Migrate Python Applications

Before you follow the steps in this guide, migrate your secrets from SecretHub to 1Password.

1. Set up a 1Password Connect Server

With SecretHub, all integrations connect directly to the SecretHub API. Every time a secret is used, the encrypted data is fetched from the SecretHub servers. In contrast, with 1Password Secrets Automation, you can securely access secrets in your company’s apps and cloud infrastructure using a private REST API provided by a self-hosted 1Password Connect server, which uses 1Password.com as a backend. This means secrets are served to your applications with very low latency, and in the rare event that the 1Password.com API is down, your secrets are still served from the Connect server.

Your applications fetch secrets from Connect using any of the integrations or by using the Connect API directly.

Secrets served to your applications via the Connect Server.

Follow the steps to get started with a 1Password Secrets Automation workflow and deploy the Connect server using your credentials. You’ll also get an access token to authenticate your application with the REST API.

2. Use the 1Password Connect SDK

Use the 1Password Connect SDK to load secrets into your Python applications.

You can use dictionaries with opitem and opfield keys to load multiple secrets directly into a dict. For example:

import os

import onepasswordconnectsdk
from onepasswordconnectsdk.client import (
  Client,
  new_client_from_environment
)

# Set OP_CONNECT_TOKEN environment variable to configure this client.
client: Client = new_client_from_environment(os.getenv("OP_CONNECT_HOST"))

# Each key of the result maps to an item (opitem) and a field (opfield).
config = onepasswordconnectsdk.load_dict(client, {
    "database": {
        "opitem": "Database",
        "opfield": ".database",
    },
    "username": {
        "opitem": "Database",
        "opfield": ".username",
    },
    "password": {
        "opitem": "Database",
        "opfield": ".password",
    },
})

# Use the config: load_dict returns a dict, so read values by key.
config["username"]

If you want to use different secrets for each environment, use a unique vault for each one. You can specify the vault you want to use with the OP_VAULT environment variable.

The OP_CONNECT_HOST is specified in the environment. You’ll need to configure the environment to point to the hostname or IP address of the Connect server you set up in the first step of this guide. Some possible values are:

  • connect-api:8080 if the Connect server is running in the same Kubernetes cluster as your application.
  • localhost:8080 if the Connect server is running in Docker on the same host.
  • <ip>:8080 or <hostname>:8080 if the Connect server is running on another host.

Use the access token you created when setting up 1Password Secrets Automation to set the OP_CONNECT_TOKEN. If you want to use other applications with the same Connect server, learn how to issue additional access tokens.
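A startup check for the OP_CONNECT_HOST, OP_CONNECT_TOKEN and OP_VAULT settings described above, as an added example that is not part of the original guide or of the 1Password SDK. The function names, the specific checks, and treating OP_VAULT as required are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

# Treating OP_VAULT as required is an assumption of this example.
REQUIRED = ("OP_CONNECT_HOST", "OP_CONNECT_TOKEN", "OP_VAULT")


def check_connect_env(env):
    """Return a list of problems with the Connect settings; empty means OK."""
    problems = [f"{name} is not set" for name in REQUIRED
                if not env.get(name, "").strip()]
    host = env.get("OP_CONNECT_HOST", "").strip()
    if host:
        try:
            # Accept "host:port" as well as a full URL.
            parts = urlsplit(host if "://" in host else f"//{host}")
            parts.port  # raises ValueError on a non-numeric or out-of-range port
            if not parts.hostname:
                problems.append("OP_CONNECT_HOST has no hostname")
            if parts.username or parts.password:
                problems.append("OP_CONNECT_HOST must not embed credentials")
        except ValueError:
            problems.append("OP_CONNECT_HOST is not a valid host:port or URL")
    token = env.get("OP_CONNECT_TOKEN", "")
    if token.strip() and token != token.strip():
        # Catch stray whitespace from copy-paste or env files.
        problems.append("OP_CONNECT_TOKEN has leading or trailing whitespace")
    return problems


def safe_summary(env):
    """Settings in a form that can be logged: the token value never appears."""
    token = env.get("OP_CONNECT_TOKEN", "")
    return {
        "OP_CONNECT_HOST": env.get("OP_CONNECT_HOST", ""),
        "OP_VAULT": env.get("OP_VAULT", ""),
        "OP_CONNECT_TOKEN": f"<set, {len(token)} chars>" if token else "<missing>",
    }


if __name__ == "__main__":
    found = check_connect_env(os.environ)
    if found:
        raise SystemExit("Connect configuration problems: " + "; ".join(found))
    print(safe_summary(os.environ))
```

Run it before creating the client so a missing or malformed setting stops the application at startup, and log only the output of safe_summary so the access token stays out of log files.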

Your secrets are now provisioned to your Python applications with 1Password! 🎉