Crate hasp_backend_aws_sm 

aws-sm:// backend for hasp.

Grammar: aws-sm://<region>/<secret-name>?version-stage=<stage>&version-id=<id>&field=<path>

• <region> — AWS region (host). Must be non-empty.
• <secret-name> — Secret name or ARN (path). Leading / is stripped.
• ?version-stage — Optional version stage (e.g. AWSCURRENT, AWSPREVIOUS). Mutually exclusive with version-id.
• ?version-id — Optional version UUID. Mutually exclusive with version-stage.
• ?field — Optional dotted JSON path. When set, the stored secret value is parsed as JSON and the named scalar is returned (see hasp_core::extract_field). Non-JSON payloads fail with InvalidUrl.

Supported operations: get, put, list, delete, exists.

Authentication is ambient only: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY, AWS_PROFILE, IAM role via IMDS/ECS/EKS, or any other source supported by the AWS default credential chain. No auth-bootstrap flows or credential refresh logic lives in this crate.

AWS Secrets Manager can store text or binary values. Only text secrets are supported by this backend; binary secrets return a permanent backend error because the hasp Backend contract is text-oriented.

Region is required in the URL so the same secret name can be addressed across partitions, and so the URL is self-contained (no ambient region dependency).

Structs

AwsSmBackend

AWS Secrets Manager SDK backend.

AwsSmUrl

URL shape for aws-sm:// addresses.