Quick Start
1. Install
2. Choose a backend
No server required. Great for local development.
```python
from credential_bridge import SecretsManager

sm = SecretsManager("env", path=".env")

# "database" is the group label written as a comment header in the file
sm.add_secret("database", {"DB_HOST": "localhost", "DB_PORT": "5432"})

# Retrieve a single key by its env-var name
result = sm.get_secret("DB_HOST")
print(result["DB_HOST"])  # localhost

# Or retrieve all keys in a group by the group label
result = sm.get_secret("database")
print(result)  # {"DB_HOST": "localhost", "DB_PORT": "5432"}
```
Via CLI:
OS-encrypted local credential storage.
```python
from credential_bridge import SecretsManager

sm = SecretsManager("keyring", service_name="myapp")
sm.add_secret("github_token", {"github_token": "ghp_abc123"})
result = sm.get_secret("github_token")
print(result["github_token"])  # ghp_abc123
```
Via CLI:
Production-grade centralised secrets. Set VAULT_ADDR first.
```python
from credential_bridge import SecretsManager

sm = SecretsManager("vault")  # reads from env vars
sm.add_secret("myapp/database", {"user": "admin", "pass": "s3cr3t"})
result = sm.get_secret("myapp/database")
print(result["user"])  # admin
```
Via CLI:
3. Handle errors
```python
from credential_bridge import (
    SecretsManager,
    CredentialBridgeError,
    VaultSecretNotFoundError,
    EnvFileNotFoundError,
)

sm = SecretsManager("env", path=".env")

try:
    result = sm.get_secret("MISSING_KEY")
except EnvFileNotFoundError:
    print("Key not in .env file")
except CredentialBridgeError as e:
    print(f"Error: {e}")
```
4. Switch backends with no code changes
The same five methods work across all backends:
```python
# Development
sm = SecretsManager("env", path=".env")

# Staging
sm = SecretsManager("keyring", service_name="myapp-staging")

# Production: just change the constructor
sm = SecretsManager("vault", vault_url="https://vault.example.com", vault_token="s.xxx")

# The rest of your code is identical
result = sm.get_secret("myapp/database")
```
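One way to make the backend a deployment setting rather than a code edit, as an added example that is not part of the credential_bridge project. The variable names `APP_STAGE` and `APP_ENV_FILE` and the https-only rule for `VAULT_ADDR` are assumptions of this example; the constructor arguments are the ones shown above.

```python
import os
from urllib.parse import urlparse

# Hypothetical variable name chosen for this example (not defined by
# credential_bridge). VAULT_ADDR is the variable the vault backend reads.
STAGE_VAR = "APP_STAGE"


def backend_config(environ):
    """Map a deployment stage to (backend_name, constructor_kwargs).

    Raises ValueError instead of silently falling back to a weaker backend.
    """
    stage = environ.get(STAGE_VAR, "")
    if stage == "development":
        # APP_ENV_FILE is a hypothetical override for the .env location.
        return "env", {"path": environ.get("APP_ENV_FILE", ".env")}
    if stage == "staging":
        return "keyring", {"service_name": "myapp-staging"}
    if stage == "production":
        parsed = urlparse(environ.get("VAULT_ADDR", ""))
        # Assumed policy for this example: production must use TLS.
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("production requires an https:// VAULT_ADDR")
        # No kwargs: the vault backend reads its settings from env vars,
        # so no token is written into source code.
        return "vault", {}
    raise ValueError(f"{STAGE_VAR} must be development, staging or production")


def build_manager(environ=os.environ):
    """Construct the SecretsManager for the current deployment stage."""
    # Imported lazily so backend_config() can be tested without the library.
    from credential_bridge import SecretsManager

    backend, kwargs = backend_config(environ)
    return SecretsManager(backend, **kwargs)
```

Application code calls `build_manager()` once at startup and uses the returned object exactly as in the snippets above.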
5. Try the interactive wizard
The wizard guides you through all operations with tab-completion and masked secret input.
What's next?
- Backend comparison — which backend fits your use case
- SecretsManager — facade API and custom backends
- CLI reference — all commands and flags