('jenkins', 'create_job_params', 0, instance_metadata) if settings['call_terminate_job']: settings['terminate_job'] = config.get('jenkins', 'terminate_job') settings['terminate_job_params'] = config.get('jenkins', 'terminate_job_params', 0, instance_metadata) # get credstash settings if use_credstash: credstash_table = config.get('credstash', 'table') settings['username'] = credstash.getSecret(config.get( 'credstash', 'jenkins_username_key'), table=credstash_table) settings['api_key'] = credstash.getSecret(config.get( 'credstash', 'jenkins_user_token_key'), table=credstash_table) if settings['call_create_job']: settings['create_job_token'] = credstash.getSecret( config.get('credstash', 'jenkins_create_job_token_key'), table=credstash_table) if settings['call_terminate_job']: settings['terminate_job_token'] = credstash.getSecret( config.get('credstash', 'jenkins_terminate_job_token_key'), table=credstash_table) else: settings['username'] = config.get('jenkins', 'username') settings['api_key'] = config.get('jenkins', 'api_key') if settings['call_create_job']: settings['create_job_token'] = config.get('jenkins', 'create_job_token') if settings['call_terminate_job']: settings['terminate_job_token'] = config.get( 'jenkins', 'terminate_job_token') return settings
def get_creds(): """Reads a user and key out of credstash to auth into the LM API.""" global user global key if user or key == None: user = getSecret('sre.oaf.utility.oaf-logicmonitor-reaper.id', region='us-east-1', table='{}-credstash'.format(os.environ['environ'])) key = getSecret('sre.oaf.utility.oaf-logicmonitor-reaper.key', region='us-east-1', table='{}-credstash'.format(os.environ['environ']))
def __init__(self): """General object initializer.""" self.OIDC_DOMAIN = os.environ['OIDC_DOMAIN'] self.OIDC_CLIENT_ID = credstash.getSecret( name="riskheatmap.oidc_client_id", context={'app': 'riskheatmap'}, region="us-east-1") self.OIDC_CLIENT_SECRET = credstash.getSecret( name="riskheatmap.oidc_client_secret", context={'app': 'riskheatmap'}, region="us-east-1") self.LOGIN_URL = "https://{DOMAIN}/login?client={CLIENT_ID}".format( DOMAIN=self.OIDC_DOMAIN, CLIENT_ID=self.OIDC_CLIENT_ID)
def set_user_data(ctx: Context) -> None: """Retrieve behave -userdata values, setting them on the context""" user_data = ctx.config.userdata try: ctx.users = credstash.getSecret(name='stg.viz.tableau.login', region='us-east-1') except credstash.ItemNotFound as ex: LOGGER.debug(f'Cloud secret not found: {ex.value}') except (credstash.KmsError, credstash.IntegrityError) as ex: LOGGER.debug(f'Cloud secret exception: {ex.value}') ctx.users = credstash.getSecret('stg.viz.tableau.login') ctx.wait_timeout = user_data.getfloat("wait_timeout", 10) ctx.max_attempts = user_data.getint("max_attempts", 1) ctx.debug_mode = user_data.getbool("debug_mode", False) ctx.latency = user_data.get("latency", 0)
def get_secret(secret_key): try: value = credstash.getSecret(secret_key) except credstash.ItemNotFound as item_not_found: value = None return value
def get_secrets(env_name, team, component_name, boto_session): credentials = boto_session.get_credentials() aws_credentials = { 'aws_access_key_id': credentials.access_key, 'aws_secret_access_key': credentials.secret_key, 'aws_session_token': credentials.token } prefix = 'deploy.{}.{}.'.format(env_name, component_name) table_name = 'credstash-{}'.format(team) return { name[len(prefix):]: credstash.getSecret( name, table=table_name, region=boto_session.region_name, **aws_credentials ) for name in _component_secrets_for_environment( table_name, boto_session.region_name, prefix, aws_credentials ) }
def run(self, terms, variables, **kwargs): if not CREDSTASH_INSTALLED: raise AnsibleError('The credstash lookup plugin requires credstash to be installed.') ret = [] for term in terms: try: version = kwargs.pop('version', '') region = kwargs.pop('region', None) table = kwargs.pop('table', 'credential-store') profile_name = kwargs.pop('profile_name', os.getenv('AWS_PROFILE', None)) aws_access_key_id = kwargs.pop('aws_access_key_id', os.getenv('AWS_ACCESS_KEY_ID', None)) aws_secret_access_key = kwargs.pop('aws_secret_access_key', os.getenv('AWS_SECRET_ACCESS_KEY', None)) aws_session_token = kwargs.pop('aws_session_token', os.getenv('AWS_SESSION_TOKEN', None)) kwargs_pass = {'profile_name': profile_name, 'aws_access_key_id': aws_access_key_id, 'aws_secret_access_key': aws_secret_access_key, 'aws_session_token': aws_session_token} val = credstash.getSecret(term, version, region, table, context=kwargs, **kwargs_pass) except credstash.ItemNotFound: raise AnsibleError('Key {0} not found'.format(term)) except Exception as e: raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e.message)) ret.append(val) return ret
def run(self, terms, variables, **kwargs): if not CREDSTASH_INSTALLED: raise AnsibleError( 'The credstash lookup plugin requires credstash to be installed.' ) ret = [] for term in terms: try: version = kwargs.pop('version', '') region = kwargs.pop('region', None) table = kwargs.pop('table', 'credential-store') val = credstash.getSecret(term, version, region, table, context=kwargs) except credstash.ItemNotFound: raise AnsibleError('Key {0} not found'.format(term)) except Exception as e: raise AnsibleError( 'Encountered exception while fetching {0}: {1}'.format( term, e.message)) ret.append(val) return ret
def lambda_handler(event,context): logger = logging.getLogger() logger.setLevel(logging.INFO) #logger.info('got event{}'.json.dumps(event)) #logger.error('something went wrong') sns_message=json.loads(event['Records'][0]['Sns']['Message']) logger.info('SNS message received: '+str(sns_message)) # These two lines enable debugging at httplib level (requests->urllib3->http.client) # You will see the REQUEST, including HEADERS and DATA, and RESPONSE with HEADERS but without DATA. # The only thing missing will be the response.body which is not logged. try: import http.client as http_client except ImportError: # Python 2 import httplib as http_client http_client.HTTPConnection.debuglevel = 1 # You must initialize logging, otherwise you'll not see debug output. logging.basicConfig() logging.getLogger().setLevel(logging.DEBUG) requests_log = logging.getLogger("requests.packages.urllib3") requests_log.setLevel(logging.DEBUG) requests_log.propagate = True timeStamp = time.time() requestTimestamp = datetime.datetime.fromtimestamp(int(timeStamp)).strftime('%Y-%m-%d %H:%M:%S') endPoint = os.environ['endPoint'] #IAS/qualys/prepareScan #url = "https://ias.cengage.info/IAS/qualys/prepareScan" url = os.environ['url'] #accessKey=os.environ['accessKey'] #secretKey=os.environ['secretKey'] accessKey = credstash.getSecret("IAS-accessKey") secretKey = credstash.getSecret("IAS-secretKey") #payload = json.load(open("test")) #data = json.dumps(sns_message['PrivateIP']) data = ["10.172.104.117", "10.172.105.202", "10.172.253.71"] stringToHash = endPoint + accessKey + requestTimestamp + secretKey calculatedSignatureHash = hashlib.sha1(stringToHash).hexdigest() print calculatedSignatureHash #calculatedSignatureHash = DigestUtils().getHexSha1Digest(stringToHash) headers = {'content-type': 'application/json', 'accessKey' : str(accessKey), 'secretKey' : str(secretKey) ,'requestSignature' : calculatedSignatureHash, 'requestTimestamp' : str(requestTimestamp) , 'requestEndpoint' : str(endPoint)} response=requests.post(url, data=data, headers=headers) logger.info("AppBuilder requested to prepare requested list of IPs for scanning: "+str(response))
def secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node) -> JSON_TYPE: """Load secrets and embed it into the configuration YAML.""" secret_path = os.path.dirname(loader.name) while True: secrets = _load_secret_yaml(secret_path) if node.value in secrets: _LOGGER.debug( "Secret %s retrieved from secrets.yaml in folder %s", node.value, secret_path, ) return secrets[node.value] if secret_path == os.path.dirname(sys.path[0]): break # sys.path[0] set to config/deps folder by bootstrap secret_path = os.path.dirname(secret_path) if not os.path.exists(secret_path) or len(secret_path) < 5: break # Somehow we got past the .homeassistant config folder if keyring: # do some keyring stuff pwd = keyring.get_password(_SECRET_NAMESPACE, node.value) if pwd: global KEYRING_WARN # pylint: disable=global-statement if not KEYRING_WARN: KEYRING_WARN = True _LOGGER.warning( "Keyring is deprecated and will be removed in March 2021." ) _LOGGER.debug("Secret %s retrieved from keyring", node.value) return pwd global credstash # pylint: disable=invalid-name, global-statement if credstash: # pylint: disable=no-member try: pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE) if pwd: global CREDSTASH_WARN # pylint: disable=global-statement if not CREDSTASH_WARN: CREDSTASH_WARN = True _LOGGER.warning( "Credstash is deprecated and will be removed in March 2021." ) _LOGGER.debug("Secret %s retrieved from credstash", node.value) return pwd except credstash.ItemNotFound: pass except Exception: # pylint: disable=broad-except # Catch if package installed and no config credstash = None raise HomeAssistantError(f"Secret {node.value} not defined")
def main(): module = AnsibleModule( argument_spec=dict( secret=dict(required=True, type='str'), fact=dict(default=None, type='str'), fact_type=dict(default=None, choices=['yaml', 'json']), mode=dict(default='get', choices=['get', 'put']), value=dict(default=None, type='str'), key=dict(default='alias/credstash', type='str'), region=dict(default='us-east-1', type='str'), table=dict(default='credential-store', type='str'), version=dict(default='', type='str'), context=dict(default=None, type='dict') ) ) result = dict(changed=False, failed=False) if module.params.get('mode') == 'put': result['output'] = credstash.putSecret( module.params.get('secret'), module.params.get('value'), module.params.get('version'), module.params.get('key'), module.params.get('region'), module.params.get('table'), module.params.get('context') ) result['changed'] = True try: result['output'] = credstash.getSecret( module.params.get('secret'), module.params.get('version'), module.params.get('region'), module.params.get('table'), module.params.get('context') ) except credstash.ItemNotFound: module.fail_json(msg="credstash secret not found") fact = module.params.get('fact') fact_type = module.params.get('fact_type') if fact is not None: if fact_type == 'yaml': result['ansible_facts'] = { fact: yaml.safe_load(result['output']) } elif fact_type == 'json': result['ansible_facts'] = { fact: json.load(result['output']) } else: result['ansible_facts'] = { fact: result['output'] } module.exit_json(**result)
def __init__(self): """General object initializer.""" self.OIDC_DOMAIN = os.environ['OIDC_DOMAIN'] self.OIDC_CLIENT_ID = credstash.getSecret( name="riskheatmap.oidc_client_id", context={'app': 'riskheatmap'}, region="us-east-1" ) self.OIDC_CLIENT_SECRET = credstash.getSecret( name="riskheatmap.oidc_client_secret", context={'app': 'riskheatmap'}, region="us-east-1" ) self.LOGIN_URL = "https://{DOMAIN}/login?client={CLIENT_ID}".format( DOMAIN=self.OIDC_DOMAIN, CLIENT_ID=self.OIDC_CLIENT_ID )
def credstash_getone(name, args): """ Returns one single secret from from credstash table `args.table`. """ if args.verbose: print('fetching your secret from "{table}" '.format(table=args.table)) session_params = credstash.get_session_params(None, None) return credstash.getSecret(name, region=args.region, table=args.table, **session_params)
def get_secret(secret_name, context): """Fetch secret from environment or credstash.""" secret = os.getenv(secret_name.split('.')[1], None) if not secret: secret = credstash.getSecret(name=secret_name, context=context, region="us-west-2") return secret
def get_secret(key, table=None, region='us-east-1'): if table is None: table = 'credential-store' secret = _check_local(key, table, region) if not secret: secret = credstash.getSecret(key, table=table, region=region) _put_local(secret, key, table, region) return secret
def main(): module = AnsibleModule( argument_spec = dict( autoversion = dict(default=False, type='bool'), context = dict(default=None, type='dict'), digest = dict(default='SHA256', type='str'), fact = dict(default=None, type='str'), fact_type = dict(default=None, choices=['yaml','json']), key = dict(default='alias/credstash', type='str'), mode = dict(default='get', choices=['get', 'put']), region = dict(default='us-east-1', type='str'), secret = dict(required=True, type='str'), table = dict(default='credential-store', type='str'), value = dict(default=None, type='str'), version = dict(default='', type='str'), ) ) args_dict = { 'autoversion' : module.params.get('autoversion'), 'context' : module.params.get('context'), 'digest' : module.params.get('digest'), 'fact' : module.params.get('fact'), 'fact_type' : module.params.get('fact_type'), 'credential' : module.params.get('secret'), 'key' : module.params.get('key'), 'mode' : module.params.get('mode'), 'region' : module.params.get('region'), 'table' : module.params.get('table'), 'value' : module.params.get('value'), 'version' : module.params.get('version'), } args = Arguments(args_dict) result = dict(changed=False, failed=False) if module.params.get('mode') == 'put': result['output'] = credstash.putSecretAction(args, args.region) result['changed'] = True try: result['output'] = credstash.getSecret(module.params.get('secret'), module.params.get('version'), \ module.params.get('region'), module.params.get('table'), module.params.get('context')) except credstash.ItemNotFound: module.fail_json(msg="credstash secret not found") if module.params.get('fact') is not None: if module.params.get('fact_type') == 'yaml': result['ansible_facts'] = { module.params.get('fact'): yaml.safe_load(result['output']) } elif module.params.get('fact_type') == 'json': result['ansible_facts'] = { module.params.get('fact'): json.load(result['output']) } else: result['ansible_facts'] = { module.params.get('fact'): result['output'] } module.exit_json(**result)
def __init__(self): """General object initializer.""" self.OIDC_DOMAIN = credstash.getSecret( name="observatory.oidc_domain", context={'app': 'serverless-observatory'}, region="us-east-1") self.OIDC_CLIENT_ID = credstash.getSecret( name="observatory.client_id", context={'app': 'serverless-observatory'}, region="us-east-1") self.OIDC_CLIENT_SECRET = credstash.getSecret( name="observatory.client_secret", context={'app': 'serverless-observatory'}, region="us-east-1") self.LOGIN_URL = "https://{DOMAIN}/login?client={CLIENT_ID}".format( DOMAIN=self.OIDC_DOMAIN, CLIENT_ID=self.OIDC_CLIENT_ID)
def get(self, name): try: value = credstash.getSecret(name, region=region(), table=table()) return value except ItemNotFound: sys.stderr.write( 'cant find credstash value for key "%s"\n' % name) sys.exit(1)
def test_creates_key_on_first_run(self): key_name = run_tiltfile_func( "local_resource_ext/Tiltfile", "credstash_key", mocks={'local_resource': local_resource_integration}, resource_name="my_key", val="my_secret", ) assert credstash.getSecret(key_name) == 'my_secret'
class Config(object): """Defaults for the configuration objects.""" DEBUG = True TESTING = False CSRF_ENABLED = True SECRET_KEY = credstash.getSecret(name="observatory.secret_key", context={'app': 'serverless-observatory'}, region="us-east-1") SERVER_NAME = "serverless-observatory.threatresponse.cloud" SESSION_COOKIE_HTTPONLY = True LOGGER_NAME = "serverless-observatory" TEMPLATES_AUTO_RELOAD = True
def _get_credential(self, key): context = {} if self.env: context['env'] = self.env if self.appid: context['appid'] = self.appid if self.client: context['client'] = self.client secret = getSecret(key, region=DEFAULT_REGION, context=context) return secret
def __getitem__(self, key): """ Enable dict-like access """ if not self._initialized: self._initialize() return credstash.getSecret( key, version=self._version, region=self._region, table=self._table)
class Config(object): """Defaults""" blogger.setLevel(logging.INFO) DEBUG = False TESTING = False SECRET_KEY = credstash.getSecret(name="riskheatmap.secret_key", context={'app': 'riskheatmap'}, region="us-east-1") SERVER_NAME = os.environ['SERVER_NAME'] PERMANENT_SESSION = os.environ['PERMANENT_SESSION'] PERMANENT_SESSION_LIFETIME = int(os.environ['PERMANENT_SESSION_LIFETIME']) SESSION_COOKIE_HTTPONLY = True SESSION_COOKIE_SECURE = False LOGGER_NAME = "riskheatmap"
def query_credstash(self, key, region): """ Query credstash for a specific key in the credstash table as specified by the `credstash_table` config setting. Returns None if no table is configured. :param str key: The key in the credstash table to query. :param str region: The name of the AWS region to query credstash. :return: The value of the credstash key. :rtype: str or None """ table = self.get_region_setting(region, "credstash_table") if table: r = credstash.getSecret(key, region=region, table=table) return r return None
def run(self, terms, variables, **kwargs): if not CREDSTASH_INSTALLED: raise AnsibleError("The credstash lookup plugin requires credstash to be installed.") ret = [] for term in terms: try: val = credstash.getSecret(term, **kwargs) except credstash.ItemNotFound: raise AnsibleError("Key {0} not found".format(term)) except Exception as e: raise AnsibleError("Encountered exception while fetching {0}: {1}".format(term, e.message)) ret.append(val) return ret
def run(self, terms, variables, **kwargs): if not CREDSTASH_INSTALLED: raise AnsibleError( 'The credstash lookup plugin requires credstash to be installed.' ) ret = [] for term in terms: try: val = credstash.getSecret(term, **kwargs) except credstash.ItemNotFound: raise AnsibleError('Key {0} not found'.format(term)) except Exception, e: raise AnsibleError( 'Encountered exception while fetching {0}: {1}'.format( term, e.message)) ret.append(val)
def get_secret(self, name, context): """ Get a secret. First tries to load a secret from the local file, then falls back to credstash. The context is not considered when looking secrets up in the local file. """ secret = self.get_local(name) if secret is None: try: return credstash.getSecret(name, region=self.region, context=context) except credstash.ItemNotFound: raise ItemNotFound(name) else: return secret
def _secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node): """Load secrets and embed it into the configuration YAML.""" secret_path = os.path.dirname(loader.name) while True: secrets = _load_secret_yaml(secret_path) if node.value in secrets: _LOGGER.debug("Secret %s retrieved from secrets.yaml in " "folder %s", node.value, secret_path) return secrets[node.value] if secret_path == os.path.dirname(sys.path[0]): break # sys.path[0] set to config/deps folder by bootstrap secret_path = os.path.dirname(secret_path) if not os.path.exists(secret_path) or len(secret_path) < 5: break # Somehow we got past the .homeassistant config folder if keyring: # do some keyring stuff pwd = keyring.get_password(_SECRET_NAMESPACE, node.value) if pwd: _LOGGER.debug("Secret %s retrieved from keyring", node.value) return pwd global credstash # pylint: disable=invalid-name if credstash: # pylint: disable=no-member try: pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE) if pwd: _LOGGER.debug("Secret %s retrieved from credstash", node.value) return pwd except credstash.ItemNotFound: pass except Exception: # pylint: disable=broad-except # Catch if package installed and no config credstash = None _LOGGER.error("Secret %s not defined", node.value) raise HomeAssistantError(node.value)
def secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node) -> JSON_TYPE: """Load secrets and embed it into the configuration YAML.""" secret_path = os.path.dirname(loader.name) while True: secrets = _load_secret_yaml(secret_path) if node.value in secrets: _LOGGER.debug("Secret %s retrieved from secrets.yaml in " "folder %s", node.value, secret_path) return secrets[node.value] if secret_path == os.path.dirname(sys.path[0]): break # sys.path[0] set to config/deps folder by bootstrap secret_path = os.path.dirname(secret_path) if not os.path.exists(secret_path) or len(secret_path) < 5: break # Somehow we got past the .homeassistant config folder if keyring: # do some keyring stuff pwd = keyring.get_password(_SECRET_NAMESPACE, node.value) if pwd: _LOGGER.debug("Secret %s retrieved from keyring", node.value) return pwd global credstash # pylint: disable=invalid-name if credstash: # pylint: disable=no-member try: pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE) if pwd: _LOGGER.debug("Secret %s retrieved from credstash", node.value) return pwd except credstash.ItemNotFound: pass except Exception: # pylint: disable=broad-except # Catch if package installed and no config credstash = None raise HomeAssistantError("Secret {} not defined".format(node.value))
def run(self, terms, variables, **kwargs): if not CREDSTASH_INSTALLED: raise AnsibleError('The credstash lookup plugin requires credstash to be installed.') ret = [] for term in terms: try: version = kwargs.pop('version', '') region = kwargs.pop('region', None) table = kwargs.pop('table', 'credential-store') val = credstash.getSecret(term, version, region, table, context=kwargs) except credstash.ItemNotFound: raise AnsibleError('Key {0} not found'.format(term)) except Exception as e: raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e.message)) ret.append(val) return ret
def _secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node): """Load secrets and embed it into the configuration YAML.""" secret_path = os.path.dirname(loader.name) while True: secrets = _load_secret_yaml(secret_path) if node.value in secrets: _LOGGER.debug("Secret %s retrieved from secrets.yaml in " "folder %s", node.value, secret_path) return secrets[node.value] if secret_path == os.path.dirname(sys.path[0]): break # sys.path[0] set to config/deps folder by bootstrap secret_path = os.path.dirname(secret_path) if not os.path.exists(secret_path) or len(secret_path) < 5: break # Somehow we got past the .homeassistant config folder if keyring: # do some keyring stuff pwd = keyring.get_password(_SECRET_NAMESPACE, node.value) if pwd: _LOGGER.debug("Secret %s retrieved from keyring", node.value) return pwd if credstash: try: pwd = credstash.getSecret(node.value, table=_SECRET_NAMESPACE) if pwd: _LOGGER.debug("Secret %s retrieved from credstash", node.value) return pwd except credstash.ItemNotFound: pass _LOGGER.error("Secret %s not defined", node.value) raise HomeAssistantError(node.value)
#!/usr/bin/env python import credstash secret_value = credstash.getSecret('secret_key', region='us-west-2', table='credstash-table') print secret_value
def run(args): """Handle credstash script.""" parser = argparse.ArgumentParser( description=("Modify Home Assistant secrets in credstash." "Use the secrets in configuration files with: " "!secret <name>")) parser.add_argument( '--script', choices=['credstash']) parser.add_argument( 'action', choices=['get', 'put', 'del', 'list'], help="Get, put or delete a secret, or list all available secrets") parser.add_argument( 'name', help="Name of the secret", nargs='?', default=None) parser.add_argument( 'value', help="The value to save when putting a secret", nargs='?', default=None) import credstash import botocore args = parser.parse_args(args) table = _SECRET_NAMESPACE try: credstash.listSecrets(table=table) except botocore.errorfactory.ClientError: credstash.createDdbTable(table=table) if args.action == 'list': secrets = [i['name'] for i in credstash.listSecrets(table=table)] deduped_secrets = sorted(set(secrets)) print('Saved secrets:') for secret in deduped_secrets: print(secret) return 0 if args.name is None: parser.print_help() return 1 if args.action == 'put': if args.value: the_secret = args.value else: the_secret = getpass.getpass('Please enter the secret for {}: ' .format(args.name)) current_version = credstash.getHighestVersion(args.name, table=table) credstash.putSecret(args.name, the_secret, version=int(current_version) + 1, table=table) print('Secret {} put successfully'.format(args.name)) elif args.action == 'get': the_secret = credstash.getSecret(args.name, table=table) if the_secret is None: print('Secret {} not found'.format(args.name)) else: print('Secret {}={}'.format(args.name, the_secret)) elif args.action == 'del': credstash.deleteSecrets(args.name, table=table) print('Deleted secret {}'.format(args.name))