baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2a61b8e1ad7cf99dc9ec7babcf41a809b4c25ac3
buun-stack/python-package/README.md
Masaki Yatsu d233373219 feat(jupyterhub): vault token w/o keycloak auth
2025-09-03 10:11:06 +09:00

3.3 KiB
Raw Blame History

buunstack

A Python package for buun-stack that provides secure secrets management with HashiCorp Vault using pre-acquired Vault tokens from JupyterHub for seamless authentication.

Features

  • 🔒 Secure Secrets Management: Integration with HashiCorp Vault
  • 🚀 Pre-acquired Authentication: Uses Vault tokens created at notebook spawn
  • 📱 Simple API: Easy-to-use interface for secrets storage and retrieval
  • 🔄 Automatic Token Renewal: Built-in token refresh for long-running sessions
  • 🏢 Enterprise Ready: Built for production environments

Quick Start

Installation

pip install buunstack

Basic Usage

from buunstack import SecretStore

# Initialize with pre-acquired Vault token (automatic)
secrets = SecretStore()

# Put API keys and configuration
secrets.put('api-keys',
    openai_key='sk-your-key-here',
    github_token='ghp_your-token',
    database_url='postgresql://user:pass@host:5432/db'
)

# Get secrets
api_keys = secrets.get('api-keys')
openai_key = api_keys['openai_key']

# List all your secrets
all_secrets = secrets.list()

Configuration Options

# Disable JupyterHub token synchronization
secrets = SecretStore(sync_with_jupyterhub=False)

# Custom token validity buffer
secrets = SecretStore(
    sync_with_jupyterhub=True,
    refresh_buffer_seconds=600  # Sync tokens 10 minutes before expiry
)

# Check synchronization status
status = secrets.get_status()
print(f"JupyterHub sync enabled: {status['sync_with_jupyterhub']}")
print(f"API configured: {status.get('jupyterhub_api_configured', False)}")

Environment Variables Helper

from buunstack import SecretStore, get_env_from_secrets, put_env_to_secrets

secrets = SecretStore()

# Put environment variables
project_env = {
    'PROJECT_NAME': 'ml-research',
    'MODEL_VERSION': 'v2.1',
    'DEBUG': 'false'
}
put_env_to_secrets(secrets, project_env)

# Get environment variables
loaded_vars = get_env_from_secrets(secrets)
# Now available as os.environ['PROJECT_NAME'], etc.

Comparison with Other Platforms

Platform API Features
Google Colab userdata.get('KEY') Simple, strings only
Databricks dbutils.secrets.get(scope, key) Scoped management
AWS SageMaker boto3.client().get_secret_value() JSON support, IAM control
Azure ML SecretClient().get_secret() RBAC, HSM support
buunstack secrets.get('key') JSON support, unlimited sessions, auto-refresh

Requirements

  • Python 3.8+
  • JupyterHub environment with Keycloak OIDC authentication
  • HashiCorp Vault backend
  • Required environment variables:
    • JUPYTERHUB_USER
    • VAULT_ADDR
    • JUPYTERHUB_OIDC_ACCESS_TOKEN
    • JUPYTERHUB_OIDC_REFRESH_TOKEN (for auto-refresh)
    • KEYCLOAK_HOST, KEYCLOAK_REALM (for auto-refresh)

Architecture

buunstack integrates with:

  • JupyterHub: For user authentication and session management
  • Keycloak: For OIDC token management and refresh
  • HashiCorp Vault: For secure secrets storage
  • Kubernetes: For container orchestration and networking

License

This project is licensed under the MIT License - see the LICENSE file for details.

Security

For security issues, please email security@buunstack.dev instead of using the issue tracker.