Auth Token
The AuthTokenSecretKeeper helps you to save the Auth Token or Access Token string to the OCI Vault service.
See API Documentation for more details
Save Credentials
AuthTokenSecretKeeper
The AuthTokenSecretKeeper constructor takes the following parameters:
auth_token (str): Provide the Auth Token or Access Token string to be stored
vault_id (str): ocid of the vault
key_id (str): ocid of the master key used for encrypting the secret
compartment_id (str, optional): Default is None. ocid of the compartment where the vault is located. This will be defaulted to the compartment of the Notebook session, if used within an OCI Data Science notebook session.
Save
The AuthTokenSecretKeeper.save API serializes and stores the credentials to Vault. It takes the following parameters:
name (str): Name of the secret when saved in the vault.
description (str): Description of the secret when saved in the vault.
freeform_tags (dict, optional): Freeform tags to use when saving the secret in the OCI Console.
defined_tags (dict, optional): Save the tags under predefined tags in the OCI Console.
The secret has the following information:
auth_token
Examples
Save Auth Token
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper

ads.set_auth('resource_principal') # If using resource principal authentication

ocid_vault = "ocid1.vault...<unique_ID>"
ocid_master_key = "ocid1.key..<unique_ID>"
ocid_mycompartment = "ocid1.compartment..<unique_ID>"

authtoken2 = AuthTokenSecretKeeper(
    vault_id=ocid_vault,
    key_id=ocid_master_key,
    compartment_id=ocid_mycompartment,
    auth_token="<your_auth_token>"
).save(
    "my_xyz_auth_token2",
    "This is my key for git repo xyz",
    freeform_tags={"gitrepo":"xyz"}
)
print(authtoken2.secret_id)
You can save the vault details in a file, for later reference or for use within your code, using the export_vault_details API. The API currently lets you export the information as a yaml file or a json file.
authtoken2.export_vault_details("my_db_vault_info.json", format="json")
Save as a yaml File
authtoken2.export_vault_details("my_db_vault_info.yaml", format="yaml")
Load Credentials
Load
The AuthTokenSecretKeeper.load_secret API deserializes and loads the credentials from Vault. You could use this API in one of the following ways:
Using a with Statement
with AuthTokenSecretKeeper.load_secret('ocid1.vaultsecret..<unique_ID>') as authtoken:
    # The secret holds a single attribute, auth_token
    print(authtoken['auth_token'])
This approach is preferred as the secrets are only available within the code block and it reduces the risk that the variable will be leaked.
Without using a with Statement
authtoken = AuthTokenSecretKeeper.load_secret('ocid1.vaultsecret..<unique_ID>')
authtokendict = authtoken.to_dict()
# The secret holds a single attribute, auth_token
print(authtokendict['auth_token'])
The .load_secret() takes the following parameters:
auth: Provide overriding authorization information if the authorization information is different from the ads.set_auth setting.
export_env: Default is False. If set to True, the credentials are exported as environment variable when used with the with operator.
export_prefix: The default name for environment variable is user_name, password, service_name, and wallet_location. You can add a prefix to avoid name collision
format: Optional. If source is a file, then this value must be json or yaml depending on the file format.
source: Either the file that was exported from export_vault_details or the OCID of the secret
Examples
Using a with Statement
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper

ads.set_auth('resource_principal') # If using resource principal authentication

with AuthTokenSecretKeeper.load_secret(
    source="ocid1.vaultsecret..<unique_ID>",
) as authtoken:
    print(f"Credentials inside `authtoken` object: {authtoken}")

Credentials inside `authtoken` object: {'auth_token': '<your_auth_token>'}
Export to Environment Variables Using a with Statement
To expose credentials through environment variables, set export_env=True. The following keys are exported:

Secret attribute | Environment Variable Name
---|---
auth_token | auth_token
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper
import os

ads.set_auth('resource_principal') # If using resource principal authentication

with AuthTokenSecretKeeper.load_secret(
    source="ocid1.vaultsecret..<unique_ID>",
    export_env=True
):
    print(os.environ.get("auth_token")) # Prints the auth token

print(os.environ.get("auth_token")) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block
You can avoid name collisions by setting the prefix string using export_prefix along with export_env=True. For example, if you set the prefix to kafka, the exported keys are:

Secret attribute | Environment Variable Name
---|---
auth_token | kafka.auth_token
import ads
from ads.secrets.auth_token import AuthTokenSecretKeeper
import os

ads.set_auth('resource_principal') # If using resource principal authentication

with AuthTokenSecretKeeper.load_secret(
    source="ocid1.vaultsecret..<unique_ID>",
    export_env=True,
    export_prefix="kafka"
):
    print(os.environ.get("kafka.auth_token")) # Prints the auth token

print(os.environ.get("kafka.auth_token")) # Prints nothing. The credentials are cleared from the dictionary outside the ``with`` block
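The scoping of export_env and export_prefix described above, modelled with a stand-in context manager so it runs without OCI access. This is an added example, not ADS code: scoped_env_secret, child_sees, demo and the token value are hypothetical, and restoring a value that was already set is a choice of this stand-in. It also shows that a child process started inside the with block inherits the exported variable, which matters when the block launches other programs.

```python
import os
import subprocess
import sys
from contextlib import contextmanager, suppress

CONSTRUCTED_TOKEN = "example-token-not-real"  # constructed sample value


@contextmanager
def scoped_env_secret(secret, export_prefix=None):
    """Hypothetical stand-in for load_secret(export_env=True): export each
    attribute for the block only, and undo it even if the block raises."""
    names = {k: f"{export_prefix}.{k}" if export_prefix else k for k in secret}
    saved = {env: os.environ.get(env) for env in names.values()}
    try:
        for key, env in names.items():
            os.environ[env] = secret[key]
        yield dict(secret)
    finally:
        for env, old in saved.items():
            if old is None:
                os.environ.pop(env, None)
            else:
                os.environ[env] = old  # put back a value that predated the block


def child_sees(env_name):
    """Return what a freshly started child process reads for env_name."""
    code = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"
    out = subprocess.run([sys.executable, "-c", code, env_name],
                         capture_output=True, text=True, check=True)
    return out.stdout


def demo():
    """Record what is visible inside the block, in a child, and afterwards."""
    seen = {}
    with suppress(RuntimeError):
        with scoped_env_secret({"auth_token": CONSTRUCTED_TOKEN}, "kafka"):
            seen["inside"] = os.environ.get("kafka.auth_token")
            seen["child"] = child_sees("kafka.auth_token")
            raise RuntimeError("simulated failure inside the block")
    seen["after"] = os.environ.get("kafka.auth_token")
    return seen


if __name__ == "__main__":
    print(demo())
```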