Nov. 26, 2025

Django and password manager SDKs

In my current project, I'm going to be storing a fair number of different API credentials: first those that we own, and then plenty of OAuth credentials from our customers. Today I am pondering the first scenario and wondering how I can store these securely and with the principle of least privilege.

Currently I'm using django-allauth's socialaccount models to store these details. It's a nice abstraction, and I can add relationships from my models to the models allauth provides to dynamically select the appropriate credentials I need to access the relevant API. However, the secrets are stored in plain CharFields and are accessible from the admin. That's fine for now, but soon that's not going to fly.

I could store these as environment variables, but this goes against the current dynamic design of holding configuration in the database, which allows me to switch API clients and tokens without a code deploy. Last night I was listening to a 1Password advert about their SDK, which goes beyond a CLI interface and allows developers to interact with their platform directly. Bitwarden (my password manager of choice) also has this capability, and this got me wondering: what would Django integration with these providers look like?

Off the top of my head there are a few possible integration points. The first is via settings, where we could dynamically allow Django access to a secret or set of secrets and then only have to store a single access credential outside of the manager; this is useful, but not aligned with the design above. The other two integration points would be having either a SecretManager model or a SecretField. The model would provide a local proxy to interact with secrets (e.g. to store extra metadata, or to be related to from other models), while certain fields (SecretField etc.) would call out to the SDK to retrieve secrets, usernames or other details stored in the secure vault. The SecretField implementation is the smaller of the two and could be added to other normal models: the local database stores only the reference to the secret and then provides access to the secret via the SDK.

The interesting design here would be providing a Python API that allows a developer to choose a secrets backend for this model or field. I have listed two above, but I know the larger cloud providers have services like this, HashiCorp has Vault, Kubernetes likely has something as well, and there should probably be an option to fall back to a file or environment variables.
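As an added example (my own illustration, not code from this post, django-allauth, Bitwarden or 1Password), here is the backend-agnostic core that a SecretField of the kind described above could wrap, with the pluggable backend choice from the previous paragraph. The database column holds only a reference such as `vault://acme/api-token` or `env://DEMO_API_KEY`; a resolver maps the URI scheme to a registered backend and fetches the secret on access, so the admin and any model `__repr__` only ever see the reference. The URI scheme, the backend class names and the `InMemoryVault` (standing in for a real SDK client) are all assumptions, and the sample secrets are constructed; it runs without Django installed.

```python
"""Reference-only secret storage with pluggable backends (added example, not from the post)."""
import os
import tempfile
from pathlib import Path
from typing import Protocol


class SecretBackend(Protocol):
    """Interface every backend implements; a real one wraps a vendor SDK client."""

    def get(self, key: str) -> str: ...


class EnvBackend:
    """Fallback backend: 'env://NAME' resolves to the process environment."""

    def get(self, key: str) -> str:
        try:
            return os.environ[key]
        except KeyError:
            raise LookupError(f"environment variable {key!r} is not set") from None


class FileBackend:
    """Fallback backend: 'file:///path' reads a mounted secret file (trailing newline stripped)."""

    def get(self, key: str) -> str:
        path = Path(key)
        if not path.is_file():
            raise LookupError(f"secret file {key!r} not found")
        return path.read_text(encoding="utf-8").rstrip("\n")


class InMemoryVault:
    """Stand-in for a password-manager SDK client (Bitwarden, 1Password, Vault, ...).
    A real backend would make the SDK call inside get(); this one serves a constructed dict."""

    def __init__(self, items: dict):
        self._items = dict(items)

    def get(self, key: str) -> str:
        try:
            return self._items[key]
        except KeyError:
            raise LookupError(f"vault item {key!r} not found") from None


class SecretResolver:
    """Registry mapping a URI scheme to a backend. A Django SecretField would store
    only the reference string in its column and call resolve() when the value is used."""

    def __init__(self):
        self._backends = {}

    def register(self, scheme: str, backend) -> None:
        self._backends[scheme] = backend

    def resolve(self, reference: str) -> str:
        scheme, sep, key = reference.partition("://")
        if not sep or not scheme or not key:
            raise ValueError(f"malformed secret reference {reference!r}")
        try:
            backend = self._backends[scheme]
        except KeyError:
            raise LookupError(f"no backend registered for scheme {scheme!r}") from None
        return backend.get(key)


class SecretValue:
    """What a SecretField would hand back: the reference is visible (safe for the admin
    or logs), the secret itself is available only through an explicit reveal()."""

    def __init__(self, resolver: SecretResolver, reference: str):
        self._resolver = resolver
        self.reference = reference

    def reveal(self) -> str:
        return self._resolver.resolve(self.reference)

    def __repr__(self) -> str:
        return f"SecretValue({self.reference!r}, value=***)"

    __str__ = __repr__


def demo() -> dict:
    """Wire up three backends and resolve one reference through each (constructed data)."""
    os.environ["DEMO_API_KEY"] = "env-key-123"  # constructed sample secret
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "db_password"
        secret_file.write_text("file-secret-789\n", encoding="utf-8")  # constructed sample
        resolver = SecretResolver()
        resolver.register("env", EnvBackend())
        resolver.register("file", FileBackend())
        resolver.register("vault", InMemoryVault({"acme/api-token": "vault-token-456"}))
        vault_ref = SecretValue(resolver, "vault://acme/api-token")
        return {
            "env": SecretValue(resolver, "env://DEMO_API_KEY").reveal(),
            "file": SecretValue(resolver, f"file://{secret_file}").reveal(),
            "vault": vault_ref.reveal(),
            "repr": repr(vault_ref),
        }


if __name__ == "__main__":
    print(demo())
```

In a real field implementation the column type stays a plain CharField holding the reference, and `from_db_value` (or a descriptor on the model) returns a `SecretValue`, so the admin list and change pages display only `vault://...`. The least-privilege payoff is that the application process needs just one SDK credential, scoped to the vault items it actually resolves, instead of every API secret sitting in the database.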

I would be interested to hear of similar work or packages if they exist! (A quick search on django packages reveals at least one package.)