Add AWS SettingsManager support #175

Open
3 of 13 tasks
rishacha opened this issue Oct 6, 2023 · 2 comments

Comments

@rishacha

rishacha commented Oct 6, 2023

Initial Checks

  • I have searched Google & GitHub for similar requests and couldn't find anything
  • I have read and followed the docs and still think this feature is missing

Description

Can we add support for AWS Secrets Manager as a new pydantic source?
I have an idea of how to implement a custom source by looking at sources.py.

Affected Components

@samuelcolvin
Member

Sounds good to me 👍 PR welcome.

It should be fairly easy to copy other sources.

Is there good documentation on the AWS side?

@rishacha
Author

rishacha commented Oct 8, 2023

There are 2 ways to retrieve secrets for Python.

  1. Using the AWS SDK - i.e. boto3. So I will refer to the simpler boto3 client and this for the implementation.

  2. Using an LRU Cache based package - aws-secretsmanager-caching
    From their documentation -

When you retrieve a secret, you can use the Secrets Manager Python-based caching component to cache it for future use. Retrieving a cached secret is faster than retrieving it from Secrets Manager. Because there is a cost for calling Secrets Manager APIs, using a cache can reduce your costs. For all of the ways you can retrieve secrets, see Retrieve secrets.

The cache policy is Least Recently Used (LRU), so when the cache must discard a secret, it discards the least recently used secret. By default, the cache refreshes secrets every hour. You can configure how often the secret is refreshed in the cache, and you can hook into the secret retrieval to add more functionality.

The cache does not force garbage collection once cache references are freed. The cache implementation does not include cache invalidation. The cache implementation is focused around the cache itself, and is not security hardened or focused. If you require additional security such as encrypting items in the cache, use the interfaces and abstract methods provided.

Here, pydantic-settings would store it in memory instead of a cache, using the settings object, which is an instantiation of the Settings() class. However, I had a doubt regarding this.

So should I use the AWS SDK to connect with the secret manager client or assume this cache-based method?

@samuelcolvin - Need some clarity on the approach. Thanks.
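
The trade-off raised in the comment above (load once into the settings object versus a cache that refreshes hourly), as an added example that is not part of the original thread or of pydantic-settings: a loader that reads a JSON `SecretString` through an injected client and shows what each choice returns after a secret rotation. `SecretsManagerSource`, `StubClient`, the secret name `app/config` and the JSON-object secret layout are assumptions; the stub stands in for a boto3 Secrets Manager client so the block runs offline.

```python
import json
import time

class SecretsManagerSource:
    """Callable shaped like a settings source: returns a dict of field values."""
    def __init__(self, client, secret_id, ttl_seconds=None, clock=time.monotonic):
        self._client = client        # needs get_secret_value(SecretId=...), as boto3 has
        self._secret_id = secret_id
        self._ttl = ttl_seconds      # None: fetch once and keep for the process lifetime
        self._clock = clock
        self._values = None
        self._fetched_at = 0.0

    def _stale(self):
        if self._values is None:
            return True
        return self._ttl is not None and self._clock() - self._fetched_at >= self._ttl

    def __call__(self):
        if self._stale():
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            raw = resp.get("SecretString")
            if raw is None:
                raise ValueError("no SecretString in response (binary secret not handled)")
            data = json.loads(raw)
            if not isinstance(data, dict):
                raise ValueError("SecretString must be a JSON object")
            self._values, self._fetched_at = data, self._clock()
        return dict(self._values)    # copy, so callers cannot mutate the held values

class StubClient:
    """Constructed stand-in for a boto3 Secrets Manager client; counts API calls."""
    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}

def demo():
    """Rotate the secret after the first read, then read again one hour later."""
    now = [0.0]
    client = StubClient('{"db_password": "old"}')   # constructed sample secret
    once = SecretsManagerSource(client, "app/config")
    hourly = SecretsManagerSource(client, "app/config", ttl_seconds=3600, clock=lambda: now[0])
    once()
    hourly()
    client.secret_string = '{"db_password": "new"}'  # rotation on the AWS side
    now[0] = 3600.0
    return once()["db_password"], hourly()["db_password"], client.calls
```

With a real client, `boto3.client("secretsmanager")` would replace `StubClient`; the fetch-once instance keeps serving the pre-rotation value until the process restarts.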
