candidco
confidential
Python

๐Ÿคซ Easily manage configs and secrets in your Python projects (with CLI support)

Last updated Apr 23, 2026
79
Stars
7
Forks
2
Issues
0
Stars/day
Attention Score
16
Language breakdown
Python 100.0%
โ–ธ Files click to expand
README

confidential

badge

Installation

pip install confidential

How does it work?

Confidential manages secrets for your project, using AWS Secrets Manager and SSM Parameter Store.

First, store a secret in AWS Secrets Manager. Then, create a secrets file, say my_secrets.json. A value will be decrypted if the word secret precedes it, like the database value below:

{
  "database": "secret:database_details",
  "environment": "production",
  "debug_mode": false
}

Similarly, SSM Parameters can be referenced by providing a parameter key, e.g.: "ssm:somessmparameter_key". You can decrypt this file either in Python, or directly using the CLI. Ensure AWS CLI is set up, then run:

confidential my_secrets.json

which outputs the file with decrypted values

{   "database": {     "url": "https://example.com",     "username": "admin",     "password": "p@55w0rd",     "port": 5678   },   "environment": "production",   "debug_mode": false }

image

Can I use it in my Python projects?

Yes, simply import and instantiate SecretsManager, like so:

settings.py

from confidential import SecretsManager

secrets = SecretManager( secrets_file=".secrets/production.json", secretsfiledefault=".secrets/defaults.json", # Overridable defaults you can use in common environments regi, )

DATABASES = { 'default': secrets["database"] }

If exportenvvariables is set to True, each secret will also be exported as an environment variable, with the uppercase key as the variable name, e.g.:

from confidential import SecretsManager
import os

secrets = SecretManager( secrets_file=".secrets/production.json", secretsfiledefault=".secrets/defaults.json", # Overridable defaults you can use in common environments regi, exportenvvariables=True, # Optionally, export secrets as environment variables. Default is False. )

If the key of a secret is api_key, then the following is true:

assert secrets["apikey"] == os.environ.get("APIKEY")

Trying to access an inexisting key returns None. On previous versions, it would throw an exception.

Testing

First, install all dependencies:

poetry install

Then run the tests

poetry run pytest

๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท candidco/confidential ยท Updated daily from GitHub