Metadata-Version: 2.4
Name: toolssecret
Version: 0.1.0
Summary: Tiny helper to fetch Google Secret Manager secrets with optional service account keyfile support.
Author: MH
License-Expression: MIT
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: google-cloud-secret-manager>=2.16.0
Requires-Dist: google-auth>=2.0.0
Dynamic: license-file

# toolssecret

Tiny helper to fetch secrets from **Google Secret Manager**, with optional support for:

- **ADC (Application Default Credentials)** _(default)_
- A **service account JSON keyfile** (`service_account_file`)
- A **service account info dict** (`service_account_info`) — useful for CI/CD where you inject JSON via env/secret manager

It’s designed so you can simply:

```python
from toolssecret import get_secret
```

## Install

### From PyPI

```text
pip install toolssecret
```

## Usage

### 1) Using ADC (Application Default Credentials)

```python
from toolssecret import get_secret

value = get_secret(secret_name="api_key_test", project_id="myproject")
print(value)
```

### 2) Using a service account keyfile

```python
from toolssecret import get_secret

value = get_secret(
    secret_name="api_key_test",
    project_id="myproject",
    service_account_file="~/.config/gcloud/sa-keys/myserviceaccount.json",
)
print(value)
```

Notes:

- `service_account_file` supports `~` and environment variable expansion like `$HOME/...` (expanded by Python).

### 3) Using a service account info dict

This is useful when you keep the service account JSON in an environment variable or secret.

```python
import json
import os
from toolssecret import get_secret

sa_info = json.loads(os.environ["GCP_SA_JSON"])

value = get_secret(
    secret_name="api_key_test",
    project_id="myproject",
    service_account_info=sa_info,
)
print(value)
```

If you omit `project_id`, `toolssecret` will try to detect it in this order:

1. `GOOGLE_CLOUD_PROJECT`, `GCLOUD_PROJECT`, `GCP_PROJECT`
2. `service_account_info["project_id"]` (if provided)
3. The `project_id` embedded in `service_account_file` (if provided)
4. ADC project detection

## API

```python
get_secret(
  secret_name: str,
  project_id: Optional[str] = None,
  version_id: str = "latest",
  service_account_file: Optional[str] = None,
  service_account_info: Optional[dict] = None,
) -> str
```

- If both `service_account_info` and `service_account_file` are provided, **`service_account_info` wins**.
- Secrets are cached **in-memory per process** (cache key includes which credentials source was used).

## Security notes

- Avoid committing service account keyfiles to git.
- Prefer `service_account_info` sourced from a secure secret store (CI secrets, vault, etc.).
- `toolssecret` does not log secret values.
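
An added example, not part of `toolssecret`: a pre-commit style check for the first note above. It walks a directory, flags files that parse as service account key JSON, and reports whether each is accessible to group or other users. The function names, the marker fields and the 64 KB size cap are assumptions of this example.

```python
import json
import os
import stat
import sys
from pathlib import Path

# Fields found in a Google service account key JSON (assumed sufficient markers).
KEY_MARKERS = {"type", "private_key", "client_email"}
MAX_BYTES = 64 * 1024  # assumption: real keyfiles are only a few KB


def is_service_account_key(path):
    """Return True if the file parses as a service account key JSON object."""
    try:
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            return False
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):  # unreadable, binary, or not JSON
        return False
    return (
        isinstance(data, dict)
        and KEY_MARKERS.issubset(data)
        and data["type"] == "service_account"
    )


def find_keyfiles(root):
    """Return sorted (path, too_permissive) pairs for keyfiles under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = Path(dirpath) / name
            if is_service_account_key(path):
                mode = path.stat().st_mode
                # Any group/other permission bit means the key is exposed locally.
                loose = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
                hits.append((path, loose))
    return sorted(hits)


if __name__ == "__main__":
    found = find_keyfiles(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, loose in found:
        note = " (accessible to group/other)" if loose else ""
        print(f"service account keyfile: {path}{note}")  # path only, never contents
    sys.exit(1 if found else 0)
```

Run it against the repository root from a pre-commit hook or CI step; a non-zero exit status means at least one keyfile was found.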
