Auth Token¶
The AuthTokenSecretKeeper
helps you to save the Auth Token or Access Token string to the OCI Vault service.
See API Documentation for more details
Save Credentials¶
AuthTokenSecretKeeper
¶
The AuthTokenSecretKeeper
constructor takes the following parameters:
auth_token
(str): Provide the Auth Token or Access Token string to be storedvault_id
(str): ocid of the vaultkey_id
(str): ocid of the master key used for encrypting the secretcompartment_id
(str, optional): Default is None. ocid of the compartment where the vault is located. This will be defaulted to the compartment of the Notebook session, if used within a OCI Data Science notebook session.
Save¶
The AuthTokenSecretKeeper.save
API serializes and stores the credentials to Vault. It takes following parameters -
name
(str): Name of the secret when saved in the vault.description
(str): Description of the secret when saved in the vault.freeform_tags
(dict, optional): Freeform tags to use when saving the secret in the OCI Console.defined_tags
(dict, optional.): Save the tags under predefined tags in the OCI Console.
The secret has following information:
auth_token
Examples¶
Save Auth Token¶
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper
ads.set_auth('resource_principal') # If using resource principal authentication
ocid_vault = "ocid1.vault...<unique_ID>"
ocid_master_key = "ocid1.key..<unique_ID>"
ocid_mycompartment = "ocid1.compartment..<unique_ID>"
authtoken2 = AuthTokenSecretKeeper(
vault_id=ocid_vault,
key_id=ocid_master_key,
compartment_id=ocid_mycompartment,
auth_token="<your_auth_token>"
).save(
"my_xyz_auth_token2",
"This is my key for git repo xyz",
freeform_tags={"gitrepo":"xyz"}
)
print(authtoken2.secret_id)
You can save the vault details in a file for later reference or using it within your code using export_vault_details
API. The API currently let us export the information as a yaml
file or a json
file.
authtoken2.export_vault_details("my_db_vault_info.json", format="json")
Save as a yaml
File¶
authtoken2.export_vault_details("my_db_vault_info.yaml", format="yaml")
Load Credentials¶
Load¶
The AuthTokenSecretKeeper.load_secret
API deserializes and loads the credentials from Vault. You could use this API in one of the following ways:
Using a with
Statement¶
with AuthTokenSecretKeeper.load_secret('ocid1.vaultsecret..<unique_ID>') as authtoken:
print(authtoken['user_name']
This approach is preferred as the secrets are only available within the code block and it reduces the risk that the variable will be leaked.
Without using a with
Statement¶
authtoken = AuthTokenSecretKeeper.load_secret('ocid1.vaultsecret..<unique_ID>')
authtokendict = authtoken.to_dict()
print(authtokendict['user_name'])
The .load_secret()
takes the following parameters:
auth
: Provide overriding authorization information if the authorization information is different from theads.set_auth
setting.export_env
: Default is False. If set to True, the credentials are exported as environment variable when used withexport_prefix
: The default name for environment variable is user_name, password, service_name, and wallet_location. You can add a prefix to avoid name collisionformat
: Optional. Ifsource
is a file, then this value must bejson
oryaml
depending on the file format.source
: Either the file that was exported fromexport_vault_details
or the OCID of the secretthe
with
operator.
Examples¶
Using a with
Statement¶
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper
ads.set_auth('resource_principal') # If using resource principal authentication
with AuthTokenSecretKeeper.load_secret(source="ocid1.vaultsecret..<unique_ID",
) as authtoken:
import os
print(f"Credentials inside `authtoken` object: {authtoken}")
Credentials inside `authtoken` object: {'auth_token': '<your_auth_token>'}
Export to Environment Variables Using a with
Statement¶
To expose credentials through environment variable, set export_env=True
. The following keys are exported -
Secret attribute |
Environment Variable Name |
---|---|
auth_token |
auth_token |
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper
import os
ads.set_auth('resource_principal') # If using resource principal authentication
with AuthTokenSecretKeeper.load_secret(
source="ocid1.vaultsecret..<unique_ID>",
export_env=True
):
print(os.environ.get("auth_token")) # Prints the auth token
print(os.environ.get("auth_token")) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block
You can avoid name collisions by setting the prefix string using export_prefix
along with export_env=True
. For example, if you set the prefix to kafka
, the exported keys are:
Secret attribute |
Environment Variable Name |
---|---|
auth_token |
kafka.auth_token |
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper
import os
ads.set_auth('resource_principal') # If using resource principal authentication
with AuthTokenSecretKeeper.load_secret(
source="ocid1.vaultsecret..<unique_ID>",
export_env=True,
export_prefix="kafka"
):
print(os.environ.get("kafka.auth_token")) # Prints the auth token
print(os.environ.get("kafka.auth_token")) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block