Secure, typed, async Rust SDK for OpenBao.
This crate is intentionally conservative:
- unsafe Rust is forbidden;
- tokens are stored as secrecy::SecretString;
- HTTPS is required by default;
- OpenBao API URLs are assembled with structured URL path segments;
- authentication state is represented in the type system.
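The last two points, URLs built from validated path segments and authentication state carried in the type system, as an added illustration written for this page; it is not the crate's own code. MockClient, validate_segments, with_token and request_url are hypothetical names, and the crate's real validate_endpoint_path and Client types listed further down differ in detail.

```rust
use std::marker::PhantomData;

/// Marker state: the client has no token yet.
pub struct Unauthenticated;
/// Marker state: the client carries a token.
pub struct Authenticated;

/// Toy client whose authentication state is a type parameter, so a method that
/// needs a token is simply not defined on `MockClient<Unauthenticated>`.
pub struct MockClient<State> {
    base_url: String,
    token: Option<String>,
    _state: PhantomData<State>,
}

#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    BadSegment(String),
}

/// Validate an endpoint-style path and return its normalized segments.
/// Leading and trailing slashes are dropped; empty segments, `.`/`..`, and any
/// character that would need URL escaping are rejected outright, so a
/// caller-supplied name can never splice extra structure into the request URL.
pub fn validate_segments(path: &str) -> Result<Vec<String>, PathError> {
    let trimmed = path.trim_matches('/');
    if trimmed.is_empty() {
        return Err(PathError::Empty);
    }
    trimmed
        .split('/')
        .map(|seg| {
            let allowed = |c: char| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.');
            let ok = !seg.is_empty() && seg != "." && seg != ".." && seg.chars().all(allowed);
            if ok {
                Ok(seg.to_string())
            } else {
                Err(PathError::BadSegment(seg.to_string()))
            }
        })
        .collect()
}

impl MockClient<Unauthenticated> {
    pub fn new(base_url: &str) -> Self {
        MockClient {
            base_url: base_url.trim_end_matches('/').to_string(),
            token: None,
            _state: PhantomData,
        }
    }

    /// Consumes the unauthenticated client; the returned value has a new type.
    pub fn with_token(self, token: &str) -> MockClient<Authenticated> {
        MockClient {
            base_url: self.base_url,
            token: Some(token.to_string()),
            _state: PhantomData,
        }
    }
}

impl MockClient<Authenticated> {
    /// Only callable once authenticated: builds `<base>/v1/<segments>` from
    /// validated segments instead of concatenating the raw path string.
    pub fn request_url(&self, path: &str) -> Result<String, PathError> {
        let segments = validate_segments(path)?;
        Ok(format!("{}/v1/{}", self.base_url, segments.join("/")))
    }

    pub fn has_token(&self) -> bool {
        self.token.is_some()
    }
}

fn main() {
    // Constructed sample values; not a real server or token.
    let client = MockClient::new("https://bao.example.internal:8200/").with_token("example-token");
    println!("{:?}", client.request_url("secret/data/app/config"));
    println!("{:?}", client.request_url("secret/data/../sys/policies/acl"));
    // `MockClient::new("...").request_url("x")` does not compile: the method
    // is not defined for the Unauthenticated state.
}
```

The typestate transition consumes the unauthenticated value, so there is no window in which a client exists in both states; the segment validator refuses rather than escapes suspicious input, which keeps the error visible to the caller instead of silently producing a different URL.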
The public API covers environment-based client construction, AppRole login, direct token auth, LDAP/RADIUS/Kerberos auth, JWT/OIDC browser-flow helpers, token lifecycle and token-role helpers, Cubbyhole, Identity lifecycle, lookup, and merge helpers, KV v1/v2, Kubernetes secrets, RabbitMQ secrets, Transit lifecycle, batch, single-operation cryptography, import/BYOK, and PKI issue/sign/revoke/tidy helpers, system health/readiness, dev-only bootstrap, mount management, audit devices, exact and prefix lease helpers, password policies, resultant ACL inspection, operator-gated root/recovery token ceremonies, in-flight request diagnostics, plugin catalog operations, SSH, TOTP, and raw JSON calls for advanced users. Selected system endpoints that return non-JSON data, such as Prometheus metrics and capped Raft snapshots, are exposed through typed helpers rather than a public raw-body escape hatch.
AdminBootstrap performs read-compare-write convergence. Run only one
bootstrap plan per OpenBao cluster at a time unless the caller provides an
external lock. KV v2 secret convergence uses OpenBao CAS where available,
but ACL policies, AppRole settings, and other bootstrap operations still
require caller-owned serialization to avoid overwriting concurrent changes.
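The read-compare-write pattern described above, and the difference between a KV v2 write protected by CAS and an endpoint without CAS, as an added in-memory illustration that is not the crate's bootstrap code. MockKvV2, MockPolicyStore, plan_kv, apply_kv and converge_kv are hypothetical names standing in for OpenBao mounts and the real AdminBootstrap logic.

```rust
use std::collections::BTreeMap;

pub type Data = BTreeMap<String, String>;

/// Mock KV v2 entry: the data plus the version counter OpenBao reports.
#[derive(Clone, Debug, PartialEq)]
pub struct Versioned {
    pub version: u64,
    pub data: Data,
}

#[derive(Debug, PartialEq)]
pub enum KvError { CasMismatch { expected: u64, actual: u64 } }

/// Mock KV v2 mount enforcing check-and-set: a write carrying `cas = Some(n)`
/// succeeds only if the current version is exactly `n` (0 = not yet written).
#[derive(Default)]
pub struct MockKvV2 {
    secrets: BTreeMap<String, Versioned>,
}

impl MockKvV2 {
    pub fn read(&self, path: &str) -> Option<&Versioned> {
        self.secrets.get(path)
    }

    pub fn write(&mut self, path: &str, data: Data, cas: Option<u64>) -> Result<u64, KvError> {
        let actual = self.secrets.get(path).map_or(0, |v| v.version);
        if let Some(expected) = cas {
            if expected != actual {
                return Err(KvError::CasMismatch { expected, actual });
            }
        }
        let next = actual + 1;
        self.secrets.insert(path.to_string(), Versioned { version: next, data });
        Ok(next)
    }
}

/// Outcome of one convergence pass.
#[derive(Debug, PartialEq)]
pub enum Converge { Unchanged, Written(u64), Conflict }

/// Read step: `None` when the stored secret already matches, otherwise the
/// version the follow-up write must be pinned to.
pub fn plan_kv(store: &MockKvV2, path: &str, desired: &Data) -> Option<u64> {
    match store.read(path) {
        Some(cur) if cur.data == *desired => None,
        Some(cur) => Some(cur.version),
        None => Some(0),
    }
}

/// Write step: pinned to the version seen by `plan_kv`, so a concurrent change
/// surfaces as `Conflict` instead of being overwritten.
pub fn apply_kv(store: &mut MockKvV2, path: &str, desired: &Data, pinned: u64) -> Converge {
    match store.write(path, desired.clone(), Some(pinned)) {
        Ok(v) => Converge::Written(v),
        Err(KvError::CasMismatch { .. }) => Converge::Conflict,
    }
}

/// Full read-compare-write pass, retrying a bounded number of times on conflict.
pub fn converge_kv(store: &mut MockKvV2, path: &str, desired: &Data, attempts: usize) -> Converge {
    let mut last = Converge::Conflict;
    for _ in 0..attempts {
        let Some(pinned) = plan_kv(store, path, desired) else {
            return Converge::Unchanged;
        };
        last = apply_kv(store, path, desired, pinned);
        if last != Converge::Conflict {
            break;
        }
    }
    last
}

/// Mock of an endpoint without CAS, such as an ACL policy store: last writer
/// wins, so an edit made between a read and a write is silently lost. This is
/// why the caller must serialize such operations itself.
#[derive(Default)]
pub struct MockPolicyStore {
    policies: BTreeMap<String, String>,
}

impl MockPolicyStore {
    pub fn read(&self, name: &str) -> Option<&str> {
        self.policies.get(name).map(String::as_str)
    }
    pub fn write(&mut self, name: &str, hcl: &str) {
        self.policies.insert(name.to_string(), hcl.to_string());
    }
}

fn main() {
    // Constructed sample data; not real credentials.
    let mut kv = MockKvV2::default();
    let desired = Data::from([("user".to_string(), "svc-app".to_string())]);
    println!("{:?}", converge_kv(&mut kv, "app/db", &desired, 3));
    println!("{:?}", converge_kv(&mut kv, "app/db", &desired, 3));
}
```

Splitting plan from apply is what makes the race visible: a write that lands between the two steps bumps the version, the pinned CAS write fails, and the concurrent data survives. The policy store has no version to pin, so the same interleaving overwrites the other writer's change without any error, which is exactly the case the caveat above covers.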
Secret request payloads are serialized through a zeroizing intermediate
buffer before handoff to reqwest. The HTTP stack still owns a normal body
buffer after that handoff, and TLS, kernel, allocator, and device buffers
can retain transient copies outside this crate’s control. Treat Transit
plaintext and other request-body secret material as process-resident during
the request lifecycle.
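The handoff described above, as an added std-only example written for this page; it is not the crate's implementation, which uses the re-exported zeroize crate and serde_json. ZeroizingBuf, wipe, MockHttpBody, serialize_payload and send_secret are hypothetical names, and the JSON shaping is deliberately simplified.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros. The fence discourages the optimizer from
/// dropping a store to memory that is about to be freed; the `zeroize` crate
/// the SDK re-exports does this properly with volatile writes, and this toy
/// exists only to make the caveat above concrete.
pub fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        *b = 0;
    }
    compiler_fence(Ordering::SeqCst);
}

/// Intermediate serialization buffer that wipes its contents on drop.
pub struct ZeroizingBuf(Vec<u8>);

impl ZeroizingBuf {
    pub fn as_slice(&self) -> &[u8] {
        &self.0
    }
}

impl Drop for ZeroizingBuf {
    fn drop(&mut self) {
        wipe(&mut self.0);
    }
}

/// Stand-in for the HTTP stack: it owns an ordinary `Vec<u8>` body and keeps
/// it, unwiped, for as long as the request lives.
pub struct MockHttpBody {
    pub bytes: Vec<u8>,
}

/// Serialize a Transit-style `{"plaintext":"..."}` request into a zeroizing
/// buffer. Simplified JSON shaping (only `"` and `\` are escaped; the crate
/// uses serde_json). The buffer is sized up front because a reallocation
/// during serialization would leave an unwiped copy behind.
pub fn serialize_payload(plaintext: &str) -> ZeroizingBuf {
    let mut out = Vec::with_capacity(plaintext.len() * 2 + 16);
    out.extend_from_slice(b"{\"plaintext\":\"");
    for &b in plaintext.as_bytes() {
        if b == b'"' || b == b'\\' {
            out.push(b'\\');
        }
        out.push(b);
    }
    out.extend_from_slice(b"\"}");
    ZeroizingBuf(out)
}

/// Build the body in the zeroizing buffer, then hand a copy to the HTTP layer.
/// The intermediate is wiped when it goes out of scope; the copy is not.
pub fn send_secret(plaintext: &str) -> MockHttpBody {
    let intermediate = serialize_payload(plaintext);
    MockHttpBody {
        bytes: intermediate.as_slice().to_vec(),
    }
    // `intermediate` is dropped here and zeroed.
}

/// True if `needle` occurs anywhere in `haystack`.
pub fn contains_bytes(haystack: &[u8], needle: &[u8]) -> bool {
    !needle.is_empty() && haystack.windows(needle.len()).any(|w| w == needle)
}

fn main() {
    // Constructed sample secret; not a real credential.
    let body = send_secret("hunter2");
    println!(
        "HTTP layer still holds the plaintext: {}",
        contains_bytes(&body.bytes, b"hunter2")
    );
    let mut scratch = b"hunter2".to_vec();
    wipe(&mut scratch);
    println!("wiped scratch buffer: {:?}", scratch);
}
```

The body the HTTP layer receives is a plain allocation that outlives the zeroizing buffer, which is the concrete reason the paragraph above treats request-body secrets as process-resident for the whole request rather than only until serialization finishes.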
With the optional tracing feature, request spans include HTTP method,
status, and a redacted URL path shape. Bodies, tokens, and namespaces are
not logged, but even path shapes can reveal operational activity. Deployments
with strict path-confidentiality requirements should suppress debug-level
openbao.request spans, for example with EnvFilter::new("openbao=info"),
or install a tracing layer that omits the path field.
Re-exports
pub use duration::RenewalHint;
pub use duration::duration_to_bao_string;
pub use plugin::PluginMount;
pub use policy::AclCapability;
pub use policy::AclPolicyBuilder;
pub use posture::FipsPosture;
pub use posture::FipsPostureFinding;
pub use posture::FipsPostureNote;
pub use posture::FipsPostureReport;
pub use posture::FipsPostureSeverity;
pub use timestamp::OptionalTimestampExt;
pub use timestamp::TimestampExt;
pub use timestamp::parse_optional_rfc3339_timestamp;
pub use timestamp::parse_rfc3339_timestamp;
pub use reqwest;
pub use secrecy;
pub use serde_json;
pub use time;
pub use zeroize;
Modules
- auth
- Authentication methods.
- bootstrap
- Idempotent administration bootstrap helpers.
- duration
- Helpers for OpenBao duration strings.
- plugin
- Safe building blocks for typed custom OpenBao plugin wrappers.
- policy
- Helpers for building small OpenBao ACL policy documents.
- posture
- Best-effort posture helpers for crate-visible OpenBao configuration.
- prelude
- Common imports for application code using the OpenBao SDK.
- secrets
- Secret engine handles.
- sys
- System backend helpers.
- timestamp
- Optional RFC3339 timestamp parsing helpers.
- tls
- TLS configuration and types.
Structs
- Authenticated
- Marker state for clients that carry an authentication token.
- BoundedStringList
- Bounded string list for custom plugin responses.
- Certificate
- Represents a server X509 certificate.
- CertificateRevocationList
- Represents an X509 certificate revocation list.
- Client
- Typed OpenBao HTTP client.
- ClientBuilder
- Builder for Client.
- Empty
- Empty JSON payload used for endpoints that do not require a body.
- Identity
- Represents a private key and X509 cert as a client certificate.
- ListPageOptions
- Shared pagination options for non-secret OpenBao string-list endpoints.
- Method
- The Request Method (VERB)
- OffsetDateTime
- A PrimitiveDateTime with a UtcOffset.
- OpenBaoConfig
- Validated OpenBao client configuration.
- ResponseEnvelope
- Standard OpenBao response envelope for endpoints that return data.
- RetryPolicy
- Explicit retry policy for caller-approved idempotent requests.
- StatusCode
- An HTTP status code (status-code in RFC 9110 et al.).
- Unauthenticated
- Marker state for clients that do not yet have an authentication token.
- Zeroizing
- Zeroizing is a wrapper for any Z: Zeroize type which implements a Drop handler that zeroizes dropped values.
Enums
- Error
- Errors returned by OpenBao client operations.
- HeaderMode
- Authentication header strategy.
- HttpPolicy
- Policy for non-TLS HTTP base URLs.
- JsonValue
- Represents any valid JSON value.
- RetryableMethod
- HTTP methods that are safe to use with Client::request_json_with_retry.
- RootCertificateMode
- TLS trust root handling.
Constants
- MAX_RESPONSE_STRINGS
- Maximum number of strings accepted by the crate’s bounded list helpers.
Traits
- ExposeSecret
- Expose a reference to an inner secret.
- ListEntries
- Shared accessor trait for OpenBao list responses.
- Zeroize
- Trait for securely erasing values from memory.
Functions
- deserialize_bounded_string_vec
- Deserializes a bounded vector of strings.
- validate_endpoint_path
- Validates an OpenBao endpoint-style path and returns normalized segments.
- validate_mount_path
- Validates an OpenBao mount-style path and returns normalized path segments.
Type Aliases
- OpenBao
- Backwards-friendly public name for the OpenBao client.
- Result
- Result alias used by this crate.
- SecretString
- Secret string type.
- SharedClient
- Authenticated client wrapped in std::sync::Arc for sharing across tasks.