hush package

A Python library that helps manage secrets.

Uses the secret management tools (e.g. pass) specified by (internal and external) plugin hooks.

class Hush(namespace=(), *, user=None)[source]

Bases: object

Hush class to constrain context of get_secret() function.

Can be used as an alternative to calling this module’s global get_secret() function directly.

Parameters

  • namespace (Iterable[str]) –

  • user (Optional[str]) –

get_secret(key, namespace=(), *, user=None)[source]

Given a key, retrive a secret.

Note

  • The namespace argument, if provided, will be used to extend the namespace specified when initializing this class.

  • The user argument, if provided, will override the user specified when initializing this class.

Refer to help(hush.get_secret) for more information.

Parameters

  • key (str) –

  • namespace (Iterable[str]) –

  • user (Optional[str]) –

Return type

Optional[str]

get_secret(key, namespace=(), *, user=None)[source]

Given a key, retrieve a secret.

This function attempts to use every secret-retrieving method registered by plugins (internal and external) to obtain the desired secret.

Parameters

  • key (str) – The key that corresponds to the secret we are hoping to retrieve.

  • namespace (Iterable[str]) – The namespace that the secret belongs to (e.g. [“db”, “foobar”]). How this argument is used is specific to the tool being used to store and retrieve secrets (i.e. is specific to each hook implementation).

  • user (Optional[str]) – If this argument is provided, secret retrieving commands are run as user when possible. This option defaults to the value of the HUSH_USER envvar, if defined.

Return type

Optional[str]

Returns

The secret value returned by the first plugin to successfully retrieve the desired secret.

OR

None, if none of the registered plugins were able to retrieve the desired secret.