aws-sdk-secrets-manager 0.1.0__tar.gz

aws_sdk_secrets_manager-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Karen Petrosyan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aws_sdk_secrets_manager-0.1.0/PKG-INFO

@@ -0,0 +1,82 @@
+Metadata-Version: 2.4
+Name: aws-sdk-secrets-manager
+Version: 0.1.0
+Summary: Python SDK for AWS Secrets Manager.
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Software Development :: Code Generators
+Classifier: Typing :: Typed
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: zapros>=0.12.0
+Dynamic: license-file
+
+# Getting Started
+
+## Installation
+
+```
+pip install aws_sdk_secrets_manager
+```
+
+## Usage
+
+```python
+from aws_sdk_secrets_manager import AsyncSecretsManagerClient
+
+
+async def main():
+    async with AsyncSecretsManagerClient() as s3:
+        # Example: call the batch_get_secret_value operation
+        response = await s3.batch_get_secret_value()
+        print(response["secret_values"])
+```
+
+## Error Handling
+
+The SDK raises exceptions for errors returned by the API. Catch them to handle failures gracefully.
+
+```python
+from aws_sdk_secrets_manager import AsyncSecretsManagerClient
+from aws_sdk_secrets_manager.error import DecryptionFailure
+
+
+async def main():
+    async with AsyncSecretsManagerClient() as s3:
+        try:
+            await s3.batch_get_secret_value()
+        except DecryptionFailure as e:
+            print(f"Error: {e}")
+            print(e.data)  # additional error data
+```
+
+## Retrying
+
+The SDK retries failed operations automatically. Retry behaviour follows the Smithy specification: errors are retried based on their `is_retryable` and `is_throttling_error` attributes. Throttling errors use a longer base delay. Network-level failures (connection errors and timeouts) are also retried. Non-retryable errors, such as client errors without the `@retryable` trait, are raised immediately without further attempts.
+
+The number of attempts defaults to 3 and can be changed at the client level via `retry_max_attempts`, or per call via `config_overrides`.
+
+```python
+from aws_sdk_secrets_manager import AsyncSecretsManagerClient
+
+
+async def main():
+    async with AsyncSecretsManagerClient() as s3:
+        # Default: 3 attempts for every operation
+        response = await s3.batch_get_secret_value()
+
+        # Override per operation
+        response = await s3.batch_get_secret_value(config_overrides={"retry_max_attempts": 5})
+
+        # Disable retries for this call
+        response = await s3.batch_get_secret_value(config_overrides={"retry_max_attempts": 1})
+```

aws_sdk_secrets_manager-0.1.0/README.md

@@ -0,0 +1,60 @@
+# Getting Started
+
+## Installation
+
+```
+pip install aws_sdk_secrets_manager
+```
+
+## Usage
+
+```python
+from aws_sdk_secrets_manager import AsyncSecretsManagerClient
+
+
+async def main():
+    async with AsyncSecretsManagerClient() as s3:
+        # Example: call the batch_get_secret_value operation
+        response = await s3.batch_get_secret_value()
+        print(response["secret_values"])
+```
+
+## Error Handling
+
+The SDK raises exceptions for errors returned by the API. Catch them to handle failures gracefully.
+
+```python
+from aws_sdk_secrets_manager import AsyncSecretsManagerClient
+from aws_sdk_secrets_manager.error import DecryptionFailure
+
+
+async def main():
+    async with AsyncSecretsManagerClient() as s3:
+        try:
+            await s3.batch_get_secret_value()
+        except DecryptionFailure as e:
+            print(f"Error: {e}")
+            print(e.data)  # additional error data
+```
+
+## Retrying
+
+The SDK retries failed operations automatically. Retry behaviour follows the Smithy specification: errors are retried based on their `is_retryable` and `is_throttling_error` attributes. Throttling errors use a longer base delay. Network-level failures (connection errors and timeouts) are also retried. Non-retryable errors, such as client errors without the `@retryable` trait, are raised immediately without further attempts.
+
+The number of attempts defaults to 3 and can be changed at the client level via `retry_max_attempts`, or per call via `config_overrides`.
+
+```python
+from aws_sdk_secrets_manager import AsyncSecretsManagerClient
+
+
+async def main():
+    async with AsyncSecretsManagerClient() as s3:
+        # Default: 3 attempts for every operation
+        response = await s3.batch_get_secret_value()
+
+        # Override per operation
+        response = await s3.batch_get_secret_value(config_overrides={"retry_max_attempts": 5})
+
+        # Disable retries for this call
+        response = await s3.batch_get_secret_value(config_overrides={"retry_max_attempts": 1})
+```

aws_sdk_secrets_manager-0.1.0/pyproject.toml

@@ -0,0 +1,41 @@
+[project]
+name = "aws-sdk-secrets-manager"
+version = "0.1.0"
+description = "Python SDK for AWS Secrets Manager."
+readme = "README.md"
+requires-python = ">=3.10"
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Topic :: Software Development :: Code Generators",
+    "Typing :: Typed",
+]
+dependencies = [
+    "zapros>=0.12.0",
+]
+
+[tool.pytest.ini_options]
+pythonpath = ["src"]
+testpaths = ["tests"]
+
+[tool.pyright]
+include = ["src", "tests"]
+extraPaths = ["src"]
+pythonVersion = "3.14"
+
+[dependency-groups]
+dev = [
+    "inline-snapshot>=0.33.0",
+    "pyright>=1.1.409",
+    "pytest>=9.0.3",
+    "ruff>=0.15.14",
+    "trio",
+]

aws_sdk_secrets_manager-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

aws_sdk_secrets_manager-0.1.0/src/aws_sdk_secrets_manager/__init__.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+from ._auth._identity import Identity as Identity, Credentials as Credentials
+from ._auth._providers import (
+    IdentityNotFound as IdentityNotFound,
+    IdentityProvider as IdentityProvider,
+    ChainedProvider as ChainedProvider,
+    CachedProvider as CachedProvider,
+    CredentialsProvider as CredentialsProvider,
+    StaticAwsCredentialsProvider as StaticAwsCredentialsProvider,
+    EnvCredentialsProvider as EnvCredentialsProvider,
+    ProfileCredentialsProvider as ProfileCredentialsProvider,
+)
+from ._auth._signers import Signer as Signer, SigV4Signer as SigV4Signer
+from ._services.secrets_manager import SecretsManagerClient as SecretsManagerClient
+from ._services.async_secrets_manager import (
+    AsyncSecretsManagerClient as AsyncSecretsManagerClient,
+)

aws_sdk_secrets_manager-0.1.0/src/aws_sdk_secrets_manager/_async.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+import asyncio
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    import trio
+else:
+    try:
+        import trio
+    except ImportError:
+        trio = None
+
+
+def in_trio_run() -> bool:
+    if trio is None:
+        return False
+    return trio.lowlevel.in_trio_run()
+
+
+async def anysleep(delay: float) -> None:
+    if in_trio_run():
+        await trio.sleep(delay)
+    else:
+        await asyncio.sleep(delay)

aws_sdk_secrets_manager-0.1.0/src/aws_sdk_secrets_manager/_auth/_identity.py

@@ -0,0 +1,15 @@
+from __future__ import annotations
+
+from datetime import datetime
+from typing import TypedDict
+from typing_extensions import NotRequired
+
+
+class Identity(TypedDict):
+    expiration: NotRequired[datetime | None]
+
+
+class Credentials(Identity):
+    access_key: str
+    secret_key: str
+    session_token: NotRequired[str | None]

aws_sdk_secrets_manager-0.1.0/src/aws_sdk_secrets_manager/_auth/_providers.py

@@ -0,0 +1,159 @@
+from __future__ import annotations
+
+import configparser
+import os
+from abc import abstractmethod
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Generic, TypeVar
+
+from aws_sdk_secrets_manager._auth._identity import (
+    Credentials,
+    Identity,
+)
+
+
+class IdentityNotFound(Exception):
+    """Raised when a provider cannot resolve an identity. Chain continues."""
+
+
+IdentityT = TypeVar("IdentityT", bound="Identity")
+
+
+class IdentityProvider(Generic[IdentityT]):
+    @abstractmethod
+    def resolve_identity(self) -> IdentityT:
+        raise NotImplementedError
+
+
+class ChainedProvider(IdentityProvider[IdentityT]):
+    """Try each provider in order; first non-`IdentityNotFound` wins."""
+
+    def __init__(self, *providers: IdentityProvider[IdentityT]) -> None:
+        if not providers:
+            raise ValueError("ChainedProvider requires at least one provider")
+        self._providers = providers
+
+    def resolve_identity(self) -> IdentityT:
+        errors: list[str] = []
+        for p in self._providers:
+            try:
+                return p.resolve_identity()
+            except IdentityNotFound as e:
+                errors.append(f"{type(p).__name__}: {e}")
+        raise IdentityNotFound("no provider succeeded: " + "; ".join(errors))
+
+
+class CachedProvider(IdentityProvider[IdentityT]):
+    """Cache an identity until its `expiration` (minus skew) elapses."""
+
+    _SKEW_SECONDS = 60
+
+    def __init__(self, inner: IdentityProvider[IdentityT]) -> None:
+        self._inner = inner
+        self._cached: IdentityT | None = None
+
+    def resolve_identity(self) -> IdentityT:
+        if self._cached is not None and not self._expired(self._cached):
+            return self._cached
+        self._cached = self._inner.resolve_identity()
+        return self._cached
+
+    @classmethod
+    def _expired(cls, ident: Identity) -> bool:
+        exp = ident.get("expiration")
+        if exp is None:
+            return False
+        return (exp - datetime.now(timezone.utc)).total_seconds() <= cls._SKEW_SECONDS
+
+
+class CredentialsProvider(IdentityProvider[Credentials]):
+    """Base class for providers that resolve AWS `Credentials`."""
+
+    @abstractmethod
+    def resolve_identity(self) -> Credentials:
+        raise NotImplementedError
+
+
+class StaticAwsCredentialsProvider(CredentialsProvider):
+    def __init__(self, credentials: Credentials) -> None:
+        self._credentials = credentials
+
+    def resolve_identity(self) -> Credentials:
+        return self._credentials
+
+
+class EnvCredentialsProvider(CredentialsProvider):
+    """Read AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN."""
+
+    def resolve_identity(self) -> Credentials:
+        ak = os.environ.get("AWS_ACCESS_KEY_ID")
+        sk = os.environ.get("AWS_SECRET_ACCESS_KEY")
+        if not ak or not sk:
+            raise IdentityNotFound("AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY unset")
+        out: Credentials = {"access_key": ak, "secret_key": sk}
+        token = os.environ.get("AWS_SESSION_TOKEN")
+        if token:
+            out["session_token"] = token
+        return out
+
+
+class ProfileCredentialsProvider(CredentialsProvider):
+    """Read ~/.aws/credentials and ~/.aws/config for the active profile."""
+
+    def __init__(
+        self,
+        profile: str | None = None,
+        credentials_file: Path | None = None,
+        config_file: Path | None = None,
+    ) -> None:
+        self._profile = profile or os.environ.get("AWS_PROFILE", "default")
+        self._cred_file = credentials_file or Path(
+            os.environ.get("AWS_SHARED_CREDENTIALS_FILE")
+            or Path.home() / ".aws" / "credentials"
+        )
+        self._cfg_file = config_file or Path(
+            os.environ.get("AWS_CONFIG_FILE") or Path.home() / ".aws" / "config"
+        )
+
+    def resolve_identity(self) -> Credentials:
+        section = self._load_profile()
+        ak = section.get("aws_access_key_id")
+        sk = section.get("aws_secret_access_key")
+        if not ak or not sk:
+            raise IdentityNotFound(
+                f"profile {self._profile!r}: missing aws_access_key_id/aws_secret_access_key"
+            )
+        out: Credentials = {"access_key": ak, "secret_key": sk}
+        token = section.get("aws_session_token")
+        if token:
+            out["session_token"] = token
+        return out
+
+    def _load_profile(self) -> dict[str, str]:
+        merged: dict[str, str] = {}
+        if self._cfg_file.is_file():
+            cfg = configparser.ConfigParser()
+            cfg.read(self._cfg_file)
+            # config file profiles look like `[profile foo]`, except default
+            key = (
+                "default" if self._profile == "default" else f"profile {self._profile}"
+            )
+            if cfg.has_section(key):
+                merged.update(dict(cfg.items(key)))
+        if self._cred_file.is_file():
+            cfg = configparser.ConfigParser()
+            cfg.read(self._cred_file)
+            if cfg.has_section(self._profile):
+                merged.update(dict(cfg.items(self._profile)))
+        if not merged:
+            raise IdentityNotFound(
+                f"profile {self._profile!r} not found in {self._cred_file} or {self._cfg_file}"
+            )
+        return merged
+
+
+def default_aws_credentials_chain() -> IdentityProvider[Credentials]:
+    return CachedProvider(
+        ChainedProvider(EnvCredentialsProvider(), ProfileCredentialsProvider())
+    )

aws_sdk_secrets_manager-0.1.0/src/aws_sdk_secrets_manager/_auth/_signers.py

@@ -0,0 +1,83 @@
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from typing import Generic, TypeVar
+from typing import Any
+from zapros import Request
+from aws_sdk_secrets_manager._auth._sigv4 import SigV4AuthContext, sign_sigv4
+from aws_sdk_secrets_manager._auth._identity import Credentials, Identity
+from aws_sdk_secrets_manager._auth._providers import IdentityProvider
+
+IdentityT = TypeVar("IdentityT", bound="Identity")
+
+
+class Signer(ABC, Generic[IdentityT]):
+    """Per-request request signer. Holds an IdentityProvider plus static config."""
+
+    def __init__(self, provider: IdentityProvider[IdentityT]) -> None:
+        self.provider = provider
+
+    @abstractmethod
+    async def asign(self, req: Request) -> Request: ...
+    @abstractmethod
+    def sign(self, req: Request) -> Request: ...
+
+
+class SigV4Signer(Signer[Credentials]):
+    """aws.auth#sigv4 — AWS Signature Version 4.
+
+    The full auth scheme (``name`` variant, ``signingName``, ``signingRegion``,
+    encoding/normalization flags) is provided by the caller — either from the
+    endpoint rule-set's ``authSchemes`` property or built by the generated
+    ``get_signer`` from operation defaults.
+    """
+
+    def __init__(
+        self, provider: IdentityProvider[Credentials], *, auth_scheme: dict[str, Any]
+    ) -> None:
+        super().__init__(provider)
+        self._auth_scheme = auth_scheme
+
+    async def asign(self, req: Request) -> Request:
+        creds = self.provider.resolve_identity()
+        ctx: SigV4AuthContext = {
+            "type": "sig_v4",
+            "access_key_id": creds["access_key"],
+            "secret_access_key": creds["secret_key"],
+            "session_token": creds.get("session_token"),
+            "signing_region": self._auth_scheme["signingRegion"],
+            "signing_name": self._auth_scheme["signingName"],
+        }
+        if req.body is None:
+            body: bytes | None = b""
+        elif isinstance(req.body, bytes):
+            body = req.body
+        else:
+            body = None
+        # Strip Accept-Encoding so transports/intermediaries can't transcode
+        # the response and so the value never enters the canonical request.
+        if "accept-encoding" in req.headers:
+            del req.headers["Accept-Encoding"]
+        return sign_sigv4(req, ctx, body)
+
+    def sign(self, req: Request) -> Request:
+        creds = self.provider.resolve_identity()
+        ctx: SigV4AuthContext = {
+            "type": "sig_v4",
+            "access_key_id": creds["access_key"],
+            "secret_access_key": creds["secret_key"],
+            "session_token": creds.get("session_token"),
+            "signing_region": self._auth_scheme["signingRegion"],
+            "signing_name": self._auth_scheme["signingName"],
+        }
+        if req.body is None:
+            body: bytes | None = b""
+        elif isinstance(req.body, bytes):
+            body = req.body
+        else:
+            body = None
+        # Strip Accept-Encoding so transports/intermediaries can't transcode
+        # the response and so the value never enters the canonical request.
+        if "accept-encoding" in req.headers:
+            del req.headers["Accept-Encoding"]
+        return sign_sigv4(req, ctx, body)