Add Akeyless Secret Store/SSH Plugin

.flake8

@@ -117,6 +117,11 @@ per-file-ignores =
   # additionally test docstrings don't need param lists (DAR, DCO020):
   tests/**.py: DAR, DCO020, S101, S105, S108, S404, S603, WPS202, WPS210, WPS430, WPS436, WPS441, WPS442, WPS450
 
+  # The following ignores have been researched and should be considered permanent:
+  # WPS202: two-plugin module (secret store + SSH) with Protocol types, TypedDicts,
+  # and multiple helpers per plugin; restructuring would harm readability.
+  src/awx_plugins/credentials/akeyless.py: WPS202
+
   # The following ignores must be fixed and the entries removed from this config:
   src/awx_plugins/credentials/aim.py: ANN003, ANN201, B950, CCR001, D100, D103, LN001, Q003, WPS210, WPS221, WPS223, WPS231, WPS336, WPS432
   src/awx_plugins/credentials/aws_secretsmanager.py: ANN003, ANN201, D100, D103, WPS111, WPS210, WPS329, WPS529

.mypy.ini

@@ -62,6 +62,15 @@ warn_unused_ignores = true
 # crashes with some decorators like `@functools.cache`:
 disallow_any_expr = false
 
+[mypy-awx_plugins.credentials.akeyless]
+# The akeyless SDK does not ship type stubs. These suppressions are needed
+# until the SDK gains proper typing support:
+disallow_any_expr = false
+disallow_any_unimported = false
+disallow_any_explicit = false
+disallow_untyped_calls = false
+warn_return_any = false
+
 [mypy-awx_plugins.credentials.aws_secretsmanager]
 # crashes with some decorators like `@functools.cache`:
 disallow_any_expr = false
@@ -106,8 +115,23 @@ disallow_any_expr = false
 # crashes with some decorators like `@tox.plugin.impl`:
 disallow_any_expr = false
 
+[mypy-akeyless]
+# The akeyless SDK does not ship type stubs:
+ignore_missing_imports = true
+
+[mypy-akeyless.*]
+# The akeyless SDK does not ship type stubs:
+ignore_missing_imports = true
+
 [mypy-tests.*]
 # crashes with some decorators like `@pytest.mark.parametrize`:
 disallow_any_expr = false
 # fails on `@hypothesis.given()`:
 disallow_any_decorated = false
+# fixture return types like `Callable[..., object]` use `...` as Any:
+disallow_any_explicit = false
+
+[mypy-tests.akeyless_test]
+# Mock API objects are typed as `object`; test kwargs use generic dict
+# rather than the specific TypedDicts the plugin functions expect:
+disable_error_code = attr-defined, arg-type

.pre-commit-config.yaml

@@ -319,6 +319,7 @@ repos:
     - pytest-mock  # needed by pylint-pytest since it picks up pytest's args
     - pytest-subtests  # needed by pylint-pytest since it picks up pytest's args
     - pytest-xdist  # needed by pylint-pytest since it picks up pytest's args
+    - akeyless >= 5.0.8  # needed by credentials.akeyless and its tests
     - python-dsv-sdk  # needed by credentials.dsv, credentials.thycotic_dsv
     - PyYAML  # needed by credentials.injectors, inventory.plugins
     - Sphinx  # needed by the Sphinx extension stub

.pylintrc.toml

@@ -106,7 +106,11 @@ py-version = "3.11"
 # source root is an absolute path or a path relative to the current working
 # directory used to determine a package namespace for modules located under the
 # source root.
-# source-roots =
+# Setting src/ prevents pylint from adding individual credential module
+# directories to sys.path, which would cause false "module imports itself"
+# warnings and circular-import errors for files with the same name as their
+# third-party dependencies (e.g. akeyless.py vs the akeyless SDK):
+source-roots = ["src"]
 
 # Allow loading of arbitrary C extensions. Extensions are imported into the
 # active Python interpreter and may run arbitrary code.

.ruff.toml

@@ -173,6 +173,9 @@ testing = [
   "S101",    # Allow use of `assert` in test files
   "S105",    # hardcoded-password-string
   "S106",    # hardcoded-password-func-arg
+  "S107",    # hardcoded-password-func-default: test helper factories use
+             # credential-like param names (token, secret_data) as configurable
+             # defaults — these are never real credentials
   "S108",    # tmp dirs
   "S404",    # Allow importing 'subprocess' module to testing call external tools needed by these hooks
   "S603",    # subprocess calls

docs/conf.py

@@ -234,6 +234,12 @@
         'awx_plugins.interfaces._temporary_private_credential_api.Credential',
     ),
     ('py:class', 'EnvVarsType'),
+    # Akeyless SDK types: auto-generated from OpenAPI
+    # without type annotations or .pyi stubs
+    ('py:class', 'akeyless.models.auth.Auth'),
+    ('py:class', 'akeyless.models.describe_item.DescribeItem'),
+    ('py:class', 'akeyless.models.get_secret_value.GetSecretValue'),
+    ('py:class', 'akeyless.models.get_ssh_certificate.GetSSHCertificate'),
 ]
 
 

docs/spelling_wordlist.txt

@@ -1,3 +1,4 @@
+Akeyless
 Ansible
 Approle
 async

pyproject.toml

@@ -77,6 +77,8 @@ centrify_vault_kv = "awx_plugins.credentials.centrify_vault:centrify_plugin"
 thycotic_dsv = "awx_plugins.credentials.dsv:dsv_plugin"
 thycotic_tss = "awx_plugins.credentials.tss:tss_plugin"
 aws_secretsmanager_credential = "awx_plugins.credentials.aws_secretsmanager:aws_secretmanager_plugin"
+akeyless = "awx_plugins.credentials.akeyless:akeyless_plugin"
+akeyless_ssh = "awx_plugins.credentials.akeyless:akeyless_ssh_plugin"
 github_app_lookup = "awx_plugins.credentials.github_app:github_app_lookup"
 
 [project.entry-points."awx_plugins.managed_credentials"] # new entry points group name
@@ -189,6 +191,14 @@ credentials-aws-secretsmanager-credential = [
   "awx_plugins.interfaces",
   "boto3",
 ]
+credentials-akeyless = [
+  "awx_plugins.interfaces",
+  "akeyless >= 5.0.8",
+]
+credentials-akeyless-ssh = [
+  "awx_plugins.interfaces",
+  "akeyless >= 5.0.8",
+]
 inventory-azure-rm = [
   "awx_plugins.interfaces",
   "PyYAML",

pytest.ini

@@ -1,4 +1,8 @@
 [pytest]
+# Add src/ to sys.path so tests can import the package even in environments
+# where `pip install -e .` has not been run (e.g. the pre-commit pylint venv):
+pythonpath = src
+
 addopts =
   # `pytest-xdist`:
   --numprocesses=auto