tsafe-aws 1.2.0

AWS Secrets Manager and SSM HTTP client for tsafe — pull/push secrets from AWS to the local encrypted vault

tsafe-aws

AWS Secrets Manager integration for tsafe.

What this does

Synchronous HTTP client for pulling secrets from AWS Secrets Manager and SSM Parameter Store into the local tsafe vault, with explicit push helpers for operator-approved write-back. The local vault remains the default working source of truth; no secret data is written back to AWS unless a tsafe aws-push or tsafe ssm-push workflow is invoked.

Used by the gated tsafe aws-pull, tsafe aws-push, tsafe ssm-pull, and tsafe ssm-push command surfaces.

Direct use

Most users should install the CLI:

cargo install tsafe-cli

This crate is published separately for consumers who want to call the AWS Secrets Manager API from Rust without pulling in the full CLI surface.

[dependencies]
tsafe-aws = "1"

Auth

Credentials are resolved in this order:

  1. Static env vars: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY (optionally AWS_SESSION_TOKEN for temporary credentials).
  2. ECS task role: the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI endpoint.
  3. IMDSv2: EC2 instance profile via the metadata service.

The region is always required:

| Variable | Required | Description |
| --- | --- | --- |
| AWS_DEFAULT_REGION or AWS_REGION | yes | AWS region, e.g. us-east-1 |
| AWS_ACCESS_KEY_ID | for static credentials | IAM access key ID |
| AWS_SECRET_ACCESS_KEY | for static credentials | IAM secret access key |
| AWS_SESSION_TOKEN | no | Session token for temporary credentials |
| AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | no | ECS task role credentials path |

Key normalisation

Secret names such as myapp/db-password are normalised to MYAPP_DB_PASSWORD (slashes and hyphens replaced with underscores, uppercased) so they are immediately usable as environment variable names.
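The normalisation rule as stated above, worked through as an added example (not the crate's own code; `normalise_key`, `is_env_safe` and `find_collisions` are hypothetical helpers). It also shows two consequences a practitioner should check before exporting pulled secrets into an environment: characters other than slash and hyphen pass through unchanged, so a name like myapp/api.key does not become a valid environment variable name, and two distinct secret names can collapse onto one key, in which case one value silently shadows the other.

```rust
use std::collections::BTreeMap;

/// Normalise a secret name the way the README describes: '/' and '-'
/// become '_', everything is uppercased. Hypothetical helper, not tsafe-aws API.
pub fn normalise_key(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            '/' | '-' => '_',
            other => other.to_ascii_uppercase(),
        })
        .collect()
}

/// True if `key` is a portable environment variable name:
/// only [A-Z0-9_] and not starting with a digit.
pub fn is_env_safe(key: &str) -> bool {
    let mut chars = key.chars();
    match chars.next() {
        Some(c) if c.is_ascii_uppercase() || c == '_' => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_uppercase() || c.is_ascii_digit() || c == '_')
}

/// Group secret names by normalised key and keep only keys that more than one
/// name maps to. A collision means one secret would shadow another, so a pull
/// should refuse or at least warn rather than write the last value seen.
pub fn find_collisions(names: &[&str]) -> BTreeMap<String, Vec<String>> {
    let mut by_key: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for n in names {
        by_key.entry(normalise_key(n)).or_default().push((*n).to_string());
    }
    by_key.retain(|_, sources| sources.len() > 1);
    by_key
}

fn main() {
    // Constructed sample secret names; not real AWS resources.
    let names = ["myapp/db-password", "myapp_db/password", "myapp/api.key", "myapp/cache-url"];
    for n in names {
        let key = normalise_key(n);
        println!("{n} -> {key} (env-safe: {})", is_env_safe(&key));
    }
    for (key, sources) in find_collisions(&names) {
        println!("collision on {key}: {sources:?}");
    }
}
```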

Example

use tsafe_aws::{AwsConfig, AwsCredentials, pull_secrets};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Region (and any static credentials) come from the environment; see Auth above.
    let cfg = AwsConfig::from_env()?;
    // Credentials are resolved lazily by the provider in the documented order; no prefix filter.
    let secrets = pull_secrets(&cfg, &AwsCredentials::from_env_or_imds, None)?;
    for (key, value) in &secrets {
        // Print only the normalised key and the value length, never the secret itself.
        println!("{key}=<{} bytes>", value.len());
    }
    Ok(())
}

To pull only secrets whose names begin with a given prefix (uses the ListSecrets Filters API server-side):

let secrets = pull_secrets(&cfg, &AwsCredentials::from_env_or_imds, Some("myapp/"))?;

SSM Parameter Store parameters are available via pull_ssm_parameters in the ssm module. Credentials and retry semantics are identical to the Secrets Manager client.

Request signing

All requests are signed with AWS Signature Version 4 (SigV4). The signing implementation lives in the sigv4 module and covers the secretsmanager and ssm service namespaces. No AWS SDK dependency is required.

Retry behaviour

The HTTP client retries on 429 (throttled) responses with exponential backoff, honouring the Retry-After header when present.

License

Same as the tsafe workspace — see the repository root.