Secrets

thoth.shared.utils.secrets

Google Cloud Secret Manager integration for secure credential management.

logger = setup_logger(__name__) module-attribute

SecretManagerClient

Client for reading secrets from Google Cloud Secret Manager.

Provides lazy-initialization of the Secret Manager API client and fallback to environment variables when the API is unavailable or when running locally. Used for GitLab tokens, GCP credentials, etc.

project_id = project_id or os.getenv('GCP_PROJECT_ID') instance-attribute

__init__(project_id: str | None = None)

Initialize the Secret Manager client (API not called until first use).

Parameters:

project_id (str | None, default: None): GCP project ID for Secret Manager. If None, uses the GCP_PROJECT_ID environment variable.

Returns:

None.

get_secret(secret_id: str, version: str = 'latest') -> str | None cached

Get a secret value from Secret Manager.

Parameters:

secret_id (str, required): The ID of the secret to retrieve.

version (str, default: 'latest'): The version of the secret.

Returns:

str | None: The secret value as a string, or None if not found.

get_gitlab_token() -> str | None

Get GitLab access token.

Returns:

str | None: GitLab token or None.

get_gitlab_url() -> str

Get GitLab base URL.

Returns:

str: GitLab URL (defaults to https://gitlab.com).

get_google_credentials() -> str | None

Get Google application credentials JSON.

Returns:

str | None: Credentials JSON string or None.

get_secret_manager() -> SecretManagerClient

Return the global SecretManagerClient singleton, creating it if needed.

Uses a module-level variable so that all callers share the same client and lazy-initialization happens only once.

Returns:

SecretManagerClient: The global SecretManagerClient instance.
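The behaviour documented above (lazy client creation, environment-variable fallback, a cached get_secret, one shared instance) has an operational consequence for rotation: a value fetched once keeps being served until the cache is cleared or the process restarts. The sketch below is an added example, not thoth's code. SketchSecretClient, FakeBackend, demo, the use of functools.lru_cache and the secret-ID-to-environment-variable mapping are all assumptions, since the page only marks get_secret as cached.

```python
import os
from functools import lru_cache


class FakeBackend:
    """Constructed stand-in for the Secret Manager API (no network access)."""

    def __init__(self, secrets):
        self.secrets, self.calls = secrets, 0

    def access(self, project_id, secret_id, version):
        self.calls += 1
        return self.secrets[(project_id, secret_id)]  # KeyError if absent


class SketchSecretClient:
    """Hypothetical sketch of the documented behaviour, not thoth's code."""

    def __init__(self, project_id=None, backend_factory=None):
        self.project_id = project_id or os.getenv("GCP_PROJECT_ID")
        self._factory = backend_factory  # None models "API unavailable"
        self._backend = None             # lazy: built on first get_secret()

    @lru_cache(maxsize=128)  # assumed cache; keyed on the call args incl. self
    def get_secret(self, secret_id, version="latest"):
        if self._backend is None and self._factory and self.project_id:
            self._backend = self._factory()
        if self._backend is not None:
            try:
                return self._backend.access(self.project_id, secret_id, version)
            except KeyError:
                pass  # not in the store: fall through to the environment
        # Assumed mapping: "gitlab-token" -> GITLAB_TOKEN
        return os.getenv(secret_id.upper().replace("-", "_"))


def demo():
    backend = FakeBackend({("proj", "gitlab-token"): "constructed-v1"})
    client = SketchSecretClient("proj", lambda: backend)
    first = client.get_secret("gitlab-token")
    backend.secrets[("proj", "gitlab-token")] = "constructed-v2"  # rotation
    stale = client.get_secret("gitlab-token")    # cache hit: still v1
    SketchSecretClient.get_secret.cache_clear()  # or restart the process
    fresh = client.get_secret("gitlab-token")    # refetched: v2
    os.environ["LOCAL_ONLY"] = "from-env"        # constructed local setting
    local = SketchSecretClient().get_secret("local-only")  # no backend
    return first, stale, fresh, backend.calls, local
```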