//! # Secret Vault for Rust
//!
//! The library provides support for secrets coming into your application from the following sources:
//!
//! - Google Cloud Secret Manager
//! - Amazon Secrets Manager
//! - Environment variables
//! - Files source (mostly designed to read K8S secrets mounted as files)
//! - Temporary secrets produced by a cryptographic pseudo-random number generator
//!
//! ## Features
//! - Reading/caching registered secrets and their metadata in memory from the defined sources;
//! - Extensible and strongly typed API to be able to implement any kind of source;
//! - Memory encryption using AEAD cryptography (optional);
//! - Memory encryption using Google/AWS KMS envelope encryption (https://cloud.google.com/kms/docs/envelope-encryption) (optional);
//! - Automatic refresh of secrets from the sources (optional);
//! - Multi-source support;
//! - Snapshots for performance-critical secrets;
//!
//! ```rust,ignore
//!
//!    // Describing secrets and marking them non-required,
//!    // since this is only an example and they don't exist in your project
//!    let secret_ref1 = SecretVaultRef::new("test-secret-xRnpry".into())
//!        .with_required(false)
//!        .with_secret_version("AWSCURRENT".into());
//!    let secret_ref2 = SecretVaultRef::new("another-secret-222222".into()).with_required(false);
//!
//!    // Building the vault
//!    let vault = SecretVaultBuilder::with_source(
//!        aws::AwsSecretManagerSource::new(&config_env_var("ACCOUNT_ID")?).await?,
//!    )
//!    .with_encryption(ring_encryption::SecretVaultRingAeadEncryption::new()?)
//!    .with_secret_refs(vec![&secret_ref1, &secret_ref2])
//!    .build()?;
//!
//!    // Load secrets from the source
//!    vault.refresh().await?;
//!
//!    // Reading the secret
//!    let secret_value: Option<Secret> = vault.get_secret_by_ref(&secret_ref1).await?;
//!
//!    // Or
//!    let secret_value: Secret = vault.require_secret_by_ref(&secret_ref1).await?;
//!
//!    // Using the Viewer API to share only the methods able to read secrets
//!    let vault_viewer = vault.viewer();
//!    vault_viewer.get_secret_by_ref(&secret_ref2).await?;
//! ```
//!
//! ## Complete examples, more detailed docs, security considerations and benchmarks:
//! Available on [github](https://github.com/abdolence/secret-vault-rs)
//!
// Crate-wide lint relaxations.
#![allow(unused_parens, clippy::new_without_default, clippy::needless_update)]
// No `unsafe` anywhere in this crate: the attribute turns any `unsafe` block
// or item into a compile error.
#![forbid(unsafe_code)]

// GCP support needs a TLS root-certificate store. Fail the build early, with a
// readable message, when the GCP backend is enabled but neither store is.
#[cfg(all(
    feature = "gcp-base",
    not(feature = "gcp-tls-roots"),
    not(feature = "gcp-tls-webpki")
))]
compile_error!(
    "You must enable either \"gcp-tls-roots\" or \"gcp-tls-webpki\" when using GCP features"
);

// The two root stores are mutually exclusive. Note this check does not depend
// on `gcp-base`: enabling both store features fails the build on its own.
#[cfg(all(feature = "gcp-tls-roots", feature = "gcp-tls-webpki"))]
compile_error!("You cannot enable both \"gcp-tls-roots\" and \"gcp-tls-webpki\" at the same time");
// Core building blocks; their public items are re-exported at the crate root.
mod encryption;
pub use encryption::*;

pub mod errors;
mod secrets_source;
pub use secrets_source::*;

mod simple_sources;
pub use simple_sources::*;

// Internal storage; nothing from it is re-exported.
mod vault_store;

mod common_types;
pub use common_types::*;

// Optional backends, each gated behind its own Cargo feature.
#[cfg(feature = "ring-aead-encryption")]
pub mod ring_encryption;

#[cfg(feature = "gcp-base")]
pub mod gcp;

#[cfg(feature = "aws")]
pub mod aws;

/// Result type used throughout the crate, with [`errors::SecretVaultError`]
/// as the error type.
pub type SecretVaultResult<T> = std::result::Result<T, errors::SecretVaultError>;

mod vault;
pub use vault::*;

// Only the builder itself is exposed from this module.
mod vault_builder;
pub use vault_builder::SecretVaultBuilder;

mod vault_viewer;
pub use vault_viewer::*;

mod snapshot;
pub use snapshot::*;

mod vault_snapshot;
pub use vault_snapshot::*;

mod vault_auto_refresher;
pub use vault_auto_refresher::*;

mod multiple_sources;
pub use multiple_sources::*;

// Private module, compiled only with the `gcp-base` feature.
#[cfg(feature = "gcp-base")]
mod prost_chrono;