interface store {
// Errors that can occur while fetching a secret through `get`
// (the only function in this interface that can fail).
variant secrets-error {
// An error reported by an "upstream" secrets source.
// As this could be almost _anything_ (such as Vault, Kubernetes Secrets, KeyValue buckets, etc),
// the error message is a string.
// NOTE(review): the message is opaque text produced by the backend. Hosts should make
// sure backend error text never carries secret material, and consumers should treat it
// as untrusted data when logging or displaying it.
upstream(string),
// An error from an I/O operation.
// As this could be almost _anything_ (such as a file read, network connection, etc),
// the error message is a string.
// Depending on how this ends up being consumed,
// we may consider moving this to use the `wasi:io/error` type instead.
// For simplicity right now in supporting multiple implementations, it is being left as a string.
// NOTE(review): same caveat as `upstream` — do not assume the text is safe to surface verbatim.
io(string),
// The secret was not found at the requested key. Generally "not found" errors will
// be handled by the upstream secrets backend, but there are cases where the host
// may need to return this error.
// NOTE(review): reporting `not-found` separately from `upstream` tells the caller whether
// a key exists at all; a host that must not disclose that can fold it into `upstream`.
not-found,
}
// The plaintext of a secret, as handed out by the `reveal` interface.
// It is either a string or a byte array; the byte array is what lets you
// store binary data as a secret.
variant secret-value {
// A string value. WIT strings are Unicode text, so a secret that is not valid
// text (raw key material, DER blobs, ...) should be stored as `bytes` instead.
%string(string),
// A byte array value
bytes(list<u8>),
}
// An opaque handle to a secret. `get` returns an owned handle; `reveal` only ever
// takes a `borrow<secret>`. Holding or passing the handle around does not expose the
// value — the value is only readable through the `reveal` interface — which is what
// lets a component route secrets to where they are needed without reading them itself.
resource secret;
// Looks up the secret stored at the given key and returns a handle to it if it exists.
// The value itself is not returned; use the `reveal` interface to read it.
// Fails with `secrets-error`, including `not-found` when no secret exists at `key`.
get: func(
// The key identifying the secret to fetch. How the key is interpreted (name, path, ...)
// is up to the host and its upstream backend — not specified here.
key: string,
) -> result<secret, secrets-error>;
}
interface reveal {
use store.{secret, secret-value};
// Reveals the plaintext of a secret to the caller.
// Because every read of a secret's value goes through this one function, auditing where
// secrets are used reduces to finding the components that import `reveal` and the call
// sites of this function.
// NOTE(review): once this returns, the plaintext lives in the caller's linear memory and
// the handle-based containment provided by `store.secret` ends; callers should keep the
// revealed value short-lived and must never log it.
// NOTE(review): the signature has no error case, so this interface offers no way to refuse
// a reveal — any component holding a `borrow<secret>` can read the value. Authorization
// therefore has to happen where the handle is issued (`store.get`) or by not granting the
// `reveal` import to that component at all.
reveal: func(s: borrow<secret>) -> secret-value;
// TODO: add an error here around not being allowed to reveal?
// (That would change the return type to a `result<secret-value, ...>`, which is a
// breaking change for every existing importer of this interface.)
}