websauna.utils.secrets module

INI-file based secrets reading.

exception websauna.utils.secrets.MissingSecretsEnvironmentVariable[source]

Bases: Exception

Thrown when we try to interpolate an environment variable that does not exist.

websauna.utils.secrets.read_ini_secrets(secrets_file, strict=True)[source]

Read plaintext .INI file to pick up secrets.

Dummy secrets handler with no encryption: the INI file is read as plaintext. Creates dictionary keys in the format [ini section name].[ini key name] = value. Entries with a leading $ are expanded from environment variables.

Example INI contents:

secret = CHANGEME

# This is a secret seed used in various OAuth related keys
secret = CHANGEME


The following secrets_file formats are supported:

  • A path relative to the current working directory, e.g. test-secrets.ini

  • Absolute path using file:// URL: file:///etc/myproject/mysecrets.ini

  • A path relative to a deployed Python package, e.g. resource://websauna/conf/test-settings.ini

Parameters

  • secrets_file – URI like resource://websauna/conf/test-settings.ini

  • strict – Bail out of the environment variable expansion if the environment variable is not set. Useful e.g. for testing, when not all users are assumed to know all secrets. In non-strict mode, if the environment variable is missing, the secret value is set to None.

Return type



ConfigParser instance.
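The semantics described above, as an added sketch that is not Websauna's own code: a stand-alone loader that flattens sections to section.key, expands $ entries in strict and non-strict mode, and then audits the result for the failure modes a plaintext handler leaves open (loose file permissions, CHANGEME placeholders, secrets that became None). The names MissingEnvVar, load_secrets, audit and demo, the section names and DEMO_OAUTH_SECRET are assumptions made for this example.

```python
import configparser
import os
import tempfile


class MissingEnvVar(Exception):
    """Stand-in for MissingSecretsEnvironmentVariable (hypothetical name)."""


def load_secrets(path, strict=True, environ=os.environ):
    """Flatten an INI file to {"section.key": value}, expanding $VAR entries."""
    parser = configparser.ConfigParser(interpolation=None)
    with open(path) as f:
        parser.read_file(f)
    secrets = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            if value.startswith("$"):
                name = value[1:]
                if strict and name not in environ:
                    raise MissingEnvVar(f"{section}.{key} needs ${name}")
                value = environ.get(name)  # None when missing in non-strict mode
            secrets[f"{section}.{key}"] = value
    return secrets


def audit(path, secrets):
    """Return findings that should be resolved before the application starts."""
    findings = []
    if os.stat(path).st_mode & 0o077:  # any group/other permission bit set
        findings.append("file accessible by group/other")
    for name, value in sorted(secrets.items()):
        if value is None:
            findings.append(f"{name}: unset environment variable")
        elif value == "CHANGEME":
            findings.append(f"{name}: placeholder value")
    return findings


def demo():
    """Constructed sample: one placeholder, one missing $VAR, mode 0644."""
    ini = "[authentication]\nsecret = CHANGEME\n\n[oauth]\nsecret = $DEMO_OAUTH_SECRET\n"
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write(ini)
    os.chmod(f.name, 0o644)
    try:
        return audit(f.name, load_secrets(f.name, strict=False, environ={}))
    finally:
        os.unlink(f.name)
```

Running the audit on non-strict loads matters most, because a missing variable produces a None secret rather than an error.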


Resolve secrets location.