Crate secret_vault
source ·Expand description
§Secret Vault for Rust
Library provides the support for the secrets coming to your application from the following sources::
- Google Cloud Secret Manager
- Amazon Secrets Manager
- Environment variables
- Files source (mostly designed to read K8S secrets mounted as files)
- Temporarily available secret generator generated by cryptographic pseudo-random number generator
§Features
- Reading/caching registered secrets and their metadata in memory from defined sources;
- Extensible and strongly typed API to be able to implement any kind of sources;
- Memory encryption using AEAD cryptography (optional);
- Memory encryption using Google/AWS KMS envelope encryption (https://cloud.google.com/kms/docs/envelope-encryption) (optional);
- Automatic refresh secrets from the sources support (optional);
- Multi-sources support;
- Snapshots for performance-critical secrets;
ⓘ
// Describing secrets and marking them non-required
// since this is only example and they don't exist in your project
let secret_ref1 = SecretVaultRef::new("test-secret-xRnpry".into())
.with_required(false)
.with_secret_version("AWSCURRENT".into());
let secret_ref2 = SecretVaultRef::new("another-secret-222222".into()).with_required(false);
// Building the vault
let vault = SecretVaultBuilder::with_source(
aws::AwsSecretManagerSource::new(&config_env_var("ACCOUNT_ID")?).await?,
)
.with_encryption(ring_encryption::SecretVaultRingAeadEncryption::new()?)
.with_secret_refs(vec![&secret_ref1, &secret_ref2])
.build()?;
// Load secrets from source
vault.refresh().await?;
// Reading the secret
let secret_value: Option<Secret> = vault.get_secret_by_ref(&secret_ref1).await?;
// Or
let secret_value: Secret = vault.require_secret_by_ref(&secret_ref1).await?;
// Using the Viewer API to share only methods able to read secrets
let vault_viewer = vault.viewer();
vault_viewer.get_secret_by_ref(&secret_ref2).await?;§Complete examples, more detail docs and security considerations and benchmarks:
Available on github