infisical / infisical-python Goto Github PK

31.0 4.0 7.0 95 KB

♾ Official Infisical SDK for Python

License: MIT License

Python 99.37% Shell 0.63%

python python-types python3 end-to-end-encryption environment-variables open-source secret-management secrets security

infisical-python's Introduction

The open-source secret management platform: Sync secrets/configs across your team/infrastructure and prevent secret leaks.

Slack | Infisical Cloud | Self-Hosting | Docs | Website | Hiring (Remote/SF)

Introduction

Infisical is the open source secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.

We're on a mission to make secret management more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.

Features

User-friendly dashboard to manage secrets across projects and environments (e.g. development, production, etc.).
Client SDKs to fetch secrets for your apps and infrastructure on demand.
Infisical CLI to fetch and inject secrets into any framework in local development and CI/CD.
Infisical API to perform CRUD operation on secrets, users, projects, and any other resource in Infisical.
Native integrations with platforms like GitHub, Vercel, AWS, and tools like Terraform, Ansible, and more.
Infisical Kubernetes operator to managed secrets in k8s, automatically reload deployments, and more.
Infisical Agent to inject secrets into your applications without modifying any code logic.
Self-hosting and on-prem to get complete control over your data.
Secret versioning and Point-in-Time Recovery to version every secret and project state.
Audit logs to record every action taken in a project.
Role-based Access Controls to create permission sets on any resource in Infisica and assign those to user or machine identities.
Simple on-premise deployments to AWS, Digital Ocean, and more.
Secret Scanning and Leak Prevention to prevent secrets from leaking to git.

And much more.

Getting started

Check out the Quickstart Guides

Use Infisical Cloud	Deploy Infisical on premise
The fastest and most reliable way to get started with Infisical is signing up for free to Infisical Cloud.	View all deployment options

Run Infisical locally

To set up and run Infisical locally, make sure you have Git and Docker installed on your system. Then run the command for your system:

Linux/macOS:

git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.prod.yml up

Windows Command Prompt:

git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.prod.yml up

Create an account at http://localhost:80

Scan and prevent secret leaks

On top managing secrets with Infisical, you can also scan for over 140+ secret types in your files, directories and git repositories.

To scan your full git history, run:

infisical scan --verbose

Install pre commit hook to scan each commit before you push to your repository

infisical scan install --pre-commit-hook

Lean about Infisical's code scanning feature here

Open-source vs. paid

This repo available under the MIT expat license, with the exception of the ee directory which will contain premium enterprise features requiring a Infisical license.

If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at our website or book a meeting with us:

Security

Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!

Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address [email protected]. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.

Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.

Contributing

Whether it's big or small, we love contributions. Check out our guide to see how to get started.

Not sure where to get started? You can:

Join our Slack, and ask us any questions there.
Join our community calls every Wednesday at 11am EST to ask any questions, provide feedback, hangout and more.

Resources

Docs for comprehensive documentation and guides
Slack for discussion with the community and Infisical team.
GitHub for code, issues, and pull requests
Twitter for fast news
YouTube for videos on secret management
Blog for secret management insights, articles, tutorials, and updates
Roadmap for planned features

Acknowledgements

infisical-python's People

Contributors

Stargazers

Watchers

Forkers

micahjackson vmatsiiako aspatari astropilot ahn1305 philipk19238 sweetspot-ai

infisical-python's Issues

`get_secret` not falling back to `os.environ`

According to the README

"By default, get_secret() fetches and returns a personal secret. If not found, it returns a shared secret, or tries to retrieve the value from os.environ."

In my local environment, I have a variable set:

local

INFISICAL_TEST_VAR=infisical-dev-value

In my development env on Infisical, INFISICAL_TEST_VAR is not set.

I would expect client.get_secret("INFISICAL_TEST_VAR") to fall back to my local env's value, but that does not happen:

Looking at the code, I see a call to get_fallback_secret()
https://github.com/Infisical/infisical-python/blob/main/infisical/helpers/client.py#L106
However, it looks like it is set to return None, as I'm experiencing:
https://github.com/Infisical/infisical-python/blob/main/infisical/services/secret_service.py#L50-L56

There do not appear to be any tests to check this fallback behavior.

Thanks for your help.

ValueErrors raised for empty secrets even if stored value is intentionally empty

https://github.com/Astropilot/infisical-python/blob/1cefa5307fc96d97313fd4745c524315b12e823a/infisical/utils/crypto.py#L149

Folders not supported

If you run

from infisical import InfisicalClient
client = InfisicalClient(token="servicetokengoeshere")
client.get_all_secrets()

Only secrets at the root seem to show up. Even using client.get_all_secrets(path='/myfolder) still seems to only show items at the root

Migrate to pydantic v2

The infisical python sdk is still using pydantic v1 even though v2 came out months ago.

The migrate and auto-migrate instructions are here: https://docs.pydantic.dev/latest/migration/

Remove py3.7 support

Py3.7 entered EOL status last month.

Source: https://devguide.python.org/versions/

How do periodic updates work?

How does my server get the new api key when:

I update it on infisical
I don't restart my server

[Importance: Serious] get_all_secrets call failing to respect `path=` settings to return data

Consider this set of Infisical secrets with the following layout (where directories are defined as 'headings' here, and key-value pairs represent secrets stored in the system), and using only one environment (the "Development" / "dev" environment) for a secrets 'keyring', and querying with the client using a corresponding access token that is for this project and environment:

/:
TEST1="Test1"
TEST2="Test2"
TEST3="0123456789ABCDEF"

/redis:
SERVER="localhost"

/redis/auth:
PASSWORD="ThisIsntARealCode"

When attempting to use get_all_secrets on any path, the system only returns all secrets in the root path, and does NOT respect any provided path.

When calling the client.get_all_secrets(environment="dev") we get the first set of secrets as SecretsBundle objects, as expected. It only returns however the data in / and not subfolders.

However, when we amend this request to try and pull a specific path, this does not happen. Instead, only root path items are returned, in violation of the documentation provided.

So, instead of getting something like this for the client.get_all_secrets(environment="dev", path="/redis/auth") request (command line representation of the result used here):

[SecretBundle(secret_name='PASSWORD', secret_value='ThisIsntARealCode', version=1, workspace='RandomHexValue', environment='dev', type='shared', created_at=None, updated_at=None, is_fallback=False, last_fetched_at=datetime.datetime(2023, 8, 26, 21, 22, 23, 855329))]

... we instead only get the output of the base directory at / which looks more like this:

[SecretBundle(secret_name='TEST1', secret_value='Test1', version=1, workspace='RandomHexValue', environment='dev', type='shared', created_at=None, updated_at=None, is_fallback=False, last_fetched_at=datetime.datetime(2023, 8, 26, 21, 21, 25, 490966)), SecretBundle(secret_name='TEST2', secret_value='Test2', version=1, workspace='RandomHexValue', environment='dev', type='shared', created_at=None, updated_at=None, is_fallback=False, last_fetched_at=datetime.datetime(2023, 8, 26, 21, 21, 25, 491557)), SecretBundle(secret_name='TEST3', secret_value='0123456789ABCDEF', version=1, workspace='RandomHexValue', environment='dev', type='shared', created_at=None, updated_at=None, is_fallback=False, last_fetched_at=datetime.datetime(2023, 8, 26, 21, 21, 25, 492098))]

... which is NOT the proper data to be displayed for that directory path.

Therefore, based on this text, the latest version of infisical-python on PyPI, and the Infisical Cloud instance I am using at the Free tier (this is NOT self-hosted), there is a major bug in the infisical-python code that prevents an advertised function and functionality from properly functioning as advertised.