
Using KMS encrypted passwords in Python

Typical usage of Python scripts in Matillion ETL involves the inclusion of credentials. It is always ill-advised to store a password in plaintext in a component.

Matillion ETL does not allow Python scripts to take passwords directly from the Password Manager, as this would allow users to print stored passwords within the client.

The solution is for the user to decrypt their own passwords from within a Python Script.


Instructions

  1. Import the required modules. This example uses boto3 and base64.

    import boto3
    import base64
    
  2. Encrypt the password or client secret before including it in a Matillion ETL Python script. Do this using the AWS CLI command:

    aws kms encrypt --key-id <keyid> --plaintext <clientsecret>
    

    Where keyid is your KMS key ID and clientsecret is the plaintext to be encrypted—in this case, your password or client secret. To learn more, read the AWS KMS Encrypt documentation.

  3. Once encrypted, you can safely store the credential in your Python script using the variable kms_encrypted_secret.

    kms_encrypted_secret = "MyEncryptedSecret"
    
  4. Set a variable, client to the AWS KMS client class.

    client = boto3.client('kms')
    
  5. Call decrypt, a method of the client object created above, to have AWS decrypt the encrypted password or secret. The CiphertextBlob copied from the CLI output is Base64-encoded, so it must be Base64-decoded before it is passed in.

    decrypted_key = client.decrypt(CiphertextBlob=base64.b64decode(kms_encrypted_secret))
    
  6. Set the returned value to a variable. In this case, client_secret.

    client_secret = decrypted_key['Plaintext']

Note

If you have chosen different names for your variables, make sure to amend the copyable text above.

Warning

Note that the client_secret can still be printed and exposed.


Example

import boto3
import base64

###################################################################################
# Set client_id from the API provider to get an access token for.

# The client secret below should be KMS encrypted; this can be done via the aws command line.
# Example - aws kms encrypt --key-id <your key id> --plaintext <client secret>
# The resulting CiphertextBlob should be copied below.

kms_encrypted_secret = "AQECAHg+HylJSUf4LDePe5tdYU5K/SBuMmi5+Ho+Cwqoym7hBgAAAHIwcAYJKoZIhvcNAQcGoGMwYQIBADBcBgkqhkiG9w0BGwEwHgYJYIZIAWUDBAEuUBOSCCigq0ubRf++flIaigIBEIAvhDSvD43P7M1MSq3dcX8yMqzfN4TF6xF+bNu/L6MV6M95Zcdn4Qze5uuH1OYUXEY="

###################################################################################

client = boto3.client('kms')

# Call AWS to decrypt the encrypted secret (the CiphertextBlob is Base64-encoded, so decode it first)
decrypted_key = client.decrypt(CiphertextBlob=base64.b64decode(kms_encrypted_secret))

# Set the returned value to the client_secret variable
# (under Python 3, boto3 returns Plaintext as bytes; use client_secret.decode('utf-8') if a str is required)
client_secret = decrypted_key['Plaintext']

# Don't print this unless you really need to!
# print(client_secret)
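The following is an added example, not Matillion's own code, that wraps the decrypt step from the instructions above in a small function so the script gets a usable str back, binds the ciphertext to an EncryptionContext (a real parameter of the KMS Decrypt API that must match the one used at encrypt time), rejects malformed Base64 before any AWS call, and never puts the secret itself into a log line. `FakeKmsClient`, `SAMPLE_CIPHERTEXT_B64`, the toy "decryption" (byte reversal) and the `redacted` helper are all constructed here so the block runs offline; with real credentials the client argument would be `boto3.client('kms')` and the ciphertext the CiphertextBlob from `aws kms encrypt`.

```python
import base64
import binascii


def decrypt_secret(kms_client, kms_encrypted_secret, encryption_context=None):
    """Decrypt a KMS-encrypted secret and return it as a str.

    kms_client: an object exposing a boto3-style
        decrypt(CiphertextBlob=..., EncryptionContext=...) method.
    kms_encrypted_secret: the Base64 CiphertextBlob string from `aws kms encrypt`.
    encryption_context: optional dict; KMS refuses to decrypt unless it matches
        the context supplied at encrypt time, which stops a ciphertext being
        reused for a different purpose.
    """
    # The CLI prints CiphertextBlob as Base64; validate=True rejects stray
    # characters (a common copy/paste error) before any network call is made.
    try:
        ciphertext = base64.b64decode(kms_encrypted_secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("kms_encrypted_secret is not valid Base64") from exc

    params = {"CiphertextBlob": ciphertext}
    if encryption_context:
        params["EncryptionContext"] = encryption_context
    response = kms_client.decrypt(**params)

    # boto3 returns Plaintext as bytes under Python 3; callers want a str.
    plaintext = response["Plaintext"]
    if isinstance(plaintext, bytes):
        plaintext = plaintext.decode("utf-8")
    return plaintext


def redacted(secret):
    """What to write to a log instead of the secret: only its length."""
    return "<redacted, %d chars>" % len(secret)


class FakeKmsClient:
    """Constructed stand-in for boto3.client('kms') so this example runs offline.

    It 'decrypts' by reversing the ciphertext bytes and, like KMS, fails when
    the EncryptionContext does not match the one the ciphertext was made with.
    """

    def __init__(self, expected_context=None):
        self._expected_context = expected_context or {}

    def decrypt(self, CiphertextBlob, EncryptionContext=None, **_ignored):
        if (EncryptionContext or {}) != self._expected_context:
            # Real KMS raises botocore ClientError with code InvalidCiphertextException.
            raise RuntimeError("InvalidCiphertextException (constructed): context mismatch")
        return {"KeyId": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE-KEY-ID",
                "Plaintext": CiphertextBlob[::-1]}


# Constructed sample: the toy 'ciphertext' for "s3cr3t-example", Base64-encoded
# exactly as the CLI would print a real CiphertextBlob.
SAMPLE_CIPHERTEXT_B64 = base64.b64encode(b"s3cr3t-example"[::-1]).decode("ascii")


if __name__ == "__main__":
    # With real AWS credentials replace FakeKmsClient(...) with boto3.client("kms")
    # and SAMPLE_CIPHERTEXT_B64 with the CiphertextBlob from `aws kms encrypt`.
    context = {"purpose": "matillion-api-secret"}
    client_secret = decrypt_secret(FakeKmsClient(context), SAMPLE_CIPHERTEXT_B64, context)
    print("decrypted client secret:", redacted(client_secret))
```

To use an EncryptionContext the secret must be encrypted with the same key/value pairs (`aws kms encrypt ... --encryption-context purpose=matillion-api-secret`); note also that AWS CLI v2 treats `--plaintext` as Base64 input by default, so pass `--cli-binary-format raw-in-base64-out` or supply the plaintext via `fileb://` when encrypting from the command line.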