thevickypedia/VaultAPI

VaultAPI

Lightweight API to store/retrieve secrets to/from an encrypted Database

VaultAPI is designed to be extremely lightweight, secure, and easy to use. It provides cutting-edge security features like AES encryption, IP-based access control, and rate limiting, all out of the box. It also includes transit encryption, so that secrets stay encrypted while in transit and are protected against man-in-the-middle attacks.


Kick off

Recommendations

Install VaultAPI

python -m pip install vaultapi

Initiate - IDE

import vaultapi

if __name__ == '__main__':
    vaultapi.start()

Initiate - CLI

vaultapi start

Use vaultapi --help for usage instructions.

Environment Variables

Sourcing environment variables from an env file

By default, VaultAPI will look for a .env file in the current working directory.

Mandatory

  • APIKEY - API Key for authentication.
  • SECRET - Secret access key used to encrypt/decrypt the secrets in the datastore.

Optional (with defaults)

  • TRANSIT_KEY_LENGTH - AES key length for transit encryption. Defaults to 32
  • TRANSIT_TIME_BUCKET - Interval for which the transit epoch should remain constant. Defaults to 60
  • DATABASE - FilePath to store the secrets' database. Defaults to secrets.db
  • HOST - Hostname for the API server. Defaults to 0.0.0.0 [OR] localhost
  • PORT - Port number for the API server. Defaults to 9010
  • WORKERS - Number of workers for the uvicorn server. Defaults to 1
  • RATE_LIMIT - List of dictionaries with max_requests and seconds to apply as the rate limit. Defaults to 5req/2s [AND] 10req/30s
  • ALLOW_PUBLIC_IP - Boolean flag to allow connections via public IP. Defaults to false
  • ALLOW_PRIVATE_IP - Boolean flag to allow connections via private IP. Defaults to false
  • ALLOW_PRIVATE_IP_RANGE - Boolean flag to allow connections from any private IP address within the range (1-256). Defaults to false

Optional (without defaults)

  • LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.
  • ALLOWED_ORIGINS - Origins that are allowed to retrieve secrets.
  • ALLOWED_IP_RANGE - IP range that is allowed to retrieve secrets (e.g. 10.112.8.10-210).
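As an added example (not VaultAPI's own code), the following shows how the access policy described by ALLOWED_IP_RANGE, ALLOW_PUBLIC_IP and ALLOW_PRIVATE_IP could be evaluated for an incoming client address, including the short `10.112.8.10-210` range form. The exact checks VaultAPI performs may differ; accepting a full dotted address after the dash and always allowing loopback are assumptions made here.

```python
import ipaddress
from typing import Optional, Tuple

# Illustrative re-implementation of the IP-based access control described by
# the ALLOWED_IP_RANGE / ALLOW_PUBLIC_IP / ALLOW_PRIVATE_IP settings.
# Added example code; it is not VaultAPI's actual implementation.


def parse_ip_range(spec: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse a range like '10.112.8.10-210' into (first, last) addresses.

    The part after '-' replaces the last octet of the start address. A full
    dotted address after '-' is also accepted (an assumption, for convenience).
    """
    start_s, end_s = (part.strip() for part in spec.split("-", 1))
    start = ipaddress.IPv4Address(start_s)
    if "." not in end_s:
        last_octet = int(end_s)
        if not 0 <= last_octet <= 255:
            raise ValueError(f"invalid last octet in range: {spec}")
        end_s = ".".join(start_s.split(".")[:3] + [str(last_octet)])
    end = ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError(f"range end precedes start: {spec}")
    return start, end


def is_allowed(client_ip: str, allowed_range: Optional[str] = None,
               allow_public_ip: bool = False, allow_private_ip: bool = False) -> bool:
    """Decide whether a client address may reach the API.

    Loopback is always accepted (the server defaults to localhost); every
    other address needs an explicit opt-in, mirroring the 'defaults to false'
    flags. Anything unparseable or in a reserved/link-local range is denied.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: deny rather than guess
    if ip.is_loopback:
        return True
    # An explicit whitelist range wins over the coarse public/private flags.
    if allowed_range and isinstance(ip, ipaddress.IPv4Address):
        start, end = parse_ip_range(allowed_range)
        if start <= ip <= end:
            return True
    if ip.is_private:
        return allow_private_ip
    if ip.is_global:
        return allow_public_ip
    return False
```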

Optional (UI integration)

  • ENABLE_UI - Boolean flag to enable the UI. Defaults to false
  • TOTP_TOKEN - Secret token for TOTP authentication in the UI. Can be generated using any TOTP generator app like Google Authenticator or Authy.
  • UI_LIFETIME - Time in seconds for which the UI session should remain active. Defaults to 900 (15 minutes)

Check out decryptors for more information about decrypting the secret retrieved from the server.

Auto-generate a SECRET value

This value will be used to encrypt/decrypt the secrets stored in the database.

CLI

vaultapi keygen

IDE

from cryptography.fernet import Fernet
print(Fernet.generate_key())

API Functionality

Endpoint        Description                                   API method
/health         API health endpoint                           GET
/get-secret     Retrieve secrets (comma-separated list)       GET
/get-table      Get ALL the secrets stored in a table         GET
/list-tables    List all available tables                     GET
/put-secret     Store or update a secret (key-value pairs)    PUT
/delete-secret  Delete a specific secret                      DELETE
/create-table   Create a new table                            POST
/delete-table   Delete an existing table                      DELETE

Coding Standards

Docstring format: Google
Styling conventions: PEP 8 and isort

Requirement

python -m pip install gitverse

Usage

gitverse-release reverse -f release_notes.rst -t 'Release Notes'

Linting

pre-commit will ensure linting, run pytest, generate the runbook and release notes, and validate hyperlinks in ALL markdown files (including Wiki pages).

Requirement

python -m pip install sphinx==5.1.1 pre-commit recommonmark

Usage

pre-commit run --all-files

Pypi Package


https://pypi.org/project/VaultAPI/

Docker Image


https://hub.docker.com/r/thevickypedia/vaultapi

Runbook


https://thevickypedia.github.io/VaultAPI/

License & copyright

© Vignesh Rao

Licensed under the MIT License
