Add support for AWS Secrets Manager

Author: mavwolverine

Makefile

@@ -13,7 +13,7 @@ refresh-lockfiles:
 	find requirements/ -name '*.txt' ! -name 'all.txt' -type f -delete
 	pip-compile -q --no-emit-index-url --resolver backtracking -o requirements/linting.txt requirements/linting.in
 	pip-compile -q --no-emit-index-url --resolver backtracking -o requirements/testing.txt requirements/testing.in
-	pip-compile -q --no-emit-index-url --resolver backtracking --extra toml --extra yaml --extra azure-key-vault -o requirements/pyproject.txt pyproject.toml
+	pip-compile -q --no-emit-index-url --resolver backtracking --extra toml --extra yaml --extra azure-key-vault --extra aws-secrets-manager -o requirements/pyproject.txt pyproject.toml
 	pip install --dry-run -r requirements/all.txt
 
 .PHONY: format

pydantic_settings/__init__.py

@@ -1,6 +1,7 @@
 from .main import BaseSettings, CliApp, SettingsConfigDict
 from .sources import (
     CLI_SUPPRESS,
+    AWSSecretsManagerSettingsSource,
     AzureKeyVaultSettingsSource,
     CliExplicitFlag,
     CliImplicitFlag,
@@ -50,6 +51,7 @@
     'TomlConfigSettingsSource',
     'YamlConfigSettingsSource',
     'AzureKeyVaultSettingsSource',
+    'AWSSecretsManagerSettingsSource',
     'get_subcommand',
     '__version__',
 )

pydantic_settings/sources.py

@@ -111,6 +111,19 @@ def import_azure_key_vault() -> None:
         ) from e
 
 
+def import_aws_secrets_manager() -> None:
+    global boto3_client
+    global SecretsManagerClient
+
+    try:
+        from boto3 import client as boto3_client
+        from mypy_boto3_secretsmanager.client import SecretsManagerClient
+    except ImportError as e:
+        raise ImportError(
+            'AWS Secrets Manager dependencies are not installed, run `pip install pydantic-settings[aws-secrets-manager]`'
+        ) from e
+
+
 DotenvType = Union[Path, str, Sequence[Union[Path, str]]]
 PathType = Union[Path, str, Sequence[Union[Path, str]]]
 DEFAULT_PATH: PathType = Path('')
@@ -2250,6 +2263,43 @@ def __repr__(self) -> str:
         return f'{self.__class__.__name__}(url={self._url!r}, ' f'env_nested_delimiter={self.env_nested_delimiter!r})'
 
 
+class AWSSecretsManagerSettingsSource(EnvSettingsSource):
+    _secret_id: str
+    _secretsmanager_client: SecretsManagerClient  # type: ignore
+
+    def __init__(
+        self,
+        settings_cls: type[BaseSettings],
+        secret_id: str,
+        env_prefix: str | None = None,
+        env_parse_none_str: str | None = None,
+        env_parse_enums: bool | None = None,
+    ) -> None:
+        import_aws_secrets_manager()
+        self._secretsmanager_client = boto3_client('secretsmanager')  # type: ignore
+        self._secret_id = secret_id
+        super().__init__(
+            settings_cls,
+            case_sensitive=True,
+            env_prefix=env_prefix,
+            env_nested_delimiter='--',
+            env_ignore_empty=False,
+            env_parse_none_str=env_parse_none_str,
+            env_parse_enums=env_parse_enums,
+        )
+
+    def _load_env_vars(self) -> Mapping[str, Optional[str]]:
+        response = self._secretsmanager_client.get_secret_value(SecretId=self._secret_id)
+
+        return json.loads(response['SecretString'])
+
+    def __repr__(self) -> str:
+        return (
+            f'{self.__class__.__name__}(secret_id={self._secret_id!r}, '
+            f'env_nested_delimiter={self.env_nested_delimiter!r})'
+        )
+
+
 def _get_env_var_key(key: str, case_sensitive: bool = False) -> str:
     return key if case_sensitive else key.lower()
 

pyproject.toml

@@ -47,9 +47,10 @@ dependencies = [
 dynamic = ['version']
 
 [project.optional-dependencies]
-yaml = ["pyyaml>=6.0.1"]
+yaml = ["pyyaml>=6.0.2"]
 toml = ["tomli>=2.0.1"]
 azure-key-vault = ["azure-keyvault-secrets>=4.8.0", "azure-identity>=1.16.0"]
+aws-secrets-manager = ["boto3>=1.35.0", "boto3-stubs[secretsmanager]"]
 
 [project.urls]
 Homepage = 'https://github.com/pydantic/pydantic-settings'

requirements/linting.in

@@ -3,5 +3,6 @@ ruff
 pyupgrade
 mypy
 types-PyYAML
-pyyaml==6.0.1
+pyyaml==6.0.2
 pre-commit
+boto3-stubs[secretsmanager]

requirements/linting.txt

@@ -6,6 +6,10 @@
 #
 black==24.8.0
     # via -r requirements/linting.in
+boto3-stubs[secretsmanager]==1.37.8
+    # via -r requirements/linting.in
+botocore-stubs==1.37.8
+    # via boto3-stubs
 cfgv==3.4.0
     # via pre-commit
 click==8.1.7
@@ -18,6 +22,8 @@ identify==2.6.0
     # via pre-commit
 mypy==1.11.2
     # via -r requirements/linting.in
+mypy-boto3-secretsmanager==1.37.0
+    # via boto3-stubs
 mypy-extensions==1.0.0
     # via
     #   black
@@ -36,7 +42,7 @@ pre-commit==3.5.0
     # via -r requirements/linting.in
 pyupgrade==3.16.0
     # via -r requirements/linting.in
-pyyaml==6.0.1
+pyyaml==6.0.2
     # via
     #   -r requirements/linting.in
     #   pre-commit
@@ -48,8 +54,12 @@ tomli==2.0.1
     # via
     #   black
     #   mypy
+types-awscrt==0.23.10
+    # via botocore-stubs
 types-pyyaml==6.0.12.20240808
     # via -r requirements/linting.in
+types-s3transfer==0.11.4
+    # via boto3-stubs
 typing-extensions==4.12.2
     # via
     #   black

requirements/pyproject.txt

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
-#    pip-compile --extra=azure-key-vault --extra=toml --extra=yaml --no-emit-index-url --output-file=requirements/pyproject.txt pyproject.toml
+#    pip-compile --extra=aws-secrets-manager --extra=azure-key-vault --extra=toml --extra=yaml --no-emit-index-url --output-file=requirements/pyproject.txt pyproject.toml
 #
 annotated-types==0.7.0
     # via pydantic
@@ -14,6 +14,16 @@ azure-identity==1.17.1
     # via pydantic-settings (pyproject.toml)
 azure-keyvault-secrets==4.8.0
     # via pydantic-settings (pyproject.toml)
+boto3==1.37.8
+    # via pydantic-settings (pyproject.toml)
+boto3-stubs[secretsmanager]==1.37.8
+    # via pydantic-settings (pyproject.toml)
+botocore==1.37.8
+    # via
+    #   boto3
+    #   s3transfer
+botocore-stubs==1.37.8
+    # via boto3-stubs
 certifi==2024.8.30
     # via requests
 cffi==1.17.1
@@ -29,12 +39,18 @@ idna==3.8
     # via requests
 isodate==0.6.1
     # via azure-keyvault-secrets
+jmespath==1.0.1
+    # via
+    #   boto3
+    #   botocore
 msal==1.31.0
     # via
     #   azure-identity
     #   msal-extensions
 msal-extensions==1.2.0
     # via azure-identity
+mypy-boto3-secretsmanager==1.37.0
+    # via boto3-stubs
 portalocker==2.10.1
     # via msal-extensions
 pycparser==2.22
@@ -47,20 +63,28 @@ pyjwt[crypto]==2.9.0
     # via
     #   msal
     #   pyjwt
+python-dateutil==2.9.0.post0
+    # via botocore
 python-dotenv==1.0.1
     # via pydantic-settings (pyproject.toml)
-pyyaml==6.0.1
+pyyaml==6.0.2
     # via pydantic-settings (pyproject.toml)
 requests==2.32.3
     # via
     #   azure-core
     #   msal
+s3transfer==0.11.4
+    # via boto3
 six==1.16.0
     # via
     #   azure-core
     #   isodate
 tomli==2.0.1
     # via pydantic-settings (pyproject.toml)
+types-awscrt==0.23.10
+    # via botocore-stubs
+types-s3transfer==0.11.4
+    # via boto3-stubs
 typing-extensions==4.12.2
     # via
     #   azure-core
@@ -71,5 +95,7 @@ typing-extensions==4.12.2
     #   typing-inspection
 typing-inspection==0.4.0
     # via pydantic-settings (pyproject.toml)
-urllib3==2.2.2
-    # via requests
+urllib3==2.3.0
+    # via
+    #   botocore
+    #   requests