tsafe-gcp 1.2.0

GCP Secret Manager HTTP client for tsafe — pull/push secrets from Google Cloud to the local encrypted vault
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

//! Optional GCP Secret Manager integration for tsafe.
//!
//! Pulls secrets from GCP Secret Manager and imports them into the local
//! tsafe vault.  The local vault remains the single source of truth — Secret
//! Manager is purely a **read** source.  No secret data is ever written back
//! to GCP.
//!
//! ## Configuration (environment variables)
//!
//! | Variable                          | Required | Description                                    |
//! |-----------------------------------|----------|------------------------------------------------|
//! | `GOOGLE_CLOUD_PROJECT`            | yes*     | GCP project ID                                 |
//! | `GCLOUD_PROJECT`                  | yes*     | Alternate project ID env var                   |
//! | `GOOGLE_OAUTH_TOKEN`              | auth†    | Pre-obtained OAuth2 token (`gcloud auth print-access-token`) |
//! | `GOOGLE_APPLICATION_CREDENTIALS`  | auth†    | Path to ADC JSON file (authorized_user)        |
//!
//! \* Project ID falls back to the GCE metadata server if neither env var is set.
//! † Authentication tries, in order: `GOOGLE_OAUTH_TOKEN` → GCE metadata server →
//!   ADC file (`$GOOGLE_APPLICATION_CREDENTIALS` or
//!   `~/.config/gcloud/application_default_credentials.json`).
//!
//! ## Key normalisation
//! Secret names such as `my-db-password` are normalised to `MY_DB_PASSWORD`
//! (hyphens and dots → underscores, uppercased) so they are immediately
//! usable as environment variables.

pub mod config;
pub mod error;
pub mod secretmanager;

pub use config::{acquire_token, GcpConfig, GcpToken};
pub use error::GcpError;
pub use secretmanager::pull_secrets;