Skip to content

credentials

sqllocks_spindle.fabric.credentials

Credential resolver — resolve secrets from env vars, Key Vault, files, or raw values.

Supports URI-style credential references so that connection strings and secrets are never hard-coded:

  • env://VARIABLE_NAME — read from environment variable
  • kv://vault-name/secret-name — read from Azure Key Vault (requires azure-identity + azure-keyvault-secrets)
  • file:///path/to/secret.txt — read from a local file (first line, stripped)
  • Any other value — passed through as-is (raw)

Usage::

from sqllocks_spindle.fabric.credentials import CredentialResolver

resolver = CredentialResolver()
conn_str = resolver.resolve("env://SPINDLE_SQL_CONNECTION")
secret   = resolver.resolve("kv://my-vault/my-secret")
raw      = resolver.resolve("Server=localhost;Database=db")

Classes

CredentialResolver

Resolve credential references into concrete secret values.

The resolver supports four URI schemes:

  • env://VAR — environment variable lookup
  • kv://vault/secret — Azure Key Vault lookup (lazy import)
  • file:///path — read secret from a local file
  • Anything else — returned verbatim (raw passthrough)

Parameters:

Name Type Description Default
cache bool

If True (default), resolved values are cached for the lifetime of the resolver instance so that repeated lookups (especially Key Vault) are fast.

True
Methods:
resolve(ref)

Resolve a credential reference to its concrete value.

Parameters:

Name Type Description Default
ref str

A credential URI (env://, kv://, file://) or a raw value string.

required

Returns:

Type Description
str

The resolved secret string.

Raises:

Type Description
CredentialError

If the reference cannot be resolved.

clear_cache()

Clear all cached credential values.

CredentialError

Bases: Exception

Raised when a credential reference cannot be resolved.