Usage

Hush can be thought of as a secrets manager, but it is more appropriate to think of it as a manager of other secret managers.

Keep in mind the following notes while reading the rest of the documentation:

  • This package provides both a library and an executable, named hush, that can be used to test this package’s functionality.

  • Hush has multiple builtin plugins which are enabled by default (i.e. we will attempt to use them, by default, when a user requests secret retrieval).

  • In the examples in this documentation, we will make use of a builtin plugin that reads secrets from environment variables.

Using the Library

The hush library exposes two public entry points: the hush.get_secret() function and the hush.Hush() class. The examples below demonstrate how each can be used.

Examples

import os

from hush import Hush, get_secret


# To retrieve a secret we must provide Hush with a key to associate with that
# secret. Below, that key is 'foobar'.
os.environ["FOOBAR"] = "Kung Fooooo!"
secret = get_secret("foobar")
print(secret)  # output: Kung Fooooo!

# A secret can optionally belong to a particular namespace. A namespace is a
# listing of names that are generally combined with the key somehow, but
# ultimately it is up to each plugin to decide how it wants to handle namespaces
# (if it chooses to handle them at all).
os.environ["DB_DEV_FOOBAR"] = "Database in Development!"
secret = get_secret("foobar", ["db", "dev"])
print(secret)  # output: Database in Development!

# The Hush class can be used to constrain the context (i.e. parameters) for the
# `get_secret()` function (which the `Hush.get_secret()` method wraps).
hush = Hush(namespace=["db", "dev"])
secret = hush.get_secret("foobar")
print(secret)  # output: Database in Development!

Using the hush Script

This package also comes with an executable script, hush, that can be used to invoke Hush from the command-line.

Examples

Add secrets using environment variables:

$ export FOOBAR="Kung Fooooo!"
$ export DB_DEV_FOOBAR="Database in Development!"

Use hush to retrieve those secrets:

$ hush foobar
Kung Fooooo!

$ hush --namespace=db,dev foobar
Database in Development!