.. image:: https://github.com/razorpay/alohomora/actions/workflows/ci.yml/badge.svg
   :target: https://github.com/razorpay/alohomora/actions/workflows/ci.yml

Razorpay's Secret Credential management system.

alohomora is distributed via PyPI:

.. code:: shell

   pip install razorpay.alohomora

Alohomora is an opinionated project that relies on our conventions to intelligently fetch secrets at run-time.

We don't do our own crypto. We rely on these libraries instead:

This is how the template file looks in our app repository:

.. code::

   # {{ alohomora_managed }}
   DB_PASSWORD = {{ lookup('db_password') }}
   APP_ENV = {{ env }}
   ENV_DEBUG = {{ ENV['DEBUG'] }}
   APP_NAME = {{ app }}

This repo runs directly on the same template and generates the equivalent file as the output.

The steps it follows are the following:

``credstash-env-app`` table structure in DynamoDB.

Alohomora expects the secrets for any application to be stored in a
table called ``credstash-{env}-{app}``. The IAM roles for this table
must be configured by you. Once you try to render a template, alohomora
will do the following:

``env``, ``app``, and ``ENV`` variables. ``ENV`` is the same as ``os.environ``
inside the Jinja template.

Alohomora is designed to be a zero-config solution.

We perform a few transforms on the arguments that are passed:

- ``app`` and ``env`` to lowercase
- ``production`` with ``prod`` in the ``env`` name
- ``-`` in the environment. So ``beta-birdie`` becomes ``beta``

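As an added example (not code from the alohomora project), the following stdlib-only Python applies the transforms above to derive the ``credstash-{env}-{app}`` table name and lists which secrets and process environment variables a template reads, which is the information needed to scope the IAM role for that table. The transform order, the substring replacement of ``production``, and dropping everything from the first ``-`` are assumptions based on the ``beta-birdie`` example, and all function names are hypothetical.

```python
import re

# Patterns for the lookup() and ENV[...] constructs shown in the README template.
LOOKUP_RE = re.compile(r"\{\{\s*lookup\(\s*(['\"])(.+?)\1\s*\)\s*\}\}")
ENV_RE = re.compile(r"\{\{\s*ENV\[\s*(['\"])(.+?)\1\s*\]\s*\}\}")


def normalize(env, app):
    """Apply the README's argument transforms (the order is an assumption)."""
    env, app = env.lower(), app.lower()
    env = env.replace("production", "prod")
    env = env.split("-", 1)[0]  # assumed: drop the suffix, beta-birdie -> beta
    return env, app


def table_name(env, app):
    """DynamoDB table the IAM role must be allowed to read."""
    env, app = normalize(env, app)
    return "credstash-{}-{}".format(env, app)


def audit_template(text, env, app):
    """Report what a template will read, without contacting DynamoDB."""
    return {
        "table": table_name(env, app),
        # Keys fetched from the credstash table via lookup().
        "secrets": sorted({m.group(2) for m in LOOKUP_RE.finditer(text)}),
        # Keys read from os.environ via ENV[...]; these are not stored secrets.
        "process_env": sorted({m.group(2) for m in ENV_RE.finditer(text)}),
    }


# Constructed sample input: the template shown earlier in this README.
SAMPLE = """\
# {{ alohomora_managed }}
DB_PASSWORD = {{ lookup('db_password') }}
APP_ENV = {{ env }}
ENV_DEBUG = {{ ENV['DEBUG'] }}
APP_NAME = {{ app }}
"""

if __name__ == "__main__":
    print(audit_template(SAMPLE, "Production", "Birdie"))
```
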
Please see the wiki regarding alohomora binary usage.

``alohomora`` is released under the same license as credstash.