A new Python project.

Project description

coreason-vault (The Safe)

The centralized guardian of secrets for the CoReason platform.

coreason-vault manages secrets at rest and in memory, replacing legacy local encryption and unsafe environment variable practices with a robust, centralized Vault-based architecture.

Mission

  • Secure Retrieval: Fetch API keys and database credentials securely from HashiCorp Vault.
  • Key Rotation & Leases: Handle dynamic secrets with lease management.
  • Encryption as a Service (EaaS): Delegate encryption of sensitive user data to Vault's Transit Engine, ensuring the application never handles encryption keys.

Features

  • "The Safe" Philosophy: Application code never sees long-lived credentials or performs its own encryption.
  • Transit Engine Integration: Replaces local crypto.py by offloading encryption/decryption to Vault.
  • Just-in-Time Secrets: Fetches secrets on demand with caching (TTL ~60s) to prevent API hammering.
  • Dynamic Secrets: Supports retrieval of dynamic secrets with lease information.
  • Automated Authentication: Seamlessly handles AppRole (local/VM) and Kubernetes (Prod) authentication with auto-renewal.
  • Resilience: Built-in retries and circuit breaking for Vault connection issues.

Installation

pip install coreason-vault

Usage

from coreason_vault import VaultManager, VaultConfig
from coreason_vault.exceptions import SecretNotFoundError

# 1. Initialize
# Automatically reads configuration from environment variables:
# VAULT_ADDR, VAULT_ROLE_ID/SECRET_ID (or K8S Auth), etc.
config = VaultConfig()
vault = VaultManager(config)

# 2. Fetch Secret (KV Version 2)
try:
    # Fetches from 'secret/data/coreason/services/openai' (mount point defaults to 'secret')
    creds = vault.secrets.get("coreason/services/openai")
    print(f"Using API Key: {creds['api_key'][:4]}...")
except SecretNotFoundError:
    print("Fatal: OpenAI credentials missing")

# 3. Encrypt Sensitive Data (Transit Engine)
# The app never sees the encryption key. Vault handles the cryptography.
ciphertext = vault.cipher.encrypt(
    plaintext="Sensitive Patient Data",
    key_name="patient-data-key",
    context="user_123"  # Optional: Key derivation context for extra security
)
print(f"Stored in DB: {ciphertext}")
# Output example: vault:v1:QmF...

# 4. Decrypt Data
original_plaintext = vault.cipher.decrypt(
    ciphertext=ciphertext,
    key_name="patient-data-key",
    context="user_123"
)
print(f"Decrypted: {original_plaintext}")

Configuration

The library uses pydantic-settings to load configuration from environment variables.

Variable                          Description                               Default
VAULT_ADDR                        Required. The URL of the Vault server.    -
VAULT_NAMESPACE                   The Vault namespace (Enterprise/Cloud).   None
VAULT_ROLE_ID                     AppRole Role ID.                          None
VAULT_SECRET_ID                   AppRole Secret ID.                        None
VAULT_K8S_ROLE                    Kubernetes Role Name (for K8s auth).      None
KUBERNETES_SERVICE_ACCOUNT_TOKEN  K8s SA Token (injected by K8s).           None
VAULT_MOUNT_POINT                 KV v2 Mount Point.                        secret
VAULT_VERIFY_SSL                  Verify SSL certificates.                  True
VAULT_TOKEN_TTL                   Token validation interval in seconds.     60
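An added preflight check, not part of coreason-vault, that applies the contract in the table above before VaultConfig() is constructed: it requires VAULT_ADDR, insists on exactly one auth method, applies the documented defaults and flags settings that weaken transport security. The helper name check_vault_env is hypothetical, and it assumes Kubernetes auth needs both VAULT_K8S_ROLE and the injected service-account token.

```python
from typing import Mapping

# Added preflight check (not part of coreason-vault): it applies the README's
# configuration table (required VAULT_ADDR, AppRole or Kubernetes auth, and the
# defaults 'secret' / True / 60) before VaultConfig() is ever constructed.
_TRUTHY, _FALSY = {"1", "true", "yes", "on"}, {"0", "false", "no", "off"}


def check_vault_env(env: Mapping[str, str]) -> dict:
    """Return resolved settings plus warnings, or raise ValueError on a bad setup."""
    addr = env.get("VAULT_ADDR", "").strip()
    if not addr.startswith(("http://", "https://")):
        raise ValueError("VAULT_ADDR is required and must be an http(s) URL")

    have_role, have_secret = bool(env.get("VAULT_ROLE_ID")), bool(env.get("VAULT_SECRET_ID"))
    if have_role != have_secret:
        raise ValueError("AppRole needs both VAULT_ROLE_ID and VAULT_SECRET_ID")
    approle = have_role and have_secret
    # Assumption: Kubernetes auth needs the role name and the injected SA token.
    k8s = bool(env.get("VAULT_K8S_ROLE")) and bool(env.get("KUBERNETES_SERVICE_ACCOUNT_TOKEN"))
    if approle == k8s:  # both set, or neither set
        raise ValueError("Configure exactly one auth method: AppRole or Kubernetes")

    verify_raw = env.get("VAULT_VERIFY_SSL", "True").strip().lower()
    if verify_raw not in _TRUTHY | _FALSY:
        raise ValueError(f"VAULT_VERIFY_SSL must be a boolean, got {verify_raw!r}")
    verify_ssl = verify_raw in _TRUTHY

    try:
        ttl = int(env.get("VAULT_TOKEN_TTL", "60"))
    except ValueError:
        raise ValueError("VAULT_TOKEN_TTL must be an integer number of seconds") from None
    if ttl <= 0:
        raise ValueError("VAULT_TOKEN_TTL must be positive")

    warnings = []
    if addr.startswith("http://"):
        warnings.append("VAULT_ADDR is plain http: tokens and secrets would travel unencrypted")
    if not verify_ssl:
        warnings.append("VAULT_VERIFY_SSL=False disables certificate checks; local dev only")

    return {
        "addr": addr,
        "auth_method": "approle" if approle else "kubernetes",
        "namespace": env.get("VAULT_NAMESPACE") or None,
        "mount_point": env.get("VAULT_MOUNT_POINT") or "secret",
        "verify_ssl": verify_ssl,
        "token_ttl": ttl,
        "warnings": warnings,
    }
```

Call it with os.environ at process start so a half-configured AppRole or a disabled certificate check is reported before the first secret fetch rather than at the first Vault call.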

License

This software is licensed under the Prosperity Public License 3.0. Commercial use beyond a 30-day trial requires a separate license. See LICENSE for details.

Download files

Source Distribution: coreason_vault-0.3.1.tar.gz (12.4 kB)

Built Distribution: coreason_vault-0.3.1-py3-none-any.whl (17.4 kB, Python 3)

File details

Details for the file coreason_vault-0.3.1.tar.gz.

File metadata

  • Download URL: coreason_vault-0.3.1.tar.gz
  • Size: 12.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for coreason_vault-0.3.1.tar.gz
Algorithm    Hash digest
SHA256       04661d5170c92d84678de6b7dd5e57c2bec2b449ae2009d04741c70b612ad451
MD5          d9cc65e9c0551a0aae25afb15cb91782
BLAKE2b-256  14ee9b442c0d8fceb8ae8589dde6b4fd0dacd732456236fc515b39031ec9104e

Provenance

The following attestation bundles were made for coreason_vault-0.3.1.tar.gz:

Publisher: publish.yml on CoReason-AI/coreason-vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file coreason_vault-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: coreason_vault-0.3.1-py3-none-any.whl
  • Size: 17.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for coreason_vault-0.3.1-py3-none-any.whl
Algorithm    Hash digest
SHA256       4c9c6ea090918a9574433da699cb78bc638e8f246eee2e4d28aa5648f014b42b
MD5          31732fb4c2371743eb8dea79f07d1495
BLAKE2b-256  ab1f027860781eed6a8446aad7738fc0ceb77cbbd0a46b467fc2c3b12ada9043

Provenance

The following attestation bundles were made for coreason_vault-0.3.1-py3-none-any.whl:

Publisher: publish.yml on CoReason-AI/coreason-vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.