# tsafe-aws
AWS Secrets Manager integration for [tsafe](https://crates.io/crates/tsafe-cli).
## What this does
Synchronous HTTP client for pulling secrets from AWS Secrets Manager and SSM
Parameter Store into the local tsafe vault, with explicit push helpers for
operator-approved write-back. The local vault remains the default working
source of truth; no secret data is written back to AWS unless a `tsafe
aws-push` or `tsafe ssm-push` workflow is invoked.
Used by the gated `tsafe aws-pull`, `tsafe aws-push`, `tsafe ssm-pull`, and
`tsafe ssm-push` command surfaces.
## Direct use
Most users should install the CLI:
```sh
cargo install tsafe-cli
```
This crate is published separately for consumers who want to call the AWS
Secrets Manager API from Rust without pulling in the full CLI surface.
```toml
[dependencies]
tsafe-aws = "1"
```
## Auth
Credentials are resolved in this order:
1. **Static env vars** — `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`
(optionally `AWS_SESSION_TOKEN` for temporary credentials).
2. **ECS task role** — `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` endpoint.
3. **IMDSv2** — EC2 instance profile via the metadata service.
The region is always required:

| Variable | Required | Description |
|---|---|---|
| `AWS_DEFAULT_REGION` or `AWS_REGION` | yes | AWS region, e.g. `us-east-1` |
| `AWS_ACCESS_KEY_ID` | static | IAM access key ID |
| `AWS_SECRET_ACCESS_KEY` | static | IAM secret access key |
| `AWS_SESSION_TOKEN` | no | Session token for temporary credentials |
| `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` | no | ECS task role credentials path |
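The resolution chain above, written out as an added example (not tsafe-aws's own code: `CredentialSource`, `resolve_region`, `resolve_credential_source` and `env_of` are this example's hypothetical names, and the `HashMap` stands in for the process environment so the chain can be exercised offline). It goes slightly beyond the list in three places, each its own choice rather than documented crate behaviour: a half-configured key pair is reported as an error instead of silently falling through to a role, `AWS_DEFAULT_REGION` is checked before `AWS_REGION` (the README does not say which wins), and `label()` gives something safe to log without echoing key material.

```rust
use std::collections::HashMap;

/// Where credentials come from, in the precedence order the README documents.
/// Hypothetical type for this example, not a tsafe-aws type. No Debug derive on
/// purpose: a struct holding key material should not be printable by accident.
#[derive(PartialEq)]
pub enum CredentialSource {
    /// Static IAM keys from the environment; the session token is optional.
    Static {
        access_key_id: String,
        secret_access_key: String,
        session_token: Option<String>,
    },
    /// ECS task role: credentials are fetched from the container agent at this relative URI.
    EcsTaskRole { relative_uri: String },
    /// EC2 instance profile via IMDSv2, the final fallback.
    Imds,
}

impl CredentialSource {
    /// Safe to log: names the source without exposing any key material.
    pub fn label(&self) -> &'static str {
        match self {
            CredentialSource::Static { .. } => "static env vars",
            CredentialSource::EcsTaskRole { .. } => "ecs task role",
            CredentialSource::Imds => "imdsv2",
        }
    }
}

/// Builds a constructed environment from pairs (demo/test helper).
pub fn env_of(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Reads a variable, treating an empty string the same as unset.
fn get_nonempty<'a>(env: &'a HashMap<String, String>, key: &str) -> Option<&'a String> {
    env.get(key).filter(|v| !v.is_empty())
}

/// The region is mandatory. AWS_DEFAULT_REGION is consulted first here (an
/// assumption of this example; the README only says one of the two must be set).
pub fn resolve_region(env: &HashMap<String, String>) -> Result<String, String> {
    get_nonempty(env, "AWS_DEFAULT_REGION")
        .or_else(|| get_nonempty(env, "AWS_REGION"))
        .cloned()
        .ok_or_else(|| "AWS_DEFAULT_REGION or AWS_REGION must be set".to_string())
}

/// Walks the chain: static keys, then ECS task role, then IMDSv2.
pub fn resolve_credential_source(env: &HashMap<String, String>) -> Result<CredentialSource, String> {
    let ak = get_nonempty(env, "AWS_ACCESS_KEY_ID");
    let sk = get_nonempty(env, "AWS_SECRET_ACCESS_KEY");
    match (ak, sk) {
        // 1. Static env vars win whenever the full key pair is present.
        (Some(ak), Some(sk)) => {
            return Ok(CredentialSource::Static {
                access_key_id: ak.clone(),
                secret_access_key: sk.clone(),
                session_token: get_nonempty(env, "AWS_SESSION_TOKEN").cloned(),
            })
        }
        // Half a key pair is almost always a misconfiguration; fail loudly rather
        // than quietly using a role the operator did not expect (this example's choice).
        (Some(_), None) | (None, Some(_)) => {
            return Err("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together".to_string())
        }
        (None, None) => {}
    }
    // 2. ECS task role endpoint.
    if let Some(uri) = get_nonempty(env, "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
        return Ok(CredentialSource::EcsTaskRole { relative_uri: uri.clone() });
    }
    // 3. Nothing configured: fall back to the instance metadata service.
    Ok(CredentialSource::Imds)
}

fn main() {
    // Constructed environment for the demo; a real caller would collect std::env::vars().
    let env = env_of(&[
        ("AWS_REGION", "us-east-1"),
        ("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "/v2/credentials/example"),
    ]);
    match (resolve_region(&env), resolve_credential_source(&env)) {
        (Ok(region), Ok(source)) => println!("region={region} credentials={}", source.label()),
        (Err(e), _) | (_, Err(e)) => eprintln!("configuration error: {e}"),
    }
}
```

Because the static branch is checked first, leftover `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` values in a container's environment will silently override the task role; the `label()` output is the cheap way to confirm which path a deployment actually took.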
## Key normalisation
Secret names such as `myapp/db-password` are normalised to `MYAPP_DB_PASSWORD`
(slashes and hyphens replaced with underscores, uppercased) so they are
immediately usable as environment variable names.
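The normalisation rule as an added example (this is not the crate's own normaliser; `normalise_key`, `is_valid_env_name` and `normalise_all` are hypothetical names). It also covers two things the rule alone does not address: a name that survives the two substitutions but still is not a legal environment variable name (dots, spaces, non-ASCII), and two distinct secret names collapsing onto one key, which would let one secret silently overwrite another in the vault.

```rust
use std::collections::BTreeMap;

/// The README's rule: '/' and '-' become '_', everything else is ASCII-uppercased.
/// A leading '/' (common for SSM parameter paths) therefore yields a leading '_',
/// which is still a valid environment variable name.
pub fn normalise_key(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            '/' | '-' => '_',
            other => other.to_ascii_uppercase(),
        })
        .collect()
}

/// POSIX-portable environment variable name: [A-Za-z_][A-Za-z0-9_]*.
/// Dots, spaces, '@' and non-ASCII characters pass through normalise_key untouched,
/// so a normalised key can still be unusable as an env var; this catches that.
pub fn is_valid_env_name(key: &str) -> bool {
    let mut chars = key.chars();
    let first_ok = matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_');
    first_ok && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Normalises a whole set of names, returning key -> original name.
/// Refuses to continue if a key is not a valid env var name, or if two distinct
/// names map onto the same key (e.g. `myapp/db-password` and `myapp-db/password`).
/// The same name listed twice is harmlessly deduplicated.
pub fn normalise_all<'a>(names: &[&'a str]) -> Result<BTreeMap<String, &'a str>, String> {
    let mut out: BTreeMap<String, &'a str> = BTreeMap::new();
    for &name in names {
        let key = normalise_key(name);
        if !is_valid_env_name(&key) {
            return Err(format!("{name:?} normalises to {key:?}, which is not a valid env var name"));
        }
        if let Some(prev) = out.insert(key.clone(), name) {
            if prev != name {
                return Err(format!("{prev:?} and {name:?} both normalise to {key:?}"));
            }
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample names, not taken from any real account.
    for n in ["myapp/db-password", "myapp/api-key", "/prod/cache.host"] {
        let k = normalise_key(n);
        println!("{n} -> {k} (valid env name: {})", is_valid_env_name(&k));
    }
    match normalise_all(&["myapp/db-password", "myapp-db/password"]) {
        Ok(map) => println!("{} keys", map.len()),
        Err(e) => println!("refused: {e}"),
    }
}
```

Treating a collision as an error rather than a last-writer-wins merge is the conservative choice for a vault: the pull fails visibly instead of a wrong credential reaching the environment.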
## Example
```rust
use tsafe_aws::{AwsConfig, AwsCredentials, pull_secrets};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let cfg = AwsConfig::from_env()?;
    let secrets = pull_secrets(&cfg, &AwsCredentials::from_env_or_imds, None)?;
    for (key, value) in &secrets {
        println!("{key}=<{} bytes>", value.len());
    }
    Ok(())
}
```
To pull only secrets whose names begin with a given prefix (the prefix is applied
server-side through the `Filters` parameter of the `ListSecrets` API):
```rust
let secrets = pull_secrets(&cfg, &AwsCredentials::from_env_or_imds, Some("myapp/"))?;
```
SSM Parameter Store parameters are available via `pull_ssm_parameters` in the
`ssm` module. Credentials and retry semantics are identical to the Secrets
Manager client.
## Request signing
All requests are signed with AWS Signature Version 4 (SigV4). The signing
implementation lives in the `sigv4` module and covers the `secretsmanager` and
`ssm` service namespaces. No AWS SDK dependency is required.
## Retry behaviour
The HTTP client retries on 429 (throttled) responses with exponential backoff,
honouring the `Retry-After` header when present.
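The retry policy described above as an added, stand-alone example (not the crate's HTTP client; `Attempt`, `RetryPolicy`, `next_delay` and `run_with_retries` are hypothetical names, and the "responses" are constructed in code rather than coming off the wire). It honours a numeric `Retry-After` (delay-seconds) and otherwise doubles a base delay; two details are this example's own assumptions rather than documented crate behaviour: the HTTP-date form of `Retry-After` is not parsed and falls back to backoff, and a server-supplied delay is capped so a misbehaving endpoint cannot stall the client indefinitely. Only 429 is retried, as the README states.

```rust
use std::time::Duration;

/// A response reduced to what the retry policy needs.
pub struct Attempt {
    pub status: u16,
    pub retry_after: Option<String>,
}

/// Exponential backoff parameters (hypothetical type for this example).
pub struct RetryPolicy {
    pub base: Duration,
    pub cap: Duration,
    pub max_attempts: u32,
}

/// Delay to wait after the `attempt`-th (1-based) throttled response.
/// A numeric Retry-After wins, capped at `cap`; anything else (absent header,
/// or the HTTP-date form, which this example does not parse) uses
/// base * 2^(attempt-1), also capped.
pub fn next_delay(policy: &RetryPolicy, attempt: u32, retry_after: Option<&str>) -> Duration {
    if let Some(secs) = retry_after.and_then(|v| v.trim().parse::<u64>().ok()) {
        return Duration::from_secs(secs).min(policy.cap);
    }
    // checked_shl/checked_mul guard against overflow on very high attempt counts.
    let factor = 1u32.checked_shl(attempt.saturating_sub(1)).unwrap_or(u32::MAX);
    policy.base.checked_mul(factor).unwrap_or(policy.cap).min(policy.cap)
}

/// Drives `send` until it returns something other than 429 or the attempt budget
/// is spent. Returns the final status plus the delays that were scheduled, so the
/// schedule can be inspected without sleeping; a real client sleeps for each delay
/// before re-sending. Other failures (5xx, 4xx) surface immediately.
pub fn run_with_retries<F>(policy: &RetryPolicy, mut send: F) -> (u16, Vec<Duration>)
where
    F: FnMut() -> Attempt,
{
    let max = policy.max_attempts.max(1);
    let mut delays = Vec::new();
    let mut resp = send();
    for attempt in 1..max {
        if resp.status != 429 {
            break;
        }
        delays.push(next_delay(policy, attempt, resp.retry_after.as_deref()));
        resp = send();
    }
    (resp.status, delays)
}

fn main() {
    let policy = RetryPolicy {
        base: Duration::from_millis(100),
        cap: Duration::from_secs(5),
        max_attempts: 5,
    };
    // Constructed server behaviour: throttled twice, the second time with Retry-After: 3.
    let mut script = vec![
        Attempt { status: 429, retry_after: None },
        Attempt { status: 429, retry_after: Some("3".to_string()) },
        Attempt { status: 200, retry_after: None },
    ]
    .into_iter();
    let (status, delays) = run_with_retries(&policy, || script.next().expect("script exhausted"));
    println!("final status {status}, scheduled waits {delays:?}");
}
```

Keeping the delay computation separate from the send loop is what makes the policy testable: the schedule for a given sequence of responses can be asserted exactly, and the cap can be checked against both the computed backoff and an over-large server-supplied value.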
## License
Same as the tsafe workspace — see the repository root.