llm_orchestrator_secrets/
lib.rs

1// Copyright (c) 2025 LLM DevOps
2// SPDX-License-Identifier: MIT OR Apache-2.0
3
4//! Secret management for LLM Orchestrator.
5//!
6//! This crate provides secure secret storage and retrieval with support for:
7//! - HashiCorp Vault (KV v2)
8//! - AWS Secrets Manager
9//! - Environment variables (fallback)
10//! - In-memory caching with TTL
11//!
12//! # Features
13//!
14//! - **Multiple backends**: Vault, AWS Secrets Manager, or environment variables
15//! - **Automatic caching**: Optional TTL-based caching to reduce backend calls
16//! - **Secret rotation**: Support for rotating secrets without downtime
17//! - **Version management**: Access historical versions of secrets (where supported)
18//! - **Security**: Zero secrets in logs, secure token handling
19//!
20//! # Examples
21//!
22//! ## Using Environment Variables
23//!
24//! ```
25//! use llm_orchestrator_secrets::{EnvSecretStore, SecretStore};
26//!
27//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
28//! let store = EnvSecretStore::new();
29//! let secret = store.get_secret("openai/api_key").await?;
30//! // Reads from environment variable: OPENAI_API_KEY
31//! # Ok(())
32//! # }
33//! ```
34//!
35//! ## Using HashiCorp Vault
36//!
37//! ```no_run
38//! use llm_orchestrator_secrets::{VaultSecretStore, SecretStore};
39//!
40//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
41//! let store = VaultSecretStore::new(
42//!     "https://vault.example.com:8200".to_string(),
43//!     "hvs.CAESIJ...".to_string(),
44//! )?;
45//!
46//! let secret = store.get_secret("database/password").await?;
47//! # Ok(())
48//! # }
49//! ```
50//!
51//! ## Using AWS Secrets Manager
52//!
53//! ```no_run
54//! use llm_orchestrator_secrets::{AwsSecretStore, SecretStore};
55//! use aws_sdk_secretsmanager::config::Region;
56//!
57//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
58//! let store = AwsSecretStore::new(Region::new("us-east-1")).await?;
59//! let secret = store.get_secret("prod/api/key").await?;
60//! # Ok(())
61//! # }
62//! ```
63//!
64//! ## Using the Builder with Caching
65//!
66//! ```no_run
67//! use llm_orchestrator_secrets::{SecretManagerBuilder, SecretStoreType};
68//! use chrono::Duration;
69//!
70//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
71//! let store = SecretManagerBuilder::new(SecretStoreType::Environment)
72//!     .with_cache(Duration::minutes(10))
73//!     .build()
74//!     .await?;
75//!
76//! let secret = store.get_secret("api_key").await?;
77//! # Ok(())
78//! # }
79//! ```
80//!
81//! # Security Best Practices
82//!
83//! 1. **Never log secret values**: All implementations avoid logging sensitive data
84//! 2. **Use Vault or AWS in production**: Environment variables are for development only
85//! 3. **Enable caching cautiously**: Balance performance with security requirements
86//! 4. **Rotate secrets regularly**: Use built-in rotation features
87//! 5. **Use least-privilege access**: Limit secret access to what's needed
88//!
89//! # Performance Considerations
90//!
91//! - **Caching**: Reduces backend calls from ~100ms to <1ms for cached secrets
92//! - **TTL**: Default 5 minutes balances freshness with performance
93//! - **Cleanup**: Run `cleanup_expired()` periodically to prevent memory growth
94
95pub mod aws;
96pub mod builder;
97pub mod cache;
98pub mod env;
99pub mod models;
100pub mod traits;
101pub mod vault;
102
103// Re-export main types for convenience
104pub use aws::AwsSecretStore;
105pub use builder::{AwsConfig, SecretManagerBuilder, SecretStoreType, VaultConfig};
106pub use cache::{CacheStats, SecretCache};
107pub use env::EnvSecretStore;
108pub use models::{Secret, SecretMetadata, SecretVersion};
109pub use traits::{Result, SecretError, SecretStore};
110pub use vault::VaultSecretStore;