django-opfield¶
A custom Django field that integrates with the 1Password op
CLI to securely access secrets via the op://
secret reference URI.
Requirements¶
Python 3.8, 3.9, 3.10, 3.11, 3.12
Django 4.2, 5.0
Getting Started¶
Install the package from PyPI:
python -m pip install django-opfield
Install the 1Password
op
CLI tool, making sure it is callable from wherever your application is running.Create a 1Password service account and make the service account’s token available to your application.
Choose one option:
Set the
OP_SERVICE_ACCOUNT_TOKEN
environment variableConfigure in your application’s
settings.py
:# settings.py DJANGO_OPFIELD = { # Explicitly set here only as an example # Use whatever configuration/environment library you prefer # (`python-dotenv`, `django-environs`, `environs`, etc.) "OP_SERVICE_ACCOUNT_TOKEN": "super-secret-token", }
Usage¶
OPField
allows Django models to securely access secrets stored in a 1Password vault, enabling the integration of sensitive data without exposing it directly in your codebase. Secrets are stored using the op://
URI scheme and can be retrieved dynamically using a corresponding model attribute, <field_name>_secret
.
Defining a model¶
First, let’s define a model that includes the OPField
. This field will store the reference to the secret in 1Password, not the secret itself.
from django.db import models
from django_opfield.fields import OPField
class APIService(models.Model):
name = models.CharField(max_length=255)
api_key = OPField()
def __str__(self):
return self.name
Accessing the secret¶
Assume you have a secret API key stored in a 1Password vault named “my_vault” under the item “my_api” with the field “api_key”. Here’s how you can store and access this secret within your Django project:
>>> from example.models import APIService
>>> my_api = APIService.objects.create(
... name="My API", api_key="op://my_vault/my_api/api_key"
... )
>>> print(my_api)
<APIService: My API>
>>> print(my_api.name)
'My API'
>>> print(my_api.api_key)
'op://my_vault/my_api/api_key'
>>> # Retrieving the actual secret value is done using the automatically generated '_secret' attribute
>>> print(my_api.api_key_secret)
'your_super_secret_api_token_here'
Storing references, not secrets¶
Only the URI reference to the secret is ever stored and exposed in the Django admin interface and the database. The actual secret itself is never stored and is only retrieved dynamically when accessed. This approach enables secure management and access to secrets throughout your Django application, safeguarding against potential security vulnerabilities associated with direct exposure.
Documentation¶
Please refer to the documentation for more information.
License¶
django-opfield
is licensed under the MIT license. See the LICENSE
file for more information.