0
# Cloud Secret Management
1
2
Integration with major cloud providers' secret management services including AWS Secrets Manager, Azure Key Vault, and Google Secret Manager. These sources enable secure configuration management in cloud environments with automatic credential handling and secret retrieval.
3
4
## Capabilities
5
6
### AWS Secrets Manager Source
7
8
Load settings from AWS Secrets Manager with support for automatic credential detection and JSON secret parsing.
9
10
```python { .api }
11
class AWSSecretsManagerSettingsSource(EnvSettingsSource):
12
"""Source for AWS Secrets Manager."""
13
14
def __init__(
15
self,
16
settings_cls: type[BaseSettings],
17
aws_secret_name: str | None = None,
18
aws_secret_key: str | None = None,
19
aws_session_token: str | None = None,
20
aws_access_key_id: str | None = None,
21
aws_secret_access_key: str | None = None,
22
aws_region_name: str | None = None,
23
case_sensitive: bool | None = None,
24
env_prefix: str | None = None,
25
env_nested_delimiter: str | None = None,
26
env_nested_max_split: int | None = None,
27
env_ignore_empty: bool | None = None,
28
env_parse_none_str: str | None = None,
29
env_parse_enums: bool | None = None,
30
):
31
"""
32
Initialize AWS Secrets Manager settings source.
33
34
Parameters:
35
- settings_cls: The settings class
36
- aws_secret_name: Name of the secret in AWS Secrets Manager
37
- aws_secret_key: Specific key within the secret (for JSON secrets)
38
- aws_session_token: AWS session token for authentication
39
- aws_access_key_id: AWS access key ID
40
- aws_secret_access_key: AWS secret access key
41
- aws_region_name: AWS region name
42
- case_sensitive: Whether secret keys are case-sensitive
43
- env_prefix: Prefix for secret keys
44
- env_nested_delimiter: Delimiter for nested secret values
45
- env_nested_max_split: Maximum splits for nested values
46
- env_ignore_empty: Whether to ignore empty secret values
47
- env_parse_none_str: String value to parse as None
48
- env_parse_enums: Whether to parse enum field names to values
49
"""
50
```
51
52
### Azure Key Vault Source
53
54
Load settings from Azure Key Vault with support for managed identity authentication and secret versioning.
55
56
```python { .api }
57
class AzureKeyVaultSettingsSource(EnvSettingsSource):
58
"""Source for Azure Key Vault."""
59
60
def __init__(
61
self,
62
settings_cls: type[BaseSettings],
63
azure_key_vault_url: str | None = None,
64
azure_client_id: str | None = None,
65
azure_client_secret: str | None = None,
66
azure_tenant_id: str | None = None,
67
case_sensitive: bool | None = None,
68
env_prefix: str | None = None,
69
env_nested_delimiter: str | None = None,
70
env_nested_max_split: int | None = None,
71
env_ignore_empty: bool | None = None,
72
env_parse_none_str: str | None = None,
73
env_parse_enums: bool | None = None,
74
):
75
"""
76
Initialize Azure Key Vault settings source.
77
78
Parameters:
79
- settings_cls: The settings class
80
- azure_key_vault_url: URL of the Azure Key Vault
81
- azure_client_id: Azure client ID for service principal auth
82
- azure_client_secret: Azure client secret for service principal auth
83
- azure_tenant_id: Azure tenant ID
84
- case_sensitive: Whether secret names are case-sensitive
85
- env_prefix: Prefix for secret names
86
- env_nested_delimiter: Delimiter for nested secret values
87
- env_nested_max_split: Maximum splits for nested values
88
- env_ignore_empty: Whether to ignore empty secret values
89
- env_parse_none_str: String value to parse as None
90
- env_parse_enums: Whether to parse enum field names to values
91
"""
92
93
class AzureKeyVaultMapping(Mapping[str, Optional[str]]):
94
"""Mapping interface for Azure Key Vault secrets."""
95
96
def __init__(
97
self,
98
vault_url: str,
99
credential: Any,
100
case_sensitive: bool = False,
101
env_prefix: str = "",
102
): ...
103
```
104
105
### Google Secret Manager Source
106
107
Load settings from Google Secret Manager with support for service account authentication and project-based secret access.
108
109
```python { .api }
110
class GoogleSecretManagerSettingsSource(EnvSettingsSource):
111
"""Source for Google Secret Manager."""
112
113
def __init__(
114
self,
115
settings_cls: type[BaseSettings],
116
gcp_project_id: str | None = None,
117
gcp_secret_name: str | None = None,
118
gcp_secret_version: str | None = None,
119
case_sensitive: bool | None = None,
120
env_prefix: str | None = None,
121
env_nested_delimiter: str | None = None,
122
env_nested_max_split: int | None = None,
123
env_ignore_empty: bool | None = None,
124
env_parse_none_str: str | None = None,
125
env_parse_enums: bool | None = None,
126
):
127
"""
128
Initialize Google Secret Manager settings source.
129
130
Parameters:
131
- settings_cls: The settings class
132
- gcp_project_id: Google Cloud project ID
133
- gcp_secret_name: Name of the secret in Secret Manager
134
- gcp_secret_version: Version of the secret (defaults to 'latest')
135
- case_sensitive: Whether secret names are case-sensitive
136
- env_prefix: Prefix for secret names
137
- env_nested_delimiter: Delimiter for nested secret values
138
- env_nested_max_split: Maximum splits for nested values
139
- env_ignore_empty: Whether to ignore empty secret values
140
- env_parse_none_str: String value to parse as None
141
- env_parse_enums: Whether to parse enum field names to values
142
"""
143
144
class GoogleSecretManagerMapping(Mapping[str, Optional[str]]):
145
"""Mapping interface for Google Secret Manager secrets."""
146
147
def __init__(
148
self,
149
project_id: str,
150
secret_name: str | None = None,
151
secret_version: str = "latest",
152
case_sensitive: bool = False,
153
env_prefix: str = "",
154
): ...
155
```
156
157
## Usage Examples
158
159
### AWS Secrets Manager Basic Usage
160
161
```python
162
from pydantic_settings import BaseSettings, SettingsConfigDict
163
from pydantic_settings import AWSSecretsManagerSettingsSource
164
165
class AppSettings(BaseSettings):
166
database_url: str
167
api_key: str
168
debug: bool = False
169
170
@classmethod
171
def settings_customise_sources(
172
cls,
173
settings_cls,
174
init_settings,
175
env_settings,
176
dotenv_settings,
177
file_secret_settings,
178
):
179
return (
180
init_settings,
181
AWSSecretsManagerSettingsSource(
182
settings_cls,
183
aws_secret_name="myapp/production/config",
184
aws_region_name="us-east-1"
185
),
186
env_settings,
187
dotenv_settings,
188
file_secret_settings,
189
)
190
191
# Requires boto3 and AWS credentials configured
192
# Secret in AWS: {"database_url": "postgresql://...", "api_key": "secret123"}
193
settings = AppSettings()
194
```
195
196
### AWS Secrets Manager with Specific Key
197
198
```python
199
class DatabaseSettings(BaseSettings):
200
host: str
201
port: int
202
username: str
203
password: str
204
205
@classmethod
206
def settings_customise_sources(
207
cls,
208
settings_cls,
209
init_settings,
210
env_settings,
211
dotenv_settings,
212
file_secret_settings,
213
):
214
return (
215
init_settings,
216
AWSSecretsManagerSettingsSource(
217
settings_cls,
218
aws_secret_name="myapp/database",
219
aws_secret_key="production", # Load from "production" key in JSON
220
aws_region_name="us-west-2"
221
),
222
env_settings,
223
)
224
225
# AWS Secret structure:
226
# {
227
# "production": {
228
# "host": "prod-db.company.com",
229
# "port": 5432,
230
# "username": "app_user",
231
# "password": "secure_password"
232
# },
233
# "staging": { ... }
234
# }
235
settings = DatabaseSettings()
236
```
237
238
### AWS with Custom Credentials
239
240
```python
241
class AppSettings(BaseSettings):
242
api_token: str
243
service_url: str
244
245
@classmethod
246
def settings_customise_sources(
247
cls,
248
settings_cls,
249
init_settings,
250
env_settings,
251
dotenv_settings,
252
file_secret_settings,
253
):
254
return (
255
init_settings,
256
AWSSecretsManagerSettingsSource(
257
settings_cls,
258
aws_secret_name="myapp/api-config",
259
aws_access_key_id="AKIA...",
260
aws_secret_access_key="...",
261
aws_region_name="eu-west-1"
262
),
263
env_settings,
264
)
265
266
settings = AppSettings()
267
```
268
269
### Azure Key Vault Basic Usage
270
271
```python
272
from pydantic_settings import AzureKeyVaultSettingsSource
273
274
class AppSettings(BaseSettings):
275
database_password: str
276
api_key: str
277
encryption_key: str
278
279
@classmethod
280
def settings_customise_sources(
281
cls,
282
settings_cls,
283
init_settings,
284
env_settings,
285
dotenv_settings,
286
file_secret_settings,
287
):
288
return (
289
init_settings,
290
AzureKeyVaultSettingsSource(
291
settings_cls,
292
azure_key_vault_url="https://myapp-vault.vault.azure.net/",
293
azure_tenant_id="12345678-1234-1234-1234-123456789012"
294
),
295
env_settings,
296
)
297
298
# Requires azure-keyvault-secrets and azure-identity packages
299
# Uses DefaultAzureCredential for authentication (managed identity, etc.)
300
settings = AppSettings()
301
```
302
303
### Azure Key Vault with Service Principal
304
305
```python
306
class ProductionSettings(BaseSettings):
307
db_connection_string: str
308
jwt_secret: str
309
310
@classmethod
311
def settings_customise_sources(
312
cls,
313
settings_cls,
314
init_settings,
315
env_settings,
316
dotenv_settings,
317
file_secret_settings,
318
):
319
return (
320
init_settings,
321
AzureKeyVaultSettingsSource(
322
settings_cls,
323
azure_key_vault_url="https://prod-vault.vault.azure.net/",
324
azure_client_id="app-service-principal-id",
325
azure_client_secret="service-principal-secret",
326
azure_tenant_id="company-tenant-id"
327
),
328
env_settings,
329
)
330
331
settings = ProductionSettings()
332
```
333
334
### Google Secret Manager Basic Usage
335
336
```python
337
from pydantic_settings import GoogleSecretManagerSettingsSource
338
339
class AppSettings(BaseSettings):
340
database_url: str
341
api_key: str
342
encryption_key: str
343
344
@classmethod
345
def settings_customise_sources(
346
cls,
347
settings_cls,
348
init_settings,
349
env_settings,
350
dotenv_settings,
351
file_secret_settings,
352
):
353
return (
354
init_settings,
355
GoogleSecretManagerSettingsSource(
356
settings_cls,
357
gcp_project_id="my-gcp-project",
358
gcp_secret_name="myapp-config"
359
),
360
env_settings,
361
)
362
363
# Requires google-cloud-secret-manager package
364
# Uses Application Default Credentials or service account
365
settings = AppSettings()
366
```
367
368
### Google Secret Manager with Specific Version
369
370
```python
371
class AppSettings(BaseSettings):
372
api_key: str
373
database_password: str
374
375
@classmethod
376
def settings_customise_sources(
377
cls,
378
settings_cls,
379
init_settings,
380
env_settings,
381
dotenv_settings,
382
file_secret_settings,
383
):
384
return (
385
init_settings,
386
GoogleSecretManagerSettingsSource(
387
settings_cls,
388
gcp_project_id="production-project",
389
gcp_secret_name="app-secrets",
390
gcp_secret_version="3" # Use specific version instead of 'latest'
391
),
392
env_settings,
393
)
394
395
settings = AppSettings()
396
```
397
398
### Multi-Cloud Configuration
399
400
```python
401
class MultiCloudSettings(BaseSettings):
402
# Different secrets from different providers
403
aws_api_key: str # From AWS Secrets Manager
404
azure_db_password: str # From Azure Key Vault
405
gcp_service_token: str # From Google Secret Manager
406
407
@classmethod
408
def settings_customise_sources(
409
cls,
410
settings_cls,
411
init_settings,
412
env_settings,
413
dotenv_settings,
414
file_secret_settings,
415
):
416
return (
417
init_settings,
418
# AWS for API keys
419
AWSSecretsManagerSettingsSource(
420
settings_cls,
421
aws_secret_name="myapp/aws-config",
422
aws_region_name="us-east-1",
423
env_prefix="aws_"
424
),
425
# Azure for database secrets
426
AzureKeyVaultSettingsSource(
427
settings_cls,
428
azure_key_vault_url="https://db-vault.vault.azure.net/",
429
env_prefix="azure_"
430
),
431
# GCP for service tokens
432
GoogleSecretManagerSettingsSource(
433
settings_cls,
434
gcp_project_id="services-project",
435
gcp_secret_name="service-tokens",
436
env_prefix="gcp_"
437
),
438
env_settings,
439
)
440
441
settings = MultiCloudSettings()
442
```
443
444
### Cloud Secrets with Environment Override
445
446
```python
447
class FlexibleSettings(BaseSettings):
448
database_url: str
449
api_key: str
450
debug: bool = False
451
452
@classmethod
453
def settings_customise_sources(
454
cls,
455
settings_cls,
456
init_settings,
457
env_settings,
458
dotenv_settings,
459
file_secret_settings,
460
):
461
# Environment variables take precedence over cloud secrets
462
return (
463
init_settings,
464
env_settings, # Highest priority
465
AWSSecretsManagerSettingsSource(
466
settings_cls,
467
aws_secret_name="myapp/config",
468
aws_region_name="us-east-1"
469
),
470
dotenv_settings,
471
file_secret_settings,
472
)
473
474
# Can override cloud secrets with environment variables
475
# export DATABASE_URL="postgresql://localhost/dev" # Overrides AWS secret
476
settings = FlexibleSettings()
477
```
478
479
### Error Handling with Cloud Secrets
480
481
```python
482
from pydantic_settings import SettingsError
483
484
class RobustSettings(BaseSettings):
485
api_key: str
486
database_url: str
487
488
@classmethod
489
def settings_customise_sources(
490
cls,
491
settings_cls,
492
init_settings,
493
env_settings,
494
dotenv_settings,
495
file_secret_settings,
496
):
497
return (
498
init_settings,
499
env_settings,
500
# Fallback to local secrets if cloud fails
501
file_secret_settings,
502
dotenv_settings,
503
)
504
505
# Handle cloud provider authentication/access issues
506
try:
507
settings = RobustSettings()
508
except SettingsError as e:
509
print(f"Failed to load settings: {e}")
510
# Fallback to environment variables or local files
511
import os
512
os.environ['API_KEY'] = 'fallback-key'
513
settings = RobustSettings()
514
```