I still use Fabric for some deployment and systems administration tasks. Passing secrets or credentials is commonly part of those tasks, and it brings up some issues that have been on my mind for quite a long time:
- Fabric's configuration file fabfile.py is under version control
- credentials must be kept out of version control
- credentials must not be stored in plain text on any computer
Setting environment variables is commonly required when dealing with AWS.
Duplicity (my backup tool of choice) makes use of them, especially when using the Amazon S3 backend.
The affected variables are
PASSPHRASE (for symmetric encryption via GPG).
So the goal was to keep those credentials out of version control, retrieve them from the system keyring service and set the environment variables before command execution.
A simple backup task
This simple task creates a backup with duplicity using its S3 backend:
The task makes use of a custom context manager, duplicity_env, which is explained below.
Context Managers to the Rescue!
Context managers for use with Python's with statement are one of my favorite Fabric features.
The with statement ensures that a specific setup and teardown block runs, regardless of whether the wrapped block fails or not. Classes only need to implement
As Fabric already ships with its own context manager for setting environment variables (called shell_env), I decided to wrap its (internal) _setenv method instead of implementing the context manager as a class.
The Python keyring library gives easy access to the system keyring service.
It works well with OS X Keychain and GNOME Keyring, and it should also work with the Windows Credential Vault (untested by me).
The code above defines a dictionary, to_env, that maps keychain identifiers to environment variables.
If the keyring does not contain an entry, it gives some hints on how to add it.
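The following is an added example of that pattern, not the post's own fabfile code: a to_env style mapping, a lookup through keyring.get_password with a hint when an entry is missing, and a context manager that exports the variables only for the duration of a block. The service name "duplicity" and the account identifiers are assumed values, and the context manager exports into the local os.environ as a stand-in for Fabric's shell_env.

```python
import os
from contextlib import contextmanager

try:
    import keyring  # backend for OS X Keychain, GNOME Keyring, Windows vault
except ImportError:  # stay importable when the library is absent
    keyring = None

SERVICE = "duplicity"  # assumed keyring service name ("Where" in Keychain)
# Keyring account names ("Account" in Keychain) -> environment variable.
# The identifiers on the left are assumed, not the post's own.
TO_ENV = {
    "aws-access-key-id": "AWS_ACCESS_KEY_ID",
    "aws-secret-access-key": "AWS_SECRET_ACCESS_KEY",
    "passphrase": "PASSPHRASE",
}

def env_from_keyring(to_env, get_password=None, service=SERVICE):
    """Return {ENV_VAR: secret} for every identifier in to_env.
    get_password(service, account) defaults to keyring.get_password; tests
    pass a fake. A missing entry raises KeyError with a hint to add it."""
    if get_password is None:
        if keyring is None:
            raise RuntimeError("the python keyring library is not installed")
        get_password = keyring.get_password
    env = {}
    for account, var in to_env.items():
        secret = get_password(service, account)
        if secret is None:  # keyring returns None for unknown entries
            raise KeyError("no keyring entry for %r; add it with: "
                           "keyring set %s %s" % (account, service, account))
        env[var] = secret
    return env

@contextmanager
def duplicity_env(to_env=TO_ENV, get_password=None):
    """Export the secrets for the block only, then restore the old values.
    Stand-in for Fabric's shell_env: this exports into the local os.environ
    so a local duplicity call (or a test) sees them; nothing touches disk."""
    new = env_from_keyring(to_env, get_password)
    saved = {var: os.environ.get(var) for var in new}
    os.environ.update(new)
    try:
        yield new
    finally:  # teardown runs whether or not the backup command raised
        for var, old in saved.items():
            if old is None:
                os.environ.pop(var, None)
            else:
                os.environ[var] = old
```

Inside a fabfile the same lookup would feed Fabric's shell_env (or its _setenv) so the variables reach the remote command rather than the local process.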
OS X Keychain
The keyring library wraps OS X keychain entries like this:
- Field Name is the display name and can be changed
- Field Account matches username, the second argument of
- Field Where matches servicename, the first argument of
OS X may also bring up a popup to ask for keychain access.