vaultrs/lib.rs
1#![cfg_attr(docsrs, feature(doc_cfg))]
2
3//! # vaultrs
4//! An asynchronous Rust client library for the [Hashicorp Vault] API.
5//!
6//! ## Usage
7//!
8//! ### AWS
9//!
10//! The library currently supports all operations available for the
11//! AWS secrets engine.
12//!
13//! See [aws tests] for more examples.
14//!
15//! ```no_run
16//! use vaultrs::sys::mount;
17//! use vaultrs::aws;
18//! use vaultrs::api::aws::requests::{SetConfigurationRequest, CreateUpdateRoleRequest, GenerateCredentialsRequest};
19//!
20//! # #[tokio::main]
21//! # async fn main() -> Result<(), Box<dyn std::error::Error>> {
22//! # use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};
23//! # let client = VaultClient::new(
24//! # VaultClientSettingsBuilder::default()
25//! # .address("https://127.0.0.1:8200")
26//! # .token("TOKEN")
27//! # .build()
28//! # .unwrap()
29//! # ).unwrap();
30//!
31//! // Mount the AWS secrets engine at `aws_test`
32//! mount::enable(&client, "aws_test", "aws", None).await?;
33//!
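34//! // Configure the AWS secrets engine ("access_key"/"secret_key" are placeholders for the credentials Vault uses to call AWS)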
35//! aws::config::set(&client, "aws_test", "access_key", "secret_key", Some(SetConfigurationRequest::builder()
36//! .max_retries(3)
37//! .region("eu-central-1")
38//! )).await?;
39//!
40//! // Create a Vault role that assumes the listed IAM role ARNs
41//! aws::roles::create_update(&client, "aws_test", "my_role", "assumed_role", Some(CreateUpdateRoleRequest::builder()
42//! .role_arns( vec!["arn:aws:iam::123456789012:role/test_role".to_string()] )
43//! )).await?;
44//!
45//! // Generate credentials
46//! let res = aws::roles::credentials(&client, "aws_test", "my_role", Some(GenerateCredentialsRequest::builder()
47//! .ttl("3h")
48//! )).await?;
49//!
50//! let creds = res;
51//! // creds.access_key
52//! // creds.secret_key
53//! // creds.security_token
54//! # Ok(())
55//! # }
56//! ```
57//!
58//! ### Key Value v2
59//!
60//! The library currently supports all operations available for version 2 of the
61//! key/value store.
62//!
63//! ```no_run
64//! use serde::{Deserialize, Serialize};
65//! use vaultrs::kv2;
66//!
67//! // Create and read secrets
68//! #[derive(Debug, Deserialize, Serialize)]
69//! struct MySecret {
70//! key: String,
71//! password: String,
72//! }
73//!
74//! # #[tokio::main]
75//! # async fn main() -> Result<(), Box<dyn std::error::Error>> {
76//! # use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};
77//! # let client = VaultClient::new(
78//! # VaultClientSettingsBuilder::default()
79//! # .address("https://127.0.0.1:8200")
80//! # .token("TOKEN")
81//! # .build()
82//! # .unwrap()
83//! # ).unwrap();
84//!
85//! let secret = MySecret {
86//! key: "super".to_string(),
87//! password: "secret".to_string(),
88//! };
89//! kv2::set(
90//! &client,
91//! "secret",
92//! "mysecret",
93//! &secret,
94//! ).await?; // propagate a failed write instead of silently discarding the Result
95//!
96//! let secret: MySecret = kv2::read(&client, "secret", "mysecret").await.unwrap();
97//! println!("{}", secret.password); // "secret"
98//! # Ok(())
99//! # }
100//! ```
101//!
102//! ### Key Value v1
103//!
104//! The library currently supports all operations available for version 1 of the
105//! key/value store.
106//!
107//! ```no_run
108//! use vaultrs::kv1;
109//! use std::collections::HashMap;
110//!
111//! # #[tokio::main]
112//! # async fn main() -> Result<(), Box<dyn std::error::Error>> {
113//! # use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};
114//! # let client = VaultClient::new(
115//! # VaultClientSettingsBuilder::default()
116//! # .address("https://127.0.0.1:8200")
117//! # .token("TOKEN")
118//! # .build()
119//! # .unwrap()
120//! # ).unwrap();
121//!
122//! let my_secrets = HashMap::from([
123//! ("key1", "value1"),
124//! ("key2", "value2")
125//! ]);
126//!
127//! kv1::set(&client, "secret", "my/secrets", &my_secrets).await.unwrap();
128//!
129//! let read_secrets: HashMap<String, String> = kv1::get(&client, "secret", "my/secrets").await.unwrap();
130//!
131//! println!("{:}", read_secrets.get("key1").unwrap()); // value1
132//!
133//! let list_secret = kv1::list(&client, "secret", "my").await.unwrap();
134//!
135//! println!("{:?}", list_secret.data.keys); // [ "secrets" ]
136//!
137//! kv1::delete(&client, "secret", "my/secrets").await.unwrap();
138//! # Ok(())
139//! # }
140//! ```
141//!
142//! ### PKI
143//!
144//! The library currently supports all operations available for the PKI secrets
145//! engine.
146//!
147//! ```no_run
148//! use vaultrs::api::pki::requests::GenerateCertificateRequest;
149//! use vaultrs::pki::cert;
150//!
151//! # #[tokio::main]
152//! # async fn main() -> Result<(), Box<dyn std::error::Error>> {
153//! # use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};
154//! # let client = VaultClient::new(
155//! # VaultClientSettingsBuilder::default()
156//! # .address("https://127.0.0.1:8200")
157//! # .token("TOKEN")
158//! # .build()
159//! # .unwrap()
160//! # ).unwrap();
161//!
162//! // Generate a certificate using the PKI backend
163//! let cert = cert::generate(
164//! &client,
165//! "pki",
166//! "my_role",
167//! Some(GenerateCertificateRequest::builder().common_name("test.com")),
168//! ).await?;
169//! println!("{}", cert.certificate); // "{PEM encoded certificate}"
170//! # Ok(())
171//! # }
172//! ```
173//!
174//! ### Transit
175//!
176//! The library supports most operations for the
177//! [Transit](https://developer.hashicorp.com/vault/api-docs/secret/transit) secrets engine,
178//! other than importing keys or `batch_input` parameters.
179//!
180//! ```no_run
181//! use vaultrs::api::transit::requests::CreateKeyRequest;
182//! use vaultrs::api::transit::KeyType;
183//! use vaultrs::transit::key;
184//!
185//! # #[tokio::main]
186//! # async fn main() -> Result<(), Box<dyn std::error::Error>> {
187//! # use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};
188//! # let client = VaultClient::new(
189//! # VaultClientSettingsBuilder::default()
190//! # .address("https://127.0.0.1:8200")
191//! # .token("TOKEN")
192//! # .build()
193//! # .unwrap()
194//! # ).unwrap();
195//!
196//! // Create an encryption key using the /transit backend
197//! key::create(
198//! &client,
199//! "transit",
200//! "my-transit-key",
201//! Some(CreateKeyRequest::builder()
202//! .derived(true)
203//! .key_type(KeyType::Aes256Gcm96)
204//! .auto_rotate_period("30d")),
205//! ).await.unwrap();
206//! # Ok(())
207//! # }
208//! ```
209//!
210//! ### Wrapping
211//!
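212//! All requests implement the ability to be
213//! [wrapped](https://developer.hashicorp.com/vault/docs/concepts/response-wrapping). A wrapped
214//! response can be passed around inside your application before being unwrapped; it can be unwrapped only once, so an unexpected failure to look up or unwrap it means the token has expired or was already used elsewhere.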
215//!
216//! ```no_run
217//! use vaultrs::api::ResponseWrapper;
218//! use vaultrs::api::sys::requests::ListMountsRequest;
219//!
220//! # #[tokio::main]
221//! # async fn main() -> Result<(), Box<dyn std::error::Error>> {
222//! # use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};
223//! # let client = VaultClient::new(
224//! # VaultClientSettingsBuilder::default()
225//! # .address("https://127.0.0.1:8200")
226//! # .token("TOKEN")
227//! # .build()
228//! # .unwrap()
229//! # ).unwrap();
230//!
231//!
232//! let endpoint = ListMountsRequest::builder().build().unwrap();
233//! let wrap_resp = endpoint.wrap(&client).await; // Wrapped response
234//! assert!(wrap_resp.is_ok());
235//!
236//! let wrap_resp = wrap_resp.unwrap(); // Unwrap Result<>
237//! let info = wrap_resp.lookup(&client).await; // Check status of this wrapped response
238//! assert!(info.is_ok());
239//!
240//! let unwrap_resp = wrap_resp.unwrap(&client).await; // Unwrap the response
241//! assert!(unwrap_resp.is_ok());
242//!
243//! let info = wrap_resp.lookup(&client).await; // Error: the response was already unwrapped (wrapping tokens are single-use)
244//! assert!(info.is_err());
245//! # Ok(())
246//! # }
247//! ```
248//!
249//!
250//! [Hashicorp Vault]: https://developer.hashicorp.com/vault
251//! [aws tests]: https://github.com/jmgilman/vaultrs/blob/master/vaultrs-tests/tests/api_tests/aws.rs
252//!
253
254#[macro_use]
255extern crate derive_builder;
256#[macro_use]
257extern crate tracing;
258
259pub mod api;
260pub mod auth;
261pub mod aws;
262pub mod client;
263pub mod database;
264pub mod error;
265pub mod identity;
266pub mod kv1;
267pub mod kv2;
268pub mod pki;
269pub mod ssh;
270pub mod sys;
271pub mod token;
272pub mod transit;