guillaumeblaquiere / berglas-python

Python library for decrypting Berglas secrets
Apache License 2.0

berglas-python does not manage secrets permissions #3

Closed renato-farias closed 4 years ago

renato-farias commented 5 years ago

Currently berglas-python does not manage secret permissions as Berglas does. Actually, it is a feature to be developed, not properly an issue.

Berglas-Python would be able to grant/revoke permissions programmatically; an example is shown below:

using Berglas

# granting
berglas grant my-bucket/secret --member user:user@mydomain.com

# revoking
berglas revoke my-bucket/secret --member user:user@mydomain.com

using berglas-python

import berglas_python as berglas

# GCP project that owns the bucket (proposed API, not yet implemented)
project_id = 'my-gcp-project'

# granting
berglas.grant(project_id, 'my-bucket/secret', 'user:user@mydomain.com')

# revoking
berglas.revoke(project_id, 'my-bucket/secret', 'user:user@mydomain.com')
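To make concrete what a grant/revoke call in this library would have to do, here is an added example (not code from berglas-python or Berglas, and not part of the original issue). It models the grant/revoke operations on an in-memory GCP-style IAM policy document, the structure returned by get_iam_policy() and written back with set_iam_policy(), so it runs offline. The role name, member strings and etag are assumptions for illustration; the exact roles Berglas grants on the object and the KMS key must be checked against the Berglas documentation before relying on them.

```python
import copy
import re
from typing import Optional

# Role assumed here for read access to a secret object in the bucket (assumption;
# verify the roles Berglas actually grants, on the object and on the KMS key, in its docs).
DEFAULT_SECRET_ROLE = "roles/storage.legacyObjectReader"

# IAM member strings accepted for a secret, e.g. "user:alice@example.com".
# Public principals (allUsers, allAuthenticatedUsers) are deliberately not accepted:
# a secret should never be readable by everyone.
_MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):\S+$")


def is_valid_member(member: str) -> bool:
    """True if member is a well-formed, non-public IAM principal."""
    return bool(_MEMBER_RE.match(member))


def _check_member(member: str) -> None:
    """Reject malformed members early so a typo cannot create a broken binding."""
    if not is_valid_member(member):
        raise ValueError(f"malformed or disallowed IAM member: {member!r}")


def _unconditional_binding(policy: dict, role: str) -> Optional[dict]:
    """Find the binding for role that carries no IAM condition, if any."""
    for binding in policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            return binding
    return None


def grant(policy: dict, member: str, role: str = DEFAULT_SECRET_ROLE) -> dict:
    """Return a copy of policy where member holds role.

    Idempotent: granting twice does not duplicate the member, and the etag is
    carried over unchanged so the caller can still do a compare-and-set write.
    """
    _check_member(member)
    updated = copy.deepcopy(policy)
    updated.setdefault("bindings", [])
    binding = _unconditional_binding(updated, role)
    if binding is None:
        updated["bindings"].append({"role": role, "members": [member]})
    elif member not in binding["members"]:
        binding["members"].append(member)
    return updated


def revoke(policy: dict, member: str, role: str = DEFAULT_SECRET_ROLE) -> dict:
    """Return a copy of policy with member removed from every binding of role.

    Conditional bindings are stripped too, so no access to the secret survives
    the revoke. A binding left with no members is dropped rather than kept as
    a dangling entry.
    """
    _check_member(member)
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    updated["bindings"] = kept
    return updated


def members_of(policy: dict, role: str = DEFAULT_SECRET_ROLE) -> set:
    """Who currently holds role on this object (all bindings, conditional or not)."""
    holders = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == role:
            holders.update(binding["members"])
    return holders


if __name__ == "__main__":
    # Constructed sample policy, shaped like what get_iam_policy() on the secret
    # object would return; the etag value is made up.
    policy = {"etag": "BwXYZ123", "bindings": []}
    policy = grant(policy, "user:user@mydomain.com")
    print(members_of(policy))
    policy = revoke(policy, "user:user@mydomain.com")
    print(policy)
```

In a real implementation the policy would be fetched, modified with these functions, and written back with the original etag so a concurrent change is detected instead of silently overwritten; the audit check is members_of(), run on the fetched policy before and after the write.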
guillaumeblaquiere commented 5 years ago

What do you mean? Is it in relation with your pull request for copying the iam policies?

renato-farias commented 5 years ago

My first description was vague, sorry for that; I just updated the issue description. It is not related to my pull request for copying the IAM policies.

guillaumeblaquiere commented 5 years ago

Thanks for the clarification. What's your use case for this? Why do you need to use it in your Python code? Why can't you use the Berglas executable?

renato-farias commented 5 years ago

I'd like to implement Berglas features in this library so that users can use this library programmatically in their code without invoking a subprocess to call the Berglas binary, of course, only if that is the purpose of this project.

guillaumeblaquiere commented 5 years ago

I never had in mind to rewrite the Berglas project in Python. The main usage is the capability to use encrypted secrets with Berglas in Python code.

For secret management, granting and so on, the Berglas Go executable is the best for this. For reading secrets at runtime in Python, use this lib.

The main issue is to follow the initial product evolution, and I can't commit that I will have time for this.

However, if you have the time and you want to implement these features, you are welcome. I can add you as a collaborator if you go in this way. (You could still submit merge requests for code review if you want, but also push directly.)

renato-farias commented 5 years ago

Hi @guillaumeblaquiere sorry for the delay. I really do accept the invite to be a collaborator.

guillaumeblaquiere commented 5 years ago

Hello. Don't worry about the delay. I added you as a collaborator.