Django SecretsManager

Django SecretsManager is a package that helps you manage the secret values used by Django through variable services.

Installation

pip install django-secrets-manager

Requirements

Python >= 3.6
Django

Required settings for the settings module

AWS_SECRETS_MANAGER_SECRET_NAME (or AWS_SECRET_NAME)
- Secret name of SecretsManager to use
AWS_SECRETS_MANAGER_SECRET_SECTION (or AWS_SECRET_SECTION)
- The key that separates JSON objects by colons.
  ex) In the example below, the "production" item is represented as "sample-project:production".
AWS_SECRETS_MANAGER_REGION_NAME (or AWS_REGION_NAME)
- Region of the SecretsManager service to use
  ex) ap-northeast-2

Secret value setting of AWS SecretsManager

SecretsManager's Secret value uses JSON format in Plaintext.
Here is an example Secret value to use for configuration, and the Secret (Corresponds to AWS_SECRETS_MANAGER_SECRET_NAME in the settings module) is named sample-project-secret

{
  "sample-project(Recommend the name of django project)": {
    "base(If the settings module is a package, submodule names are recommended)": {
      "SECRET_KEY": "DjangoSecretKey"
    },
    "dev": {
      "AWS_S3_BUCKET_NAME": "sample-s3-dev"
    },
    "production": {
      "AWS_S3_BUCKET_NAME": "sample-s3-production"
    }
  }
}

Setting up AWS Credentials for Django to use

Django uses two methods to access the SecretsManager on AWS. The first uses a profile of ~/.aws/credentials in your home folder, and the second uses an environment variable.

1. Using the AWS Credentials Profile

Recommended for use in development environments

Set Profile of IAM User with SecretsManagerReadWrite Permission to ~/.aws/credentials. The following example uses the profile name sample-project-secretsmanager

[sample-project-secretsmanager]
aws_access_key_id = AKI*************
aws_secret_access_key = Mlp********************

Then enter the profile name in AWS_SECRETS_MANAGER_PROFILE (or AWS_PROFILE) of the settings module.

# settings.py
AWS_SECRETS_MANAGER_PROFILE = 'sample-project-secrets-manager'

Or using AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY

# settings.py
AWS_ACCESS_KEY_ID = 'aws-access-key-id'
AWS_SECRET_ACCESS_KEY = 'aws-secret-access-key'

2. Use environment variables

It is recommended to use in distribution or CI / CD environment.

If you set the following values in the environment variable, the contents are used to use the SecretsManager service.

AWS_SECRETS_MANAGER_ACCESS_KEY_ID (or AWS_ACCESS_KEY_ID)
AWS_SECRETS_MANAGER_SECRET_ACCESS_KEY (or AWS_SECRET_ACCESS_KEY)

Using Secrets in Django's Settings Module

First, import the SECRETS instance of the library.
Enter the settings for Django AWS SecretsManager
Use SECRETS as a dictionary to get the secrets you want

Follow the form of the example below

By separating the settings module into packages, it is assumed that there are base and dev submodules.
settings/
    __init__.py
    base.py
    dev.py

## settings/base.py

# 1. Import the SECRETS instance of the library
from django_secrets import SECRETS

# 2. Enter the settings for Django AWS SecretsManager
AWS_SECRETS_MANAGER_SECRET_NAME = 'sample-project-secret'
AWS_SECRETS_MANAGER_PROFILE = 'sample-project-secretsmanager'
AWS_SECRETS_MANAGER_SECRET_SECTION = 'sample-project:base'
AWS_SECRETS_MANAGER_REGION_NAME = 'ap-northeast-2'

# 3. Use SECRETS as a dictionary to get the secrets you want
SECRET_KEY = SECRETS['SECRET_KEY']
SECRET_KEY = SECRETS.get('SECRET_KEY')

## settings/dev.py

# The SECRETS instance is already imported from the base module.
from .base import *

# Use a different secrets section
AWS_SECRETS_MANAGER_SECRET_SECTION = 'sample-project:dev'

# Use SECRETS as a dictionary to get the secrets you want
AWS_STORAGE_BUCKET_NAME = SECRETS['AWS_STORAGE_BUCKET_NAME']
AWS_STORAGE_BUCKET_NAME = SECRETS.get('AWS_STORAGE_BUCKET_NAME', 'default')

Contributing

As an open source project, we welcome contributions.
The code lives on GitHub

LeeHanYeong / django-secrets-manager

readme