Crate secret_rs

Crate secret_rs 

Source
Expand description

§secret_rs

A library that supports injecting file system’s secrets or environment variables secrets into a JSON configuration.

The goal of secret_rs is twofold:

  • improve the developer experience by centralizing all the application’s configuration under the same location, that is allowing access of both secret and unsecreted values within the same data structure
  • simplify secret management in the context of cloud-native applications, such as K8s containers

§Overview

secret_rs library enables applications to load a JSON configuration file that may contain references to external secret values without writing them in plaintext.

This is achieved by transparently resolving the external secrets during the deserialization process. Secrets can be read from:

  • a plaintext value within the configuration, so that the same interface can be employed also for non-sensitive values
  • an environment variable
  • the content of a file
  • the content of a key within a file (such a .ini or .json)

In addition, when using an environment variable or a file, it is possible to optionally specify in which encoding the value has been stored. In this manner, the library can load external secrets saved in a format different from plaintext. At the moment only base64 is supported.

§Configuration Examples

In this section are listed all the possible ways a secret can be written within a JSON configuration file:

  1. as a plain string
    {
   "secret": "not so secret"
}
  2. as a reference to an environment variable
    {
   "secret": {
      "type": "env",
      "key": "MY_SECRET_ENV_VAR_NAME"
   }
}
  3. as a reference to a file (load all its content as secret)
    {
   "secret": {
      "type": "file",
      "path": "/path/to/file"
   }
}
  4. as a reference to a key in a JSON or INI file (load only the key’s value as secret)
    {
   "secret": {
      "type": "file",
      "path": "/path/to/file",
      "key": "MY_SECRET"
   }
}

The application is then able to deserialize all of them using the Secret enum.

use secret_rs::Secret;
use serde::{Deserialize, Serialize};

#[derive(Deserialize, Serialize)]
pub struct AppConfig {
    /// my external sensitive value
    pub secret: Secret,
}

The value of secret field then can be read using its read() method, which allows extracting the actual value contained within the deserialized enum.

§Watch

The library also supports watching the secret values for changes by listening to file system events. This is useful when the application needs to reload values when they are updated by an external entity.

From configuration it can either be a path:

{
   "secret": "/path/to/secret/file"
}

or the same structure as the file-based secret

{
   "secret": {
      "path": "/path/to/secret/file",
      "key": "MY_SECRET"
      "encoding": "base64"
   }
}

and must deserialize into [SecretWatcher] struct, then a method read() peeks the current value of the secret or a stream can be spawned.

§Contributing

More details on how to contribute to this project can be found in CONTRIBUTING.md file.

Enums§

Encoding
Define which type of encoding the library supports when it needs to read the actual secret value.
Secret
A secret container that abstracts how it is written within the configuration file.

Type Aliases§

Result