dataflow-core 2.1.6__py3-none-any.whl → 2.1.8__py3-none-any.whl

dataflow/secrets_manager/factory.py

@@ -0,0 +1,59 @@
+# secrets_manager/factory.py
+import os
+from .interface import SecretManager
+from .providers.aws_manager import AWSSecretsManager
+from .providers.azure_manager import AzureKeyVault
+from ..configuration import ConfigurationManager
+
+# A custom exception for clear error messages
+class SecretProviderError(Exception):
+    pass
+
+def get_secret_manager() -> SecretManager:
+    """
+    Factory function to get the configured secret manager instance.
+
+    Reads the cloud provider configuration from dataflow_auth.cfg
+    to determine which cloud provider's secret manager to instantiate.
+    """
+    try:
+        # dataflow_config = None
+        # if os.getenv('HOSTNAME'):
+        #     dataflow_config = ConfigurationManager('/dataflow/app/auth_config/dataflow_auth.cfg')
+        # else:
+        dataflow_config = ConfigurationManager('/dataflow/app/config/dataflow.cfg')
+    except Exception as e:
+        raise SecretProviderError(
+            f"Failed to read cloud provider configuration: {str(e)}. "
+            "Please check that the configuration file exists and contains the 'cloud' section."
+        )
+
+    provider = dataflow_config.get_config_value('cloudProvider', 'cloud')
+    if not provider:
+        raise SecretProviderError(
+            "The cloud provider is not configured in config file. "
+            "Please set the 'cloud' value in the 'cloud' section to 'aws' or 'azure'."
+        )
+
+    provider = provider.lower()
+    print(f"Initializing secret manager for provider: {provider}")
+
+    if provider == "aws":
+        return AWSSecretsManager()
+
+    elif provider == "azure":
+        vault_url = dataflow_config.get_config_value('cloudProvider', 'key_vault')
+        if not vault_url:
+            raise SecretProviderError(
+                "AZURE_VAULT_URL must be set when using the Azure provider."
+            )
+        return AzureKeyVault(vault_url=vault_url)
+
+    # You can easily add more providers here in the future
+    # elif provider == "gcp":
+    #     return GCPSecretManager()
+
+    else:
+        raise SecretProviderError(
+            f"Unsupported secret provider: '{provider}'. Supported providers are: aws, azure."
+        )

dataflow/secrets_manager/interface.py

@@ -0,0 +1,22 @@
+from abc import ABC, abstractmethod
+
+class SecretManager(ABC):
+    @abstractmethod
+    def create_secret(self, vault_path: str, secret_data: dict) -> str:
+        pass
+
+    @abstractmethod
+    def get_secret_by_key(self, vault_path: str):
+        pass
+
+    @abstractmethod
+    def update_secret(self, vault_path: str, update_data):
+        pass
+
+    @abstractmethod
+    def delete_secret(self, vault_path: str):
+        pass
+
+    @abstractmethod
+    def test_connection(self, vault_path: str):
+        pass

dataflow/secrets_manager/providers/aws_manager.py

@@ -0,0 +1,164 @@
+
+import boto3
+import json
+from botocore.exceptions import BotoCoreError, ClientError, EndpointConnectionError, NoCredentialsError
+from ..interface import SecretManager
+from ...utils.exceptions import (
+    SecretNotFoundException,
+    SecretAlreadyExistsException,
+    SecretManagerAuthException,
+    SecretManagerServiceException
+)
+
+class AWSSecretsManager(SecretManager):
+    def __init__(self):
+        try:
+            self.client = boto3.client('secretsmanager')
+        except EndpointConnectionError as e:
+            raise SecretManagerServiceException("initialize_aws_client", original_error=str(e))
+        except NoCredentialsError as e:
+            raise SecretManagerAuthException("initialize_aws_client", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("initialize_aws_client", original_error=str(e))
+
+    def create_secret(self, vault_path: str, secret_data: dict) -> str:
+        try:
+            # Convert dictionary to JSON string before saving
+            secret_string = json.dumps(secret_data)
+            
+            self.client.create_secret(
+                Name=vault_path,
+                SecretString=secret_string,
+                Description=secret_data.get("description", "Created by AWSSecretsManager")
+            )
+            return "Secret created successfully"
+        except ClientError as e:
+            error_code = e.response['Error']['Code']
+            error_message = e.response['Error']['Message']
+            
+            if error_code == 'ResourceExistsException':
+                raise SecretAlreadyExistsException("secret", vault_path, original_error=str(e))
+            elif error_code == 'InvalidRequestException' and 'scheduled for deletion' in error_message:
+                # Special case for secrets in recovery period
+                raise SecretAlreadyExistsException("secret", vault_path, original_error=str(e), is_scheduled_for_deletion=True)
+            elif error_code in ['AccessDeniedException', 'UnauthorizedOperation', 'UnrecognizedClientException']:
+                raise SecretManagerAuthException("create_secret", original_error=str(e))
+            elif error_code in ['InvalidRequestException', 'LimitExceededException']:
+                raise SecretManagerServiceException("create_secret", original_error=str(e))
+            elif error_code == 'InternalServiceErrorException':
+                raise SecretManagerServiceException("create_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("create_secret", original_error=str(e))
+        except BotoCoreError as e:
+            raise SecretManagerServiceException("create_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("create_secret", original_error=str(e))
+
+    def get_secret_by_key(self, vault_path: str) -> dict:
+        try:
+            response = self.client.get_secret_value(SecretId=vault_path)
+            secret_string = response.get('SecretString')
+            
+            # Convert JSON string back to dictionary before returning
+            secret_data = json.loads(secret_string)
+            return secret_data
+        except ClientError as e:
+            error_code = e.response['Error']['Code']
+            if error_code == 'ResourceNotFoundException':
+                raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+            elif error_code in ['AccessDeniedException', 'UnauthorizedOperation', 'UnrecognizedClientException']:
+                raise SecretManagerAuthException("get_secret", original_error=str(e))
+            elif error_code in ['InvalidRequestException', 'DecryptionFailureException']:
+                raise SecretManagerServiceException("get_secret", original_error=str(e))
+            elif error_code == 'InternalServiceErrorException':
+                raise SecretManagerServiceException("get_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("get_secret", original_error=str(e))
+        except json.JSONDecodeError as e:
+            raise SecretManagerServiceException("get_secret", original_error=str(e))
+        except BotoCoreError as e:
+            raise SecretManagerServiceException("get_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("get_secret", original_error=str(e))
+
+    def update_secret(self, vault_path: str, update_data: dict) -> str:
+        try:
+            # Get current secret data
+            current = self.client.get_secret_value(SecretId=vault_path)
+            current_string = current['SecretString']
+            
+            # Convert current JSON string to dictionary
+            current_data = json.loads(current_string)
+            
+            # Update with new data
+            current_data.update(update_data)
+            
+            # Convert updated dictionary back to JSON string
+            updated_string = json.dumps(current_data)
+            
+            self.client.update_secret(
+                SecretId=vault_path,
+                SecretString=updated_string,
+                Description=current_data.get('description', '')
+            )
+            return "Secret updated successfully"
+        except ClientError as e:
+            error_code = e.response['Error']['Code']
+            if error_code == 'ResourceNotFoundException':
+                raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+            elif error_code in ['AccessDeniedException', 'UnauthorizedOperation', 'UnrecognizedClientException']:
+                raise SecretManagerAuthException("update_secret", original_error=str(e))
+            elif error_code in ['InvalidRequestException', 'DecryptionFailureException']:
+                raise SecretManagerServiceException("update_secret", original_error=str(e))
+            elif error_code == 'InternalServiceErrorException':
+                raise SecretManagerServiceException("update_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("update_secret", original_error=str(e))
+        except json.JSONDecodeError as e:
+            raise SecretManagerServiceException("update_secret", original_error=str(e))
+        except BotoCoreError as e:
+            raise SecretManagerServiceException("update_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("update_secret", original_error=str(e))
+
+    def delete_secret(self, vault_path: str) -> str:
+        try:
+            if "git-ssh" in vault_path:
+                self.client.delete_secret(
+                    SecretId=vault_path,
+                    ForceDeleteWithoutRecovery=True
+                )
+            else:
+                self.client.delete_secret(
+                    SecretId=vault_path,
+                    RecoveryWindowInDays=7
+                )
+            return "Secret deleted successfully"
+        except ClientError as e:
+            error_code = e.response['Error']['Code']
+            if error_code == 'ResourceNotFoundException':
+                raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+            elif error_code in ['AccessDeniedException', 'UnauthorizedOperation', 'UnrecognizedClientException']:
+                raise SecretManagerAuthException("delete_secret", original_error=str(e))
+            elif error_code == 'InvalidRequestException':
+                # Can occur if secret is already scheduled for deletion or in invalid state
+                raise SecretManagerServiceException("delete_secret", original_error=str(e))
+            elif error_code == 'InternalServiceErrorException':
+                raise SecretManagerServiceException("delete_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("delete_secret", original_error=str(e))
+        except BotoCoreError as e:
+            raise SecretManagerServiceException("delete_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("delete_secret", original_error=str(e))
+
+    def test_connection(self, vault_path: str) -> str:
+        try:
+            secret = self.get_secret_by_key(vault_path)
+            return secret.get('status', 'Unknown')
+        except SecretNotFoundException:
+            raise
+        except (SecretManagerAuthException, SecretManagerServiceException):
+            raise
+        except Exception as e:
+            raise SecretManagerServiceException("test_connection", original_error=str(e))

dataflow/secrets_manager/providers/azure_manager.py

@@ -0,0 +1,185 @@
+
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+from azure.core.exceptions import (
+    ResourceNotFoundError,
+    ResourceExistsError,
+    HttpResponseError,
+    ClientAuthenticationError,
+    ServiceRequestError
+)
+from ..interface import SecretManager
+from ...utils.exceptions import (
+    SecretNotFoundException,
+    SecretAlreadyExistsException,
+    SecretManagerAuthException,
+    SecretManagerServiceException
+)
+import json
+
+class AzureKeyVault(SecretManager):
+    def __init__(self, vault_url: str):
+        try:
+            credential = DefaultAzureCredential(additionally_allowed_tenants=["*"])
+            self.client = SecretClient(vault_url=vault_url, credential=credential)
+        except ClientAuthenticationError as e:
+            raise SecretManagerAuthException("initialize_azure_client", original_error=str(e))
+        except ServiceRequestError as e:
+            raise SecretManagerServiceException("initialize_azure_client", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("initialize_azure_client", original_error=str(e))
+
+    def create_secret(self, vault_path: str, secret_data: dict) -> str:
+        try:
+            # Convert dictionary to JSON string before saving
+            secret_string = json.dumps(secret_data)
+            
+            self.client.set_secret(
+                name=vault_path,
+                value=secret_string,
+                content_type="application/json",
+                tags={"description": secret_data.get("description", "Created by AzureKeyVault")}
+            )
+            return "Secret created successfully"
+        except ResourceExistsError as e:
+            raise SecretAlreadyExistsException("secret", vault_path, original_error=str(e))
+        except ClientAuthenticationError as e:
+            raise SecretManagerAuthException("create_secret", original_error=str(e))
+        except HttpResponseError as e:
+            if e.status_code == 403:
+                raise SecretManagerAuthException("create_secret", original_error=str(e))
+            elif e.status_code == 409:
+                # Check if it's a scheduled deletion case
+                if "deleted but not purged" in str(e) or "being recovered" in str(e):
+                    raise SecretAlreadyExistsException("secret", vault_path, original_error=str(e), is_scheduled_for_deletion=True)
+                else:
+                    raise SecretAlreadyExistsException("secret", vault_path, original_error=str(e))
+            elif e.status_code == 429:
+                raise SecretManagerServiceException("create_secret", original_error=str(e))
+            elif e.status_code >= 500:
+                raise SecretManagerServiceException("create_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("create_secret", original_error=str(e))
+        except ServiceRequestError as e:
+            raise SecretManagerServiceException("create_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("create_secret", original_error=str(e))
+
+    def get_secret_by_key(self, vault_path: str) -> dict:
+        try:
+            secret = self.client.get_secret(vault_path)
+            secret_string = secret.value
+            
+            # Convert JSON string back to dictionary before returning
+            secret_data = json.loads(secret_string)
+            return secret_data
+        except ResourceNotFoundError as e:
+            raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+        except ClientAuthenticationError as e:
+            raise SecretManagerAuthException("get_secret", original_error=str(e))
+        except HttpResponseError as e:
+            if e.status_code == 403:
+                raise SecretManagerAuthException("get_secret", original_error=str(e))
+            elif e.status_code == 404:
+                raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+            elif e.status_code >= 500:
+                raise SecretManagerServiceException("get_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("get_secret", original_error=str(e))
+        except json.JSONDecodeError as e:
+            raise SecretManagerServiceException("get_secret", original_error=str(e))
+        except ServiceRequestError as e:
+            raise SecretManagerServiceException("get_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("get_secret", original_error=str(e))
+
+    def update_secret(self, vault_path: str, update_data: dict) -> str:
+        try:
+            # Get current secret data
+            current_secret = self.client.get_secret(vault_path)
+            current_string = current_secret.value
+            
+            # Convert current JSON string to dictionary
+            current_data = json.loads(current_string)
+            
+            # Update with new data
+            current_data.update(update_data)
+            
+            # Convert updated dictionary back to JSON string
+            updated_string = json.dumps(current_data)
+            
+            self.client.set_secret(
+                name=vault_path,
+                value=updated_string,
+                content_type="application/json",
+                tags={"description": current_data.get("description", "")}
+            )
+            return "Secret updated successfully"
+        except ResourceNotFoundError as e:
+            raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+        except ClientAuthenticationError as e:
+            raise SecretManagerAuthException("update_secret", original_error=str(e))
+        except HttpResponseError as e:
+            if e.status_code == 403:
+                raise SecretManagerAuthException("update_secret", original_error=str(e))
+            elif e.status_code == 404:
+                raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+            elif e.status_code >= 500:
+                raise SecretManagerServiceException("update_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("update_secret", original_error=str(e))
+        except json.JSONDecodeError as e:
+            raise SecretManagerServiceException("update_secret", original_error=str(e))
+        except ServiceRequestError as e:
+            raise SecretManagerServiceException("update_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("update_secret", original_error=str(e))
+
+    def delete_secret(self, vault_path: str) -> str:
+        try:
+            if "git-ssh" in vault_path:
+                # For SSH keys, try to purge immediately after deletion
+                delete_poller = self.client.begin_delete_secret(vault_path)
+                delete_poller.wait()  # Wait for deletion to complete
+                try:
+                    # Try to purge immediately (only works if soft-delete is enabled and allows purging)
+                    self.client.purge_deleted_secret(vault_path)
+                except (ResourceNotFoundError, HttpResponseError):
+                    # Purge may fail if soft-delete is disabled or purging is not allowed - that's ok
+                    pass
+            else:
+                # For other secrets, just delete (respects soft-delete settings)
+                delete_poller = self.client.begin_delete_secret(vault_path)
+                delete_poller.wait()  # Wait for deletion to complete
+            return "Secret deleted successfully"
+        except ResourceNotFoundError as e:
+            raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+        except ClientAuthenticationError as e:
+            raise SecretManagerAuthException("delete_secret", original_error=str(e))
+        except HttpResponseError as e:
+            if e.status_code == 403:
+                raise SecretManagerAuthException("delete_secret", original_error=str(e))
+            elif e.status_code == 404:
+                raise SecretNotFoundException("secret", vault_path, original_error=str(e))
+            elif e.status_code == 409:
+                # Can occur if secret is already being deleted or in invalid state
+                raise SecretManagerServiceException("delete_secret", original_error=str(e))
+            elif e.status_code >= 500:
+                raise SecretManagerServiceException("delete_secret", original_error=str(e))
+            else:
+                raise SecretManagerServiceException("delete_secret", original_error=str(e))
+        except ServiceRequestError as e:
+            raise SecretManagerServiceException("delete_secret", original_error=str(e))
+        except Exception as e:
+            raise SecretManagerServiceException("delete_secret", original_error=str(e))
+
+    def test_connection(self, vault_path: str) -> str:
+        try:
+            secret = self.get_secret_by_key(vault_path)
+            return secret.get('status', 'Unknown')
+        except SecretNotFoundException:
+            raise
+        except (SecretManagerAuthException, SecretManagerServiceException):
+            raise
+        except Exception as e:
+            raise SecretManagerServiceException("test_connection", original_error=str(e))

dataflow/secrets_manager/service.py

@@ -0,0 +1,156 @@
+from .interface import SecretManager
+from ..schemas.connection import ConnectionSave, ConnectionUpdate, ConnectionRead
+from ..schemas.secret import SecretSave, SecretUpdate, SecretRead
+from ..schemas.git_ssh import SSHSave, SSHRead
+from abc import ABC, abstractmethod
+from typing import List
+
+# --------------------------------------------------------------------------
+# BASE ACCESSOR
+# This contains all the methods for CRUD operations on secrets, connections, and SSH keys.
+# --------------------------------------------------------------------------
+class _BaseAccessor(ABC):
+    def __init__(self, secret_manager: SecretManager):
+        self.secret_manager = secret_manager
+
+    @abstractmethod
+    def _get_vault_path(self, secret_type: str, key: str) -> str:
+        """This must be implemented by each specific context."""
+        pass
+
+    # --------------------------------------------------------------------------
+    # CONNECTION CRUD OPERATIONS
+    # --------------------------------------------------------------------------
+    def create_connection(self, connection_data: ConnectionSave) -> str:
+        """Create a new connection."""
+        vault_path = self._get_vault_path("connections", connection_data.conn_id)
+        # Convert schema to dict and then to JSON string for storage
+        connection_dict = connection_data.model_dump()
+        return self.secret_manager.create_secret(vault_path, connection_dict)
+
+    def get_connection(self, key: str) -> ConnectionRead:
+        """Get a connection by key."""
+        vault_path = self._get_vault_path("connections", key)
+        raw_data = self.secret_manager.get_secret_by_key(vault_path)
+        # Convert stored dict back to schema
+        return ConnectionRead(**raw_data)
+
+    def update_connection(self, key: str, connection_data: ConnectionUpdate) -> str:
+        """Update an existing connection."""
+        vault_path = self._get_vault_path("connections", key)
+        
+        # First, get the existing connection data
+        existing_data: dict = self.secret_manager.get_secret_by_key(vault_path)
+        
+        # Convert update schema to dict, only include non-None values
+        update_dict: dict = connection_data.model_dump(exclude_none=True)
+
+        # Merge existing data with update data
+        existing_data.update(update_dict)
+        
+        # Send the complete merged data back to storage
+        return self.secret_manager.update_secret(vault_path, existing_data)
+
+    def delete_connection(self, key: str) -> str:
+        """Delete a connection."""
+        vault_path = self._get_vault_path("connections", key)
+        return self.secret_manager.delete_secret(vault_path)
+
+    def test_connection(self, key: str):
+        """Test a connection."""
+        vault_path = self._get_vault_path("connections", key)
+        return self.secret_manager.test_connection(vault_path)
+
+    # --------------------------------------------------------------------------
+    # SSH CRUD OPERATIONS
+    # --------------------------------------------------------------------------
+    def create_ssh(self, ssh_data: SSHSave) -> str:
+        """Create a new SSH key."""
+        vault_path = self._get_vault_path("git-ssh", ssh_data.key_name)
+        # Convert schema to dict for storage
+        ssh_dict = ssh_data.model_dump()
+        return self.secret_manager.create_secret(vault_path, ssh_dict)
+
+    def get_ssh(self, key: str) -> SSHRead:
+        """Get an SSH key by key."""
+        vault_path = self._get_vault_path("git-ssh", key)
+        raw_data = self.secret_manager.get_secret_by_key(vault_path)
+        # Convert stored dict back to schema
+        return SSHRead(**raw_data)
+
+    def delete_ssh(self, key: str) -> str:
+        """Delete an SSH key."""
+        vault_path = self._get_vault_path("git-ssh", key)
+        return self.secret_manager.delete_secret(vault_path)
+
+    # --------------------------------------------------------------------------
+    # SECRET CRUD OPERATIONS
+    # --------------------------------------------------------------------------
+    def create_secret(self, secret_data: SecretSave) -> str:
+        """Create a new secret."""
+        vault_path = self._get_vault_path("secrets", secret_data.key)
+        # Convert schema to dict for storage
+        secret_dict = secret_data.model_dump()
+        return self.secret_manager.create_secret(vault_path, secret_dict)
+
+    def get_secret(self, key: str) -> SecretRead:
+        """Get a secret by key."""
+        vault_path = self._get_vault_path("secrets", key)
+        raw_data = self.secret_manager.get_secret_by_key(vault_path)
+        # Convert stored dict back to schema
+        return SecretRead(**raw_data)
+
+    def update_secret(self, key: str, secret_data: SecretUpdate) -> str:
+        """Update an existing secret."""
+        vault_path = self._get_vault_path("secrets", key)
+        # Convert schema to dict, only include non-None values
+        update_dict = secret_data.model_dump(exclude_none=True)
+        return self.secret_manager.update_secret(vault_path, update_dict)
+
+    def delete_secret(self, key: str) -> str:
+        """Delete a secret."""
+        vault_path = self._get_vault_path("secrets", key)
+        return self.secret_manager.delete_secret(vault_path)
+
+# --------------------------------------------------------------------------
+# CONTEXT-SPECIFIC ACCESSORS
+# These classes implement the logic for building the vault path based on the context.
+# --------------------------------------------------------------------------
+class _RuntimeAccessor(_BaseAccessor):
+    def __init__(self, secret_manager: SecretManager, runtime_env: str, slug: str = None):
+        super().__init__(secret_manager)
+        self.runtime_env = runtime_env
+        self.slug = slug
+
+    def _get_vault_path(self, secret_type: str, key: str) -> str:
+        # Special case for git-ssh in runtime context
+        if secret_type == "git-ssh":
+            return f"{self.runtime_env}-{secret_type}-{self.slug}"
+
+        # Standard format for all other secret types
+        context = self.slug if self.slug else "global"
+        return f"{self.runtime_env}-{context}-{secret_type}-{key}"
+
+class _StudioAccessor(_BaseAccessor):
+    def __init__(self, secret_manager: SecretManager, user_name: str):
+        super().__init__(secret_manager)
+        self.user_name = user_name
+
+    def _get_vault_path(self, secret_type: str, key: str) -> str:
+        return f"{self.user_name}-{secret_type}-{key}"
+
+# --------------------------------------------------------------------------
+# PUBLIC INTERFACE CLASS
+# This is the class external systems will interact with.
+# --------------------------------------------------------------------------
+class SecretsService:
+    def __init__(self, secret_manager: SecretManager):
+        self._secret_manager = secret_manager
+
+    def runtime(self, env: str, slug: str = None) -> _RuntimeAccessor:
+        """Sets the context to RUNTIME and returns the appropriate accessor."""
+        return _RuntimeAccessor(self._secret_manager, env, slug)
+
+    def studio(self, user: str) -> _StudioAccessor:
+        """Sets the context to STUDIO and returns the appropriate accessor."""
+        return _StudioAccessor(self._secret_manager, user)