turtlemonvh/ionic_secrets_storage.py

## ionic_secrets_storage.py
import ionicsdk
import subprocess
import os

"""
Use Ionic to store secrets (e.g. application credentils).
Shows how to merge keys containing different sets of secrets, so an application can be granted access to different sets of secrets, managed by different access policies.
Note that if multiple keys are created with the same external id, the newest will be fetched, which makes secret rotation easier.

Inspired by AWS ParamStore:
https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/

The usual caveats about managing secrets via env vars apply:
https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/

Documentation / sign up: https://dev.ionic.com/sdk/features
Get SDKs: https://dev-dashboard.ionic.com/#/downloads?tenant=5640bb430ea2684423e0655c
Or from PyPi: https://pypi.org/project/ionicsdk/
"""

# Create agent
a = ionicsdk.Agent()

# Create keys to hold passwords
a.createkey({"ionic-external-id": "tvh-pw-a"}, mutableAttributes={"ionic-protected-pw1": "pw1-val", "ionic-protected-pw2": "pw2-val"})
a.createkey({"ionic-external-id": "tvh-pw-b"}, mutableAttributes={"ionic-protected-pw3": "pw3-val", "ionic-protected-pw2": "pw2-val-b"})

# Grab keys
kdata, kquery, kerr = a.getkeys2([], externalkeyids=["tvh-pw-a", "tvh-pw-b"])

# Merge results in order
pwenv = dict((k[16:].upper(),v[0].upper()) for kd in kdata for (k,v) in kd.mutableAttributes.items() if k.startswith("ionic-protected-") )

# Run a command using this environment.
# Update with env vars already in scope.
# Passwords are set as additional environment variables, and are thus in scope for use by applications.
subprocess.run(["env"], env={**os.environ, **pwenv})
	import ionicsdk
	import subprocess
	import os

	"""
	Use Ionic to store secrets (e.g. application credentils).
	Shows how to merge keys containing different sets of secrets, so an application can be granted access to different sets of secrets, managed by different access policies.
	Note that if multiple keys are created with the same external id, the newest will be fetched, which makes secret rotation easier.

	Inspired by AWS ParamStore:
	https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/

	The usual caveats about managing secrets via env vars apply:
	https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/

	Documentation / sign up: https://dev.ionic.com/sdk/features
	Get SDKs: https://dev-dashboard.ionic.com/#/downloads?tenant=5640bb430ea2684423e0655c
	Or from PyPi: https://pypi.org/project/ionicsdk/
	"""

	# Create agent
	a = ionicsdk.Agent()

	# Create keys to hold passwords
	a.createkey({"ionic-external-id": "tvh-pw-a"}, mutableAttributes={"ionic-protected-pw1": "pw1-val", "ionic-protected-pw2": "pw2-val"})
	a.createkey({"ionic-external-id": "tvh-pw-b"}, mutableAttributes={"ionic-protected-pw3": "pw3-val", "ionic-protected-pw2": "pw2-val-b"})

	# Grab keys
	kdata, kquery, kerr = a.getkeys2([], externalkeyids=["tvh-pw-a", "tvh-pw-b"])

	# Merge results in order
	pwenv = dict((k[16:].upper(),v[0].upper()) for kd in kdata for (k,v) in kd.mutableAttributes.items() if k.startswith("ionic-protected-") )

	# Run a command using this environment.
	# Update with env vars already in scope.
	# Passwords are set as additional environment variables, and are thus in scope for use by applications.
	subprocess.run(["env"], env={os.environ, pwenv})