Skip to content

VaultSource#

VaultSource loads configuration from HashiCorp Vault KV secrets engines. It is the shipped implementation of the abstract RemoteSource base class.

Quickstart#

Install the extra (pulls hvac):

pip install dature[vault]              # runtime only
pip install dature[vault,type-stubs]   # runtime + mypy/pyright stubs for hvac
import os
from dataclasses import dataclass

import dature


@dataclass
class Config:
    db_password: str
    port: int
    name: str


config = dature.load(
    dature.VaultSource(
        url=os.environ["VAULT_ADDR"],
        token=os.environ["VAULT_TOKEN"],
        path="myapp/config",
    ),
    schema=Config,
)

assert config == Config(db_password="s3cret", port=5432, name="myapp")  # noqa: S106

VaultSource fields#

  • url — Vault address.
  • path — secret path inside the mount (required).
  • token or role_id + secret_id — authentication (mutually exclusive).
  • mount_point — secrets engine mount; default "secret".
  • kv_version1 or 2; default 2.
  • namespace — Vault Enterprise namespace.
  • verify — TLS verification (True, a CA bundle path, or False).

Global configuration via configure()#

Connection settings rarely change per-call, so they can be set once via dature.configure(vault={...}) (or the matching DATURE_VAULT__* env vars):

import os
from dataclasses import dataclass

import dature


@dataclass
class Config:
    db_password: str
    port: int
    name: str


dature.configure(
    vault={
        "url": os.environ["VAULT_ADDR"],
        "token": os.environ["VAULT_TOKEN"],
    },
)

config = dature.load(dature.VaultSource(path="myapp/config"), schema=Config)

assert config == Config(db_password="s3cret", port=5432, name="myapp")  # noqa: S106

Precedence (highest first): instance fields → configure()DATURE_VAULT__* env. None on the instance means "fall through to the next layer". See Configure for the full picture.

Combining with other sources#

VaultSource composes with file/env/CLI sources via load() like any other source. A common pattern is JSON/YAML for non-sensitive defaults, Vault for secrets, env or CLI for last-mile overrides — order in load() controls precedence (default last_wins). See Merging.