//! Optional AWS Secrets Manager integration for tsafe.
//!
//! Pulls secrets from AWS Secrets Manager and imports them into the local
//! tsafe vault. The local vault remains the single source of truth — Secrets
//! Manager is purely a **read** source. No secret data is ever written back
//! to AWS.
//!
//! ## Configuration (environment variables)
//!
//! | Variable                                 | Required | Description                             |
//! |------------------------------------------|----------|-----------------------------------------|
//! | `AWS_DEFAULT_REGION` or `AWS_REGION`     | yes      | AWS region, e.g. `us-east-1`            |
//! | `AWS_ACCESS_KEY_ID`                      | SP auth  | IAM access key ID                       |
//! | `AWS_SECRET_ACCESS_KEY`                  | SP auth  | IAM secret access key                   |
//! | `AWS_SESSION_TOKEN`                      | no       | Session token for temporary credentials |
//! | `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` | no       | ECS task role credentials endpoint      |
//!
//! If `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are set, they are used
//! directly. Otherwise the ECS task role endpoint is tried, then IMDSv2
//! (works on EC2 instances with an IAM instance profile).
//!
//! ## Key normalisation
//!
//! Secret names such as `my-app/db-password` are normalised to
//! `MY_APP_DB_PASSWORD` (slashes and hyphens → underscores, uppercased) so
//! they are immediately usable as environment variables.
pub use ;
pub use AwsError;
pub use PushOutcome as SmPushOutcome;
pub use ;
pub use PushOutcome as SsmPushOutcome;
pub use ;