constellation_utils.secrets

Public secrets API.

Top-level functions return frozen Pydantic models holding the resolved credential values. Each function is cached per-process so repeated calls are free.

Auth flows:

  • Laptops: op CLI uses the desktop app’s biometric-unlocked session.

  • Rigs / unattended: same op CLI consumes OP_SERVICE_ACCOUNT_TOKEN from the environment without a desktop app.

  • Tests / CI: if R2_ACCESS_KEY_ID is already set in env, the env backend short-circuits the op CLI entirely.

Profile selection: CONSTELLATION_PROFILE=testing|production (default testing).

Submodules

Package Contents

Functions

r2

Return the R2 credentials for the current profile.

cloudflare

Return the Cloudflare account API credentials for the current profile.

API

constellation_utils.secrets.r2() constellation_utils.secrets.models.R2Secrets[source]

Return the R2 credentials for the current profile.

Reads from 1Password via the op CLI by default, or from R2_* env vars in test/CI environments. Cached for the lifetime of the process.

Raises ConstellationAuthError if no auth backend is available (e.g. op is not installed and R2_ACCESS_KEY_ID is not set).

constellation_utils.secrets.cloudflare() constellation_utils.secrets.models.CloudflareSecrets[source]

Return the Cloudflare account API credentials for the current profile.

Reads from 1Password via the op CLI by default, or from CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID env vars in test/CI environments. Cached for the lifetime of the process.

Raises ConstellationAuthError if the cloudflare: block is missing from the active profile’s YAML, or if no auth backend is available.