Lightweight API to store/retrieve secrets to/from an encrypted Database
VaultAPI is designed to be extremely lightweight, secure, and easy to use. It provides cutting-edge security features like AES-GCM, Fernet encryption, and rate limiting all out of the box. It also includes transit encryption to ensure that the secrets are encrypted during transit to protect against man-in-the-middle attacks.
Platform Supported
Deployments
Recommendations
- Install
python3.10 or 3.11 - Use a dedicated virtual environment
Install VaultAPI
python -m pip install vaultapiInitiate - IDE
import vaultapi
if __name__ == '__main__':
vaultapi.start()Initiate - CLI
vaultapi startUse
vaultapi --helpfor usage instructions.
Sourcing environment variables from an env file
By default,
VaultAPIwill look for a.envfile in the current working directory.
Mandatory
- APIKEY - API Key for authentication.
- SECRET - Secret access key to encrypt/decrypt the secrets in the Datastore.
Optional (with defaults)
- TRANSIT_KEY_LENGTH - AES key length for transit encryption. Defaults to
32 - TRANSIT_TIME_BUCKET - Interval for which the transit epoch should remain constant. Defaults to
60 - AUTHORIZATION_VALIDITY - Time in seconds for which the authorization header is valid. Defaults to
30 - DATABASE - FilePath to store the secrets' database. Defaults to
secrets.db - HOST - Hostname for the API server. Defaults to
0.0.0.0[OR]localhost - PORT - Port number for the API server. Defaults to
9010 - WORKERS - Number of workers for the uvicorn server. Defaults to
1 - RATE_LIMIT - List of dictionaries with
max_requestsandsecondsto apply as rate limit. Defaults to 5req/2s [AND] 10req/30s
Optional (without defaults)
- LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.
- ALLOWED_ORIGINS - List of origins that should be allowed through CORS.
Optional (UI integration)
- ENABLE_UI - Boolean flag to enable the UI. Defaults to
false - AUTH_DATABASE - FilePath to store the UI authentication database. Defaults to
auth.db - TOTP_TOKEN - Secret token for TOTP authentication in the UI. Can be generated using any TOTP generator app like
Google AuthenticatororAuthy. - UI_LIFETIME - Time in seconds for which the UI session should remain active. Defaults to
900(15 minutes)
Auto generate a SECRET value
This value will be used to encrypt/decrypt the secrets stored in the database.
CLI
vaultapi keygenIDE
from cryptography.fernet import Fernet
print(Fernet.generate_key())| Endpoint | Description | API method | Authorization Header |
|---|---|---|---|
/health |
API health endpoint | GET | N/A |
/get-secret |
Retrieve secrets (comma separated list) | GET | HMAC-SHA512(apikey+timestamp) |
/get-table |
Get ALL the secrets stored in a table | GET | HMAC-SHA512(apikey+timestamp) |
/list-tables |
List all available tables | GET | HMAC-SHA512(apikey+timestamp) |
/create-table |
Create a new table | POST | HMAC-SHA512(apikey+timestamp) |
/put-secret |
Store or update a secret (key-value pairs) | PUT | HMAC-SHA512(apikey+secret+timestamp) |
/delete-secret |
Delete a specific secret | DELETE | HMAC-SHA512(apikey+secret+timestamp) |
/delete-table |
Deletes an existing table | DELETE | HMAC-SHA512(apikey+secret+timestamp) |
/rename-table |
Renames an existing table | PATCH | HMAC-SHA512(apikey+secret+timestamp) |
Clients are available in multiple languages to interact with the API server.
Python: VaultAPI-Client-python
Rust: VaultAPI-Client-rust
Checkout decryptors for on-demand scripts to decrypt the secrets retrieved from the API.
Docstring format: Google
Styling conventions: PEP 8 and isort
Requirement
python -m pip install gitverseUsage
gitverse-release reverse -f release_notes.rst -t 'Release Notes'pre-commit will ensure linting, run pytest, generate runbook & release notes, and validate hyperlinks in ALL
markdown files (including Wiki pages)
Requirement
python -m pip install sphinx==5.1.1 pre-commit recommonmarkUsage
pre-commit run --all-fileshttps://pypi.org/project/VaultAPI/
https://hub.docker.com/r/thevickypedia/vaultapi
https://thevickypedia.github.io/VaultAPI/
Β© Vignesh Rao
Licensed under the MIT License