secret-vault 1.16.2

Library provides a secure vault to store securely application secrets in memory from Google/AWS/K8S and environment variables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

//! # Secret Vault for Rust
//!
//! Library provides the support for the secrets coming to your application from the following sources::
//!
//! - Google Cloud Secret Manager
//! - Amazon Secrets Manager
//! - Environment variables
//! - Files source (mostly designed to read K8S secrets mounted as files)
//! - Temporarily available secret generator generated by cryptographic pseudo-random number generator
//!
//! ## Features
//! - Reading/caching registered secrets and their metadata in memory from defined sources;
//! - Extensible and strongly typed API to be able to implement any kind of sources;
//! - Memory encryption using AEAD cryptography (optional);
//! - Memory encryption using Google/AWS KMS envelope encryption (https://cloud.google.com/kms/docs/envelope-encryption) (optional);
//! - Automatic refresh secrets from the sources support (optional);
//! - Multi-sources support;
//! - Snapshots for performance-critical secrets;
//!
//! ```rust,ignore
//!
//!     // Describing secrets and marking them non-required
//!    // since this is only example and they don't exist in your project
//!    let secret_ref1 = SecretVaultRef::new("test-secret-xRnpry".into())
//!        .with_required(false)
//!        .with_secret_version("AWSCURRENT".into());
//!    let secret_ref2 = SecretVaultRef::new("another-secret-222222".into()).with_required(false);
//!
//!    // Building the vault
//!    let vault = SecretVaultBuilder::with_source(
//!        aws::AwsSecretManagerSource::new(&config_env_var("ACCOUNT_ID")?).await?,
//!    )
//!    .with_encryption(ring_encryption::SecretVaultRingAeadEncryption::new()?)
//!    .with_secret_refs(vec![&secret_ref1, &secret_ref2])
//!    .build()?;
//!
//!    // Load secrets from source
//!    vault.refresh().await?;
//!
//!    // Reading the secret
//!    let secret_value: Option<Secret> = vault.get_secret_by_ref(&secret_ref1).await?;
//!
//!    // Or
//!    let secret_value: Secret = vault.require_secret_by_ref(&secret_ref1).await?;
//!
//!    // Using the Viewer API to share only methods able to read secrets
//!    let vault_viewer = vault.viewer();
//!    vault_viewer.get_secret_by_ref(&secret_ref2).await?;
//! ```
//!
//! ## Complete examples, more detail docs and security considerations and benchmarks:
//! Available on [github](https://github.com/abdolence/secret-vault-rs)
//!
//! ```

#![allow(unused_parens, clippy::new_without_default, clippy::needless_update)]
#![forbid(unsafe_code)]

#[cfg(all(
    feature = "gcp-base",
    not(feature = "gcp-tls-roots"),
    not(feature = "gcp-tls-webpki")
))]
compile_error!(
    "You must enable either \"gcp-tls-roots\" or \"gcp-tls-webpki\" when using GCP features"
);

#[cfg(all(feature = "gcp-tls-roots", feature = "gcp-tls-webpki"))]
compile_error!("You cannot enable both \"gcp-tls-roots\" and \"gcp-tls-webpki\" at the same time");

mod encryption;
pub use encryption::*;

pub mod errors;
mod secrets_source;
pub use secrets_source::*;

mod simple_sources;
pub use simple_sources::*;

mod vault_store;

mod common_types;
pub use common_types::*;

#[cfg(feature = "ring-aead-encryption")]
pub mod ring_encryption;

#[cfg(feature = "gcp-base")]
pub mod gcp;

#[cfg(feature = "aws")]
pub mod aws;

pub type SecretVaultResult<T> = std::result::Result<T, errors::SecretVaultError>;

mod vault;
pub use vault::*;

mod vault_builder;
pub use vault_builder::SecretVaultBuilder;

mod vault_viewer;
pub use vault_viewer::*;

mod snapshot;
pub use snapshot::*;

mod vault_snapshot;
pub use vault_snapshot::*;

mod vault_auto_refresher;
pub use vault_auto_refresher::*;

mod multiple_sources;
pub use multiple_sources::*;

#[cfg(feature = "gcp-base")]
mod prost_chrono;