tsafe-cli 1.0.22

tsafe CLI — local secret and credential manager (replaces .env files)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

//! Optional GCP Secret Manager integration for tsafe.
//!
//! Pulls secrets from GCP Secret Manager and imports them into the local
//! tsafe vault, and pushes local vault secrets to GCP Secret Manager.
//! The local vault is the authoritative source of truth for `gcp-push`
//! (ADR-030 upsert semantics; no plaintext in audit or diff output).
//!
//! ## Configuration (environment variables)
//!
//! | Variable                          | Required | Description                                    |
//! |-----------------------------------|----------|------------------------------------------------|
//! | `GOOGLE_CLOUD_PROJECT`            | yes*     | GCP project ID                                 |
//! | `GCLOUD_PROJECT`                  | yes*     | Alternate project ID env var                   |
//! | `GOOGLE_OAUTH_TOKEN`              | auth†    | Pre-obtained OAuth2 token (`gcloud auth print-access-token`) |
//! | `GOOGLE_APPLICATION_CREDENTIALS`  | auth†    | Path to ADC JSON file (authorized_user)        |
//!
//! \* Project ID falls back to the GCE metadata server if neither env var is set.
//! † Authentication tries, in order: `GOOGLE_OAUTH_TOKEN` → GCE metadata server →
//!   ADC file (`$GOOGLE_APPLICATION_CREDENTIALS` or
//!   `~/.config/gcloud/application_default_credentials.json`).
//!
//! ## Key normalisation
//! Secret names such as `my-db-password` are normalised to `MY_DB_PASSWORD`
//! (hyphens and dots → underscores, uppercased) so they are immediately
//! usable as environment variables.

pub mod config;
pub mod error;
pub mod secretmanager;

pub use config::{acquire_token, GcpConfig, GcpToken};
pub use error::GcpError;
pub use secretmanager::{pull_secrets, push_secret, PushOutcome};