A custom Django field that integrates with the 1Password op CLI to securely access secrets via the op:// secret reference URI.
- Python 3.8, 3.9, 3.10, 3.11, 3.12
- Django 4.2, 5.0
- 1Password CLI and a 1Password Service Account
-
Install the package from PyPI:
python -m pip install django-opfield
-
Install the 1Password
opCLI tool, making sure it is callable from wherever your application is running. -
Create a 1Password service account and make the service account's token available to your application.
Choose one option:
-
Set the
OP_SERVICE_ACCOUNT_TOKENenvironment variable -
Configure in your application's
settings.py:# settings.py DJANGO_OPFIELD = { # Explicitly set here only as an example # Use whatever configuration/environment library you prefer # (`python-dotenv`, `django-environs`, `environs`, etc.) "OP_SERVICE_ACCOUNT_TOKEN": "super-secret-token", }
-
OPField allows Django models to securely access secrets stored in a 1Password vault, enabling the integration of sensitive data without exposing it directly in your codebase. Secrets are stored using the op:// URI scheme and can be retrieved dynamically using a corresponding model attribute, <field_name>_secret.
First, let's define a model that includes the OPField. This field will store the reference to the secret in 1Password, not the secret itself.
from django.db import models
from django_opfield.fields import OPField
class APIService(models.Model):
name = models.CharField(max_length=255)
api_key = OPField()
def __str__(self):
return self.nameAssume you have a secret API key stored in a 1Password vault named "my_vault" under the item "my_api" with the field "api_key". Here's how you can store and access this secret within your Django project:
>>> from example.models import APIService
>>> my_api = APIService.objects.create(
... name="My API", api_key="op://my_vault/my_api/api_key"
... )
>>> print(my_api)
<APIService: My API>
>>> print(my_api.name)
'My API'
>>> print(my_api.api_key)
'op://my_vault/my_api/api_key'
>>> # Retrieving the actual secret value is done using the automatically generated '_secret' attribute
>>> print(my_api.api_key_secret)
'your_super_secret_api_token_here'Only the URI reference to the secret is ever stored and exposed in the Django admin interface and the database. The actual secret itself is never stored and is only retrieved dynamically when accessed. This approach enables secure management and access to secrets throughout your Django application, safeguarding against potential security vulnerabilities associated with direct exposure.
Please refer to the documentation for more information.
django-opfield is licensed under the MIT license. See the LICENSE file for more information.