secret-vault 0.15.0

Library provides a secure vault to store application secrets in memory coming from Google/AWS/other secret managers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

//! # Secret Vault for Rust
//!
//! Library provides a secure memory-backed storage of secrets coming to your application
//! from external sources:
//!
//! - Google Cloud Secret Manager
//! - Amazon Secrets Manager
//!
//! ## Features
//! - Caching registered secrets in memory from sources;
//! - Extensible and strongly typed API to be able to implement any kind of sources;
//! - Memory encryption using AEAD cryptography (optional);
//! - Memory encryption using Google/AWS KMS envelope encryption (https://cloud.google.com/kms/docs/envelope-encryption) (optional);
//! - Automatic refresh secrets from the sources support (optional);
//! - Multi-sources support;
//!
//! ```rust,ignore
//!
//!     // Describing secrets and marking them non-required
//!    // since this is only example and they don't exist in your project
//!    let secret_ref1 = SecretVaultRef::new("test-secret-xRnpry".into())
//!        .with_required(false)
//!        .with_secret_version("AWSCURRENT".into());
//!    let secret_ref2 = SecretVaultRef::new("another-secret-222222".into()).with_required(false);
//!
//!    // Building the vault
//!    let mut vault = SecretVaultBuilder::with_source(
//!        aws::AwsSecretManagerSource::new(&config_env_var("ACCOUNT_ID")?, None).await?,
//!    )
//!    .with_encryption(ring_encryption::SecretVaultRingAeadEncryption::new()?)
//!    .build()?;
//!
//!    // Registering your secrets and receiving them from source
//!    vault
//!        .register_secrets_refs(vec![&secret_ref1, &secret_ref2])
//!        .refresh()
//!        .await?;
//!
//!    // Reading the secret
//!    let secret_value: Option<Secret> = vault.get_secret_by_ref(&secret_ref1).await?;
//!
//!    // Using the Viewer API to share only methods able to read secrets
//!    let vault_viewer = vault.viewer();
//!    vault_viewer.get_secret_by_ref(&secret_ref2).await?;
//! ```
//!
//! ## Examples, more detail docs and security considerations and benchmarks:
//! Available on github: https://github.com/abdolence/secret-vault-rs
//!
//! ```

#![allow(unused_parens, clippy::new_without_default, clippy::needless_update)]
#![forbid(unsafe_code)]

mod encryption;
pub use encryption::*;

pub mod errors;
mod secrets_source;
pub use secrets_source::*;

mod simple_sources;
pub use simple_sources::*;

mod vault_store;

mod common_types;
pub use common_types::*;

#[cfg(feature = "ring-aead-encryption")]
pub mod ring_encryption;

#[cfg(feature = "gcp")]
pub mod gcp;

#[cfg(feature = "aws")]
pub mod aws;

pub type SecretVaultResult<T> = std::result::Result<T, errors::SecretVaultError>;

mod vault;
pub use vault::*;

mod vault_builder;
pub use vault_builder::SecretVaultBuilder;

mod vault_viewer;
pub use vault_viewer::*;

mod vault_auto_refresher;
pub use vault_auto_refresher::*;

mod multiple_sources;
pub use multiple_sources::*;