Crate secret_store

§secret_store

A unified, async secret-store interface for multiple cloud providers, inspired by object_store.

All providers implement the same SecretStore trait, so you can swap backends without changing application code.

§Providers

Feature   Provider                             Builder
(none)    memory::InMemory — for tests         InMemory::new() / InMemory::with_secrets()
azure     Azure Key Vault                      azure::KeyVaultBuilder
aws       AWS Secrets Manager                  aws::AwsSecretsManagerBuilder
gcp       GCP Secret Manager                   gcp::GcpSecretManagerBuilder
http      Generic HTTP / HashiCorp Vault KV    http::HttpSecretStoreBuilder

§Quick Start — In-Memory (no cloud credentials needed)

use std::sync::Arc;
use secret_store::{SecretStore, memory::InMemory};

#[tokio::main]
async fn main() -> secret_store::Result<()> {
    let store: Arc<dyn SecretStore> = Arc::new(InMemory::new());

    store.set_secret("db-password", "hunter2").await?;
    let val = store.get_secret("db-password").await?;
    println!("{}", val.expose_secret());   // hunter2

    // List secrets (optionally filtered by prefix)
    let names = store.list_secrets(Some("db-")).await?;
    assert_eq!(names[0].name, "db-password");

    store.delete_secret("db-password").await?;
    Ok(())
}

§Quick Start — Azure Key Vault (azure feature)

use secret_store::azure::KeyVaultBuilder;
use secret_store::SecretStore;

#[tokio::main]
async fn main() -> secret_store::Result<()> {
    // Reads AZURE_KEYVAULT_URL + AZURE_TENANT_ID / AZURE_CLIENT_ID /
    // AZURE_CLIENT_SECRET from env, or falls back to the Azure CLI.
    let store = KeyVaultBuilder::from_env().build().await?;
    println!("{store}");   // AzureKeyVault: https://my-vault.vault.azure.net/
    println!("{store:?}"); // vault_url=..., provider=AzureKeyVault
    store.set_secret("api-key", "s3cr3t").await?;
    Ok(())
}

§Quick Start — AWS Secrets Manager (aws feature)

use secret_store::aws::AwsSecretsManagerBuilder;
use secret_store::SecretStore;

#[tokio::main]
async fn main() -> secret_store::Result<()> {
    // Reads AWS_DEFAULT_REGION / AWS_REGION from env; credentials come
    // from the standard AWS credential chain (env, ~/.aws, IMDSv2, …).
    let store = AwsSecretsManagerBuilder::from_env().build().await?;
    store.set_secret("db-password", "hunter2").await?;
    Ok(())
}

§Quick Start — GCP Secret Manager (gcp feature)

use secret_store::gcp::GcpSecretManagerBuilder;
use secret_store::SecretStore;

#[tokio::main]
async fn main() -> secret_store::Result<()> {
    // Reads GCP_PROJECT_ID from env; authenticates via Application Default
    // Credentials (GOOGLE_APPLICATION_CREDENTIALS, gcloud CLI, Workload Identity).
    let store = GcpSecretManagerBuilder::from_env().build().await?;
    store.set_secret("api-key", "s3cr3t").await?;
    Ok(())
}

§Quick Start — Generic HTTP / HashiCorp Vault (http feature)

use secret_store::http::HttpSecretStoreBuilder;
use secret_store::SecretStore;

#[tokio::main]
async fn main() -> secret_store::Result<()> {
    // Reads SECRET_STORE_HTTP_URL and SECRET_STORE_HTTP_TOKEN from env.
    let store = HttpSecretStoreBuilder::from_env().build()?;
    store.set_secret("db-password", "hunter2").await?;
    Ok(())
}

§Display and Debug

Every store implements fmt::Display (minimal, log-friendly) and fmt::Debug (verbose, useful while debugging):

use secret_store::memory::InMemory;

let store = InMemory::new();
println!("{store}");   // InMemory(0 secrets)
println!("{store:?}"); // same — InMemory has no extra internal state

Cloud stores show their identifying info:

  • Azure (Display: vault URL; Debug: vault URL + provider tag)
  • AWS (Display: region; Debug: region + provider tag)
  • GCP (Display: project ID; Debug: project ID + API endpoint + provider tag)
  • HTTP (Display: base URL; Debug: base URL + namespace + provider tag)
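The reason the stores keep Display minimal is the same reason secret values are read through an explicit expose_secret() call: anything with a derived Debug ends up in log lines. The following is an added example, not code from the secret_store crate, showing the pattern with a constructed SecretValue type (the name mirrors the crate's re-export but the implementation here is the example's own): a config struct with a plain String field leaks the password through `{:?}`, the same struct holding the redacting wrapper does not, and the buffer is wiped on drop.

```rust
use std::fmt;

/// Wrapper whose Debug and Display output never contains the secret bytes.
/// Constructed for this example, modelled on the expose_secret() pattern.
pub struct SecretValue(String);

impl SecretValue {
    pub fn new(s: impl Into<String>) -> Self {
        SecretValue(s.into())
    }
    /// The only way to read the value: an explicit call that is easy to grep
    /// for in review, so every place a secret becomes plaintext is visible.
    pub fn expose_secret(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for SecretValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretValue([REDACTED])")
    }
}

impl fmt::Display for SecretValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

impl Drop for SecretValue {
    // Best-effort wipe before the buffer is freed. Volatile writes stop the
    // optimizer from discarding stores to memory that is about to be released.
    fn drop(&mut self) {
        // SAFETY: zero bytes are valid UTF-8, so the String invariant holds.
        unsafe {
            for b in self.0.as_bytes_mut() {
                std::ptr::write_volatile(b, 0);
            }
        }
    }
}

/// Before: a plain String field. `#[derive(Debug)]` prints the password
/// verbatim, so a `debug!("{:?}", cfg)` line ships it to the log pipeline.
#[derive(Debug)]
pub struct LeakyDbConfig {
    pub host: String,
    pub password: String,
}

/// After: the same struct holding a SecretValue. The derived Debug delegates
/// to the redacting impl, so the identical log line is safe.
#[derive(Debug)]
pub struct DbConfig {
    pub host: String,
    pub password: SecretValue,
}

pub fn leaky_debug() -> String {
    let cfg = LeakyDbConfig { host: "db.internal".into(), password: "hunter2".into() };
    format!("{:?}", cfg)
}

pub fn safe_debug() -> String {
    let cfg = DbConfig { host: "db.internal".into(), password: SecretValue::new("hunter2") };
    format!("{:?}", cfg)
}

/// Only code that deliberately calls expose_secret() sees the plaintext.
pub fn connect_string(cfg: &DbConfig) -> String {
    format!("host={} password={}", cfg.host, cfg.password.expose_secret())
}

fn main() {
    println!("{}", leaky_debug()); // password visible
    println!("{}", safe_debug()); // password redacted
}
```

The constructed sample values (`db.internal`, `hunter2`) are placeholders. The drop-time wipe is best effort only: copies made by String reallocation or by the allocator are outside its reach, which is why the wrapper also makes every read an explicit call.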

§KMS Envelope Encryption

Enable the kms feature to access kms::SecretsManager, a zero-storage encryption layer that wraps data keys with a cloud KMS and encrypts your data locally with AES-256-GCM before storing ciphertext in any SecretStore backend.
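To make the envelope structure concrete, here is an added example that is not the crate's kms module: a mock KMS that only ever wraps and unwraps data keys, a seal/open pair that encrypts locally under a fresh DEK, and a re-wrap step showing why KEK rotation never touches the data ciphertext. The cipher is a deliberate stand-in for AES-256-GCM (XOR with a SipHash-derived keystream, no authentication, no security value) so the example runs with the standard library only; the RNG is a deterministic stand-in too. Names such as MockKms, seal, open and rewrap are this example's own.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Stand-in for AES-256-GCM: XOR with a SipHash-derived keystream. No
/// security properties; it exists only so the envelope structure runs offline.
fn toy_cipher(key: &[u8; 32], nonce: &[u8; 12], data: &[u8]) -> Vec<u8> {
    data.iter()
        .enumerate()
        .map(|(i, b)| {
            let mut h = DefaultHasher::new();
            key.hash(&mut h);
            nonce.hash(&mut h);
            (i as u64 / 8).hash(&mut h);
            *b ^ h.finish().to_le_bytes()[i % 8]
        })
        .collect()
}

/// What the KMS returns: the DEK encrypted under a named KEK. Safe to store.
#[derive(Clone, Debug, PartialEq)]
pub struct WrappedKey {
    pub kek_id: String,
    pub nonce: [u8; 12],
    pub blob: Vec<u8>,
}

/// Mock cloud KMS. KEKs live only inside it; callers get wrap/unwrap.
pub struct MockKms {
    keks: HashMap<String, [u8; 32]>,
    current: String,
}

impl MockKms {
    pub fn new(kek_id: &str, kek: [u8; 32]) -> Self {
        let mut kms = MockKms { keks: HashMap::new(), current: String::new() };
        kms.rotate(kek_id, kek);
        kms
    }
    /// Add a KEK and make it current; older KEKs stay until retired.
    pub fn rotate(&mut self, kek_id: &str, kek: [u8; 32]) {
        self.keks.insert(kek_id.to_string(), kek);
        self.current = kek_id.to_string();
    }
    pub fn retire(&mut self, kek_id: &str) {
        self.keks.remove(kek_id);
    }
    pub fn wrap(&self, dek: &[u8; 32], random: &mut dyn FnMut(&mut [u8])) -> WrappedKey {
        let mut nonce = [0u8; 12];
        random(&mut nonce[..]);
        let blob = toy_cipher(&self.keks[&self.current], &nonce, dek);
        WrappedKey { kek_id: self.current.clone(), nonce, blob }
    }
    pub fn unwrap(&self, w: &WrappedKey) -> Result<[u8; 32], String> {
        let kek = self.keks.get(&w.kek_id).ok_or(format!("KEK {} not available", w.kek_id))?;
        let bytes = toy_cipher(kek, &w.nonce, &w.blob);
        if bytes.len() != 32 {
            return Err("wrapped DEK has wrong length".to_string());
        }
        let mut dek = [0u8; 32];
        dek.copy_from_slice(&bytes);
        Ok(dek)
    }
}

/// The record that reaches the SecretStore backend: ciphertext plus wrapped
/// DEK, never the plaintext or the plaintext DEK.
#[derive(Clone, Debug, PartialEq)]
pub struct Envelope {
    pub wrapped_dek: WrappedKey,
    pub nonce: [u8; 12],
    pub ciphertext: Vec<u8>,
}

/// Encrypt locally under a fresh DEK, then ask the KMS to wrap only the DEK.
pub fn seal(kms: &MockKms, random: &mut dyn FnMut(&mut [u8]), plaintext: &[u8]) -> Envelope {
    let mut dek = [0u8; 32];
    random(&mut dek[..]);
    let mut nonce = [0u8; 12];
    random(&mut nonce[..]);
    let ciphertext = toy_cipher(&dek, &nonce, plaintext);
    let wrapped_dek = kms.wrap(&dek, random);
    Envelope { wrapped_dek, nonce, ciphertext } // plaintext DEK dropped here
}

pub fn open(kms: &MockKms, env: &Envelope) -> Result<Vec<u8>, String> {
    let dek = kms.unwrap(&env.wrapped_dek)?;
    Ok(toy_cipher(&dek, &env.nonce, &env.ciphertext))
}

/// KEK rotation re-wraps the DEK under the current KEK; the data ciphertext is
/// untouched, so rotation costs one KMS call per record, not a re-encrypt.
pub fn rewrap(kms: &MockKms, env: &Envelope, random: &mut dyn FnMut(&mut [u8])) -> Result<Envelope, String> {
    let dek = kms.unwrap(&env.wrapped_dek)?;
    Ok(Envelope { wrapped_dek: kms.wrap(&dek, random), nonce: env.nonce, ciphertext: env.ciphertext.clone() })
}

/// Deterministic stand-in for the OS CSPRNG so the demo is reproducible.
pub fn demo_random() -> impl FnMut(&mut [u8]) {
    let mut counter: u8 = 0;
    move |buf: &mut [u8]| {
        for b in buf.iter_mut() {
            counter = counter.wrapping_add(37);
            *b = counter;
        }
    }
}

fn main() {
    let mut rng = demo_random();
    let mut kms = MockKms::new("kek-v1", [0x11; 32]);
    let env = seal(&kms, &mut rng, b"hunter2"); // constructed sample secret
    kms.rotate("kek-v2", [0x22; 32]);
    let env2 = rewrap(&kms, &env, &mut rng).unwrap();
    kms.retire("kek-v1");
    println!("old record opens: {}, re-wrapped opens: {}", open(&kms, &env).is_ok(), open(&kms, &env2).is_ok());
}
```

The point to take from the run: once `kek-v1` is retired, the record wrapped under it can no longer be opened, while the re-wrapped copy with byte-identical ciphertext still can. A rotation procedure therefore has to re-wrap every stored envelope before the old KEK is disabled, and the backend never needs to see plaintext to do it.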

Re-exports§

pub use common::Error;
pub use common::Result;
pub use common::SecretMeta;
pub use common::SecretValue;
pub use common::obfuscate_secret;

Modules§

aws
AWS Secrets Manager secret store provider.
azure
Azure Key Vault secret store provider.
common
Shared types, error definitions, and utility functions used across all secret store providers.
gcp
GCP Secret Manager provider — lean implementation using gcp_auth + reqwest.
http
Generic HTTP secret store provider.
kms
KMS envelope-encryption layer.
memory
In-memory secret store — always available, no feature flags required.

Traits§

SecretStore
A unified, async interface for reading and writing named secrets.

Type Aliases§

DynSecretStore
Type alias for a dynamically-dispatched SecretStore.