Secret Provider¶
Status: Available in ETLantic 0.5+ (protocol in
etlantic.secrets). Built-in providers: environment variables and mounted files. Optional OS keyring viaetlantic-keyring. AWS Secrets Manager / Vault remain future design.
A Secret Provider resolves logical SecretRef objects into short-lived,
redacted values for authorized runtime consumers.
Responsibilities¶
A provider:
- declares supported reference forms via
SecretProviderDescriptor - retrieves a secret only during execution (never during planning)
- returns a protected
SecretValue - applies bounded in-memory cache policy where appropriate
- closes clients where supported
A provider must not add values to plans, log request or response bodies, or define pipeline semantics.
Shipped Protocol¶
from collections.abc import AsyncIterator
from typing import Protocol
from etlantic.secrets import (
ProviderContext,
SecretProvider,
SecretProviderDescriptor,
SecretRef,
SecretResolutionContext,
SecretValue,
)
class SecretProvider(Protocol):
@property
def descriptor(self) -> SecretProviderDescriptor: ...
async def resolve(
self,
reference: SecretRef,
context: SecretResolutionContext,
) -> SecretValue: ...
async def lifespan(self, context: ProviderContext) -> AsyncIterator[None]: ...
Built-ins:
from etlantic.secrets import EnvSecretProvider, MountedFileSecretProvider
env = EnvSecretProvider(prefix="ETLANTIC_SECRET_")
files = MountedFileSecretProvider(root="/run/secrets")
Conformance¶
Third-party providers should pass
etlantic.testing.run_secret_conformance_suite(provider).
Production profiles¶
Use Profile.plugin_allowlist for engine plugins. Secret providers are
attached to the runtime / profile configuration—never embed resolved values in
plans or reports. See
Secrets Management and
Runtime configuration.
Not shipped¶
- AWS Secrets Manager / HashiCorp Vault providers
- TOML-based secret backend selection (
etlantic.toml)
Next Step¶
Continue with Testing Plugins for conformance suites, or Secrets Management for operator guidance.