A custom Django field for storing and securely accessing a 1Password vault item.
Project description
django-opfield
A custom Django field that integrates with the 1Password op
CLI to securely access secrets via the op://
secret reference URI.
Requirements
- Python 3.8, 3.9, 3.10, 3.11, 3.12
- Django 4.2, 5.0
- 1Password CLI and a 1Password Service Account
Getting Started
-
Install the package from PyPI:
python -m pip install django-opfield
-
Install the 1Password
op
CLI tool, making sure it is callable from wherever your application is running. -
Create a 1Password service account and make the service account's token available to your application.
Choose one option:
-
Set the
OP_SERVICE_ACCOUNT_TOKEN
environment variable -
Configure in your application's
settings.py
:# settings.py DJANGO_OPFIELD = { # Explicitly set here only as an example # Use whatever configuration/environment library you prefer # (`python-dotenv`, `django-environs`, `environs`, etc.) "OP_SERVICE_ACCOUNT_TOKEN": "super-secret-token", }
-
Usage
OPField
allows Django models to securely access secrets stored in a 1Password vault, enabling the integration of sensitive data without exposing it directly in your codebase. Secrets are stored using the op://
URI scheme and can be retrieved dynamically using a corresponding model attribute, <field_name>_secret
.
Defining a model
First, let's define a model that includes the OPField
. This field will store the reference to the secret in 1Password, not the secret itself.
from django.db import models
from django_opfield.fields import OPField
class APIService(models.Model):
name = models.CharField(max_length=255)
api_key = OPField()
def __str__(self):
return self.name
Accessing the secret
Assume you have a secret API key stored in a 1Password vault named "my_vault" under the item "my_api" with the field "api_key". Here's how you can store and access this secret within your Django project:
>>> from example.models import APIService
>>> my_api = APIService.objects.create(
... name="My API", api_key="op://my_vault/my_api/api_key"
... )
>>> print(my_api)
<APIService: My API>
>>> print(my_api.name)
'My API'
>>> print(my_api.api_key)
'op://my_vault/my_api/api_key'
>>> # Retrieving the actual secret value is done using the automatically generated '_secret' attribute
>>> print(my_api.api_key_secret)
'your_super_secret_api_token_here'
Storing references, not secrets
Only the URI reference to the secret is ever stored and exposed in the Django admin interface and the database. The actual secret itself is never stored and is only retrieved dynamically when accessed. This approach enables secure management and access to secrets throughout your Django application, safeguarding against potential security vulnerabilities associated with direct exposure.
Documentation
Please refer to the documentation for more information.
License
django-opfield
is licensed under the MIT license. See the LICENSE
file for more information.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django_opfield-0.1.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 22a5cfa5e12f991a727416636cf697ad5e357827d7a3bdc4fb4e6231537d8be7 |
|
MD5 | 2a5308586504f5ba364722381110df1a |
|
BLAKE2b-256 | 09a51de7c41b1aa70e39ee6cb1aa1f31a3b6b133831619edc2ebc33529224eea |