Crate secret_vault

Expand description

§Secret Vault for Rust

Library provides the support for the secrets coming to your application from the following sources::

Google Cloud Secret Manager
Amazon Secrets Manager
Environment variables
Files source (mostly designed to read K8S secrets mounted as files)
Temporarily available secret generator generated by cryptographic pseudo-random number generator

§Features

Reading/caching registered secrets and their metadata in memory from defined sources;
Extensible and strongly typed API to be able to implement any kind of sources;
Memory encryption using AEAD cryptography (optional);
Memory encryption using Google/AWS KMS envelope encryption (https://cloud.google.com/kms/docs/envelope-encryption) (optional);
Automatic refresh secrets from the sources support (optional);
Multi-sources support;
Snapshots for performance-critical secrets;


    // Describing secrets and marking them non-required
   // since this is only example and they don't exist in your project
   let secret_ref1 = SecretVaultRef::new("test-secret-xRnpry".into())
       .with_required(false)
       .with_secret_version("AWSCURRENT".into());
   let secret_ref2 = SecretVaultRef::new("another-secret-222222".into()).with_required(false);

   // Building the vault
   let vault = SecretVaultBuilder::with_source(
       aws::AwsSecretManagerSource::new(&config_env_var("ACCOUNT_ID")?).await?,
   )
   .with_encryption(ring_encryption::SecretVaultRingAeadEncryption::new()?)
   .with_secret_refs(vec![&secret_ref1, &secret_ref2])
   .build()?;

   // Load secrets from source
   vault.refresh().await?;

   // Reading the secret
   let secret_value: Option<Secret> = vault.get_secret_by_ref(&secret_ref1).await?;

   // Or
   let secret_value: Secret = vault.require_secret_by_ref(&secret_ref1).await?;

   // Using the Viewer API to share only methods able to read secrets
   let vault_viewer = vault.viewer();
   vault_viewer.get_secret_by_ref(&secret_ref2).await?;