GSOC 2020: Secrets Manager

Hello! :grin:

My name is Ashlah.

I also want to participate in Django’s Google Summer of Code. I picked the Secrets Manager topic from Django’s ideas list. I know there are already some topics discussing this, but I think I have a different approach to tackling this problem.

My stance is based on these statements (emphasis is mine):

… and provide secrets per environment - either as environment variables, files, or via a direct HTTP API. The project would be to design and add an abstraction interface over secrets managers that allows users to easily map to an external secret in a settings file. …

… the key thing we need to build and make sure is good, is the design of the API we give to people using Django, as that’s the thing that will be hardest to change later. …

… one thing users struggle with is keeping secrets out of settings files. So if we had a good story (with a nice API) and how you store secrets (in say a file that gets loaded into the environment) without other dependencies then that’s a big win.

The Django Way™ is to put such things in settings, but the whole(?) point of this is to keep values that would go into settings out of it.

My Idea

My idea is to give developers an API through a module-level variable (similar to django.conf.settings), namely secrets, which can be used as a mapping object (similar to os.environ). With this approach, developers can access their secrets anywhere by simply importing the variable and looking up a secret by its key.

from django.conf.secrets import secrets

# Look up a secret by key, like a dict or os.environ
secret_key = secrets['SECRET_KEY']

The source of secrets (files, HTTP API, or any other source) can be defined through the SECRET_BACKENDS setting, which contains a list of configurations for the secret backend classes that will be used.

SECRET_BACKENDS = [
    {
        'BACKEND': 'django.conf.secrets.backends.DotEnvSecret',
        'OPTIONS': {
            'PATH': secrets['DOTENV_PATH'],
        },
    },
    {
        'BACKEND': 'custom_secret_backends.GoogleSecretManager',
        'OPTIONS': {
            'URL': secrets['GOOGLE_SECRETS_URL'],
            'CREDENTIALS': secrets['GOOGLE_SECRETS_CREDENTIALS'],
        },
    },
]
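To make the shape of this API concrete, here is a small prototype of the layered mapping described above. It is an added example, not code from Django or from the linked gist: the class names EnvironmentSecret, DotEnvSecret and Secrets, the `configure()` method and the lookup order are all assumptions. The point it illustrates is the bootstrapping problem visible in the SECRET_BACKENDS snippet, where `secrets['DOTENV_PATH']` is needed before any backend has been configured: the prototype answers such lookups from an environment-variable bootstrap backend until `configure()` installs the listed backends, which are then consulted in list order with the bootstrap as the final fallback.

```python
"""Layered ``secrets`` mapping: a prototype of the idea in this post (added example,
not code from Django or from the linked gist; all names below are assumed)."""
import importlib
import os
import tempfile
from collections.abc import Mapping


class EnvironmentSecret:
    """Bootstrap backend: reads secrets from environment variables (assumed name)."""

    def __init__(self, environ=None):
        self._environ = os.environ if environ is None else environ

    def get(self, key):
        return self._environ[key]

    def keys(self):
        return set(self._environ)


class DotEnvSecret:
    """Backend that parses KEY=VALUE lines from a .env-style file (assumed name)."""

    def __init__(self, path):
        self._values = {}
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # skip blanks, comments and malformed lines
                key, _, value = line.partition("=")
                self._values[key.strip()] = value.strip().strip("'\"")

    def get(self, key):
        return self._values[key]

    def keys(self):
        return set(self._values)


class Secrets(Mapping):
    """Read-only mapping over an ordered list of backends.

    Until ``configure()`` is called only the bootstrap backend answers, so a
    settings module can write ``secrets['DOTENV_PATH']`` while building
    SECRET_BACKENDS without a circular dependency.  Afterwards the configured
    backends are consulted in list order and the bootstrap backend last.
    """

    def __init__(self, bootstrap):
        self._bootstrap = bootstrap
        self._backends = []

    def configure(self, secret_backends):
        built = []
        for entry in secret_backends:
            cls = entry["BACKEND"]
            if isinstance(cls, str):  # dotted path, as in the post's settings
                module, _, name = cls.rpartition(".")
                cls = getattr(importlib.import_module(module), name)
            options = {k.lower(): v for k, v in entry.get("OPTIONS", {}).items()}
            built.append(cls(**options))
        self._backends = built

    def _chain(self):
        return [*self._backends, self._bootstrap]

    def __getitem__(self, key):
        for backend in self._chain():
            try:
                return backend.get(key)
            except KeyError:
                continue
        raise KeyError(key)

    def __iter__(self):
        names = set()
        for backend in self._chain():
            names |= backend.keys()
        return iter(names)

    def __len__(self):
        return len(list(iter(self)))


def demo():
    """Constructed end-to-end run: a fake environment plus a temporary .env file."""
    with tempfile.TemporaryDirectory() as tmp:
        env_path = os.path.join(tmp, ".env")
        with open(env_path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample .env\nSECRET_KEY='dotenv-key'\nDB_PASSWORD=p@ss\n")
        fake_environ = {"DOTENV_PATH": env_path, "SECRET_KEY": "env-key"}
        secrets = Secrets(bootstrap=EnvironmentSecret(fake_environ))
        # What settings.py would do: only the bootstrap backend is active here.
        secret_backends = [
            {"BACKEND": DotEnvSecret, "OPTIONS": {"PATH": secrets["DOTENV_PATH"]}},
        ]
        secrets.configure(secret_backends)
        return {
            "SECRET_KEY": secrets["SECRET_KEY"],    # .env shadows the environment
            "DB_PASSWORD": secrets["DB_PASSWORD"],
            "DOTENV_PATH": secrets["DOTENV_PATH"],  # falls back to the environment
            "has_missing": "MISSING" in secrets,
            "count": len(secrets),
        }
```

Because Secrets is read-only and never copies values into settings, the secret values stay out of the settings module itself; only the backend configuration lives there. The precedence rule (configured backends first, environment last) is one possible choice and would need to be fixed in the API design, since whichever order is picked will be hard to change later.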

The details of my idea can be found here: https://gist.github.com/hashlash/8b8988a19c7167b1b352c3284cda951f

If you have any feedback, I would love to hear it :heart:. I really appreciate it.

Cheers,
Ashlah