Credential Manager

Urgap provides a standardized interface to interact with different secret stores and present the credentials in a standardized fashion.

As of writing this tutorial, Azure Key Vault, Google Cloud Secret Store and classic ENV are supported as secret stores.

Since we have abstracted the interaction with the secret store behind an interface (see urgap.ucredentials.io), other secret stores can be added with ease.

[ ]:
import urgap

Within the urgap home directory, there is a file called credentials_lookup.json.

[ ]:
import json
from pathlib import Path

# Load the lookup file; the context manager closes the file handle.
with open(Path(urgap.home) / "credentials_lookup.json") as fh:
    uc = json.load(fh)
[ ]:
uc

This file points the urgap credential manager to the right secret store from which to extract the credentials. Take, for example, this entry in uc["credentials"]:

{
    'description': 'gcs using libcloud does not need host yet schema+host is used for internal lookups',
    'scheme': 'gcs-libcloud',
    'host': 'gsk-rd-ngs-sbx',
    'user': 'U_GCS_USER',
    'password': 'U_GCS_PASSWORD',
    'secure': True,
    'secret_store': 'env',
    'cloud_host_pid': 'gsk-rd-ngs-sbx'
}

If a URI or connection string has the scheme gcs-libcloud and points to the host gsk-rd-ngs-sbx, then the secret manager will look into the secret_store env and extract the user/login from the variable named U_GCS_USER and the password from the variable named U_GCS_PASSWORD.
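The lookup described above, as an added sketch that is not urgap's own code: it matches a URI's scheme and host against a lookup entry and reads the named variables from the env store, failing closed when an entry or variable is missing. The names resolve_credentials and CredentialLookupError are hypothetical, and only the env store is handled.

```python
import os
from urllib.parse import urlsplit

# Lookup entry in the shape shown above. It holds variable names only,
# never the secret values themselves.
LOOKUP = [
    {
        "scheme": "gcs-libcloud",
        "host": "gsk-rd-ngs-sbx",
        "user": "U_GCS_USER",
        "password": "U_GCS_PASSWORD",
        "secret_store": "env",
    }
]


class CredentialLookupError(LookupError):
    """Hypothetical error: no entry matches or a referenced secret is missing."""


def resolve_credentials(uri, lookup=LOOKUP, environ=None):
    """Return (user, password) for uri by matching scheme + host (hypothetical helper)."""
    environ = os.environ if environ is None else environ
    parts = urlsplit(uri)
    # urlsplit lowercases scheme and hostname, so matching is case-insensitive.
    scheme, host = parts.scheme, parts.hostname
    for entry in lookup:
        if entry["scheme"].lower() == scheme and entry["host"].lower() == host:
            break
    else:
        raise CredentialLookupError(f"no entry for {scheme}://{host}")
    if entry["secret_store"] != "env":
        raise CredentialLookupError(f"unsupported store {entry['secret_store']!r}")
    resolved = {}
    for field in ("user", "password"):
        var_name = entry[field]
        value = environ.get(var_name)
        if not value:
            # Fail closed and name only the variable, never a secret value.
            raise CredentialLookupError(f"variable {var_name} is unset or empty")
        resolved[field] = value
    return resolved["user"], resolved["password"]
```

Passing a dict as environ lets the lookup be exercised without touching the real process environment.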

urgap will initialize a credential manager under urgap.instances.ucredential_manager during init.

We can extract the credentials using the methods .extract_credentials, .get_password or .get_user.

We can also supply more credentials dynamically using the .add_credentials method. For example:

[ ]:
um = urgap.UCredentialManager()
um.add_credentials(
    [
        {
            "base_url": "dog://town",
            "description": "Demo1",
            "scheme": "dog",
            "host": "town",
            "user": "U_DOG_USER",
            "password": "U_DOG_PASSWORD",
            "secure": True,
            "secret_store": "env",
            "cloud_host_pid": "gsk-rd-ngs-sbx",
        }
    ]
)

Let's set those env variables now.

[ ]:
import os

os.environ["U_DOG_USER"] = "d0g-name"
os.environ["U_DOG_PASSWORD"] = "d0g-password"
[ ]:
um.get_password("dog://town")
[ ]:
um.extract_credentials("dog://town")
[ ]:
urgap.ucredentials.io.gcp.IOGCPCreds(
    secret_id="sasa", version_id="L@!#!", project_id="ASda"
)