waft.configuration.secrets_manager.secrets_api module

High-Level Secrets API

Provides simple, intuitive APIs for common secret management operations. Builds on the existing secrets manager infrastructure.

class waft.configuration.secrets_manager.secrets_api.SecretsAPI(provider: str | None = None, vault_name: str | None = None, client: SecretsManagerClient | None = None)

Bases: object

High-level API for secret management operations.

read_secret(secret_name: str, path: str | None = None) → str

Read a secret value from the provider.

Parameters:
  • secret_name – Name of the secret to retrieve

  • path – Optional path (for future provider compatibility)

Returns:

The secret value as a string

Raises:

RuntimeError – If the operation fails

save_secret_to_file(secret_name: str, output_file: Path, path: str | None = None, permissions: int = 384) → None

Save a secret to a file.

Parameters:
  • secret_name – Name of the secret to retrieve

  • output_file – Path to save the secret to

  • path – Optional path (for future provider compatibility)

  • permissions – File permissions for the output file (default: 0o600, which the signature shows as decimal 384; owner read/write only)

Raises:

RuntimeError – If the operation fails

setup_ssh_key(secret_name: str, key_file: Path, path: str | None = None) → None

Set up an SSH key from a secret provider.

This is a convenience method that’s equivalent to save_secret_to_file with SSH key permissions.

Parameters:
  • secret_name – Name of the SSH key secret

  • key_file – Path to save the SSH key

  • path – Optional path (for future provider compatibility)

Raises:

RuntimeError – If the operation fails
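
Added example, not waft's own code: the permissions contract that save_secret_to_file and setup_ssh_key document (mode 0o600) can be met at file creation rather than by a later chmod, and then audited after the call. write_secret_file and audit_secret_file are hypothetical helper names; a POSIX system is assumed.

```python
import os
import stat
from pathlib import Path


def write_secret_file(value: str, output_file: Path, permissions: int = 0o600) -> None:
    """Hypothetical helper: create output_file with `permissions` from the start."""
    # O_EXCL refuses to reuse an existing file or symlink at the target path,
    # so a pre-planted file with looser permissions is never written into.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(output_file, flags, permissions)
    try:
        # The creation mode is permissions & ~umask, never looser than requested;
        # fchmod restores any requested bits the umask stripped.
        os.fchmod(fd, permissions)
        data = value.encode()
        while data:  # os.write may write fewer bytes than asked
            data = data[os.write(fd, data):]
    finally:
        os.close(fd)


def audit_secret_file(path: Path, expected: int = 0o600) -> list[str]:
    """Hypothetical check: return findings; an empty list means the file passes."""
    st = os.lstat(path)  # lstat so a symlink is reported, not followed
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~expected:
        findings.append(f"mode {mode:o} grants bits beyond {expected:o}")
    if st.st_uid != os.geteuid():
        findings.append("not owned by the current user")
    return findings


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "id_ed25519"
        write_secret_file("constructed-sample-key\n", key)  # constructed value
        print(audit_secret_file(key))  # findings for a freshly written key
        os.chmod(key, 0o644)  # simulate a key left group/world readable
        print(audit_secret_file(key))
```

audit_secret_file can be run against the path passed as output_file or key_file after the API call returns, for example in a deployment check.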