Optional AWS Secrets Manager integration for tsafe.
Pulls secrets from AWS Secrets Manager and imports them into the local tsafe vault. The local vault remains the single source of truth — Secrets Manager is purely a read source. No secret data is ever written back to AWS.
# Configuration (environment variables)

| Variable | Required | Description |
|---|---|---|
| `AWS_DEFAULT_REGION` or `AWS_REGION` | yes | AWS region, e.g. `us-east-1` |
| `AWS_ACCESS_KEY_ID` | SP auth | IAM access key ID |
| `AWS_SECRET_ACCESS_KEY` | SP auth | IAM secret access key |
| `AWS_SESSION_TOKEN` | no | Session token for temporary credentials |
| `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` | no | ECS task role credentials endpoint |
If AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set, they are used
directly. Otherwise the ECS task role endpoint is tried, then IMDSv2
(works on EC2 instances with an IAM instance profile).
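The precedence above, as an added example that is not tsafe's own resolver: a small function that takes a snapshot of the environment and decides which credential source the three-step chain would use. It assumes that `AWS_DEFAULT_REGION` is checked before `AWS_REGION` (the page does not say which wins), that an empty variable counts as unset, and that a partially set static pair (key ID without secret, or vice versa) falls through to the ECS endpoint and then IMDSv2 rather than being used. Values such as `AKIA_EXAMPLE` are constructed for the test.

```rust
use std::collections::HashMap;

/// Which credential source the chain settles on.
#[derive(Debug, PartialEq, Eq)]
pub enum CredentialSource {
    /// AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY, optionally with a session token.
    Static { session_token: bool },
    /// ECS task role endpoint taken from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
    EcsTaskRole(String),
    /// Fall back to the EC2 instance metadata service (IMDSv2).
    Imdsv2,
}

/// Build an environment snapshot from (name, value) pairs. Constructed input helper.
pub fn env(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Resolve the region and credential source in the order the doc describes.
/// Hypothetical helper, not part of tsafe; empty values are treated as unset.
pub fn resolve(env: &HashMap<String, String>) -> Result<(String, CredentialSource), String> {
    // Assumption: AWS_DEFAULT_REGION takes precedence over AWS_REGION.
    let region = env
        .get("AWS_DEFAULT_REGION")
        .or_else(|| env.get("AWS_REGION"))
        .filter(|r| !r.is_empty())
        .ok_or("AWS_DEFAULT_REGION or AWS_REGION must be set")?;

    let source = match (env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")) {
        // Step 1: both halves of the static pair present -> use them directly.
        (Some(id), Some(secret)) if !id.is_empty() && !secret.is_empty() => {
            CredentialSource::Static {
                session_token: env.get("AWS_SESSION_TOKEN").map_or(false, |t| !t.is_empty()),
            }
        }
        // Step 2: ECS task role endpoint if the container URI is set.
        // Step 3: otherwise IMDSv2 on the instance.
        _ => match env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
            Some(uri) if !uri.is_empty() => CredentialSource::EcsTaskRole(uri.clone()),
            _ => CredentialSource::Imdsv2,
        },
    };

    Ok((region.clone(), source))
}

fn main() {
    let snapshot = env(&[
        ("AWS_REGION", "us-east-1"),
        ("AWS_ACCESS_KEY_ID", "AKIA_EXAMPLE"), // constructed placeholder, not a real key
        ("AWS_SECRET_ACCESS_KEY", "secret-placeholder"),
    ]);
    println!("{:?}", resolve(&snapshot));
}
```

A useful operational check that falls out of this: if only `AWS_ACCESS_KEY_ID` is exported (a common misconfiguration when a secret is rotated out of a shell profile), the chain silently moves on to the task role or instance profile, so a "works on my laptop" setup can end up pulling secrets under a different identity than intended.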
# Key normalisation
Secret names such as my-app/db-password are normalised to
MY_APP_DB_PASSWORD (slashes and hyphens → underscores, uppercased) so
they are immediately usable as environment variables.
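The normalisation rule above, written out as an added example (not tsafe's own implementation) together with the two checks an importer wants alongside it: that the result is actually a legal environment variable name, and that two distinct secret names do not collapse onto the same key. Only the two substitutions the page names (`/` and `-` to `_`) are applied; any other character is left as-is and caught by the validity check. The secret names used in the test are constructed.

```rust
use std::collections::HashMap;

/// Normalise an AWS secret name into an environment-variable-style key:
/// '/' and '-' become '_', everything else is uppercased.
/// Hypothetical helper mirroring the rule described in the doc.
pub fn normalise_key(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            '/' | '-' => '_',
            other => other.to_ascii_uppercase(),
        })
        .collect()
}

/// True when `key` is a portable environment variable name:
/// first character a letter or '_', the rest letters, digits or '_'.
pub fn is_valid_env_key(key: &str) -> bool {
    let mut chars = key.chars();
    match chars.next() {
        Some(c) if c == '_' || c.is_ascii_alphabetic() => {}
        _ => return false,
    }
    chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

/// Map every secret name to its normalised key. Fails on a key that is not a
/// valid env var name, and on two names that normalise to the same key, so an
/// import never silently overwrites one secret with another.
pub fn normalise_all(names: &[&str]) -> Result<HashMap<String, String>, String> {
    let mut out: HashMap<String, String> = HashMap::new(); // key -> original name
    for &name in names {
        let key = normalise_key(name);
        if !is_valid_env_key(&key) {
            return Err(format!(
                "{name:?} normalises to {key:?}, which is not a valid environment variable name"
            ));
        }
        if let Some(prev) = out.insert(key.clone(), name.to_string()) {
            return Err(format!("{name:?} and {prev:?} both normalise to {key:?}"));
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample names.
    println!("{}", normalise_key("my-app/db-password"));
    println!("{:?}", normalise_all(&["my-app/db-password", "my_app/db_password"]));
}
```

The collision case is the one to watch in practice: `my-app/db-password` and `my_app/db_password` are different secrets in Secrets Manager but produce the identical key `MY_APP_DB_PASSWORD`, so whichever is imported last wins unless the importer refuses the batch.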
# Re-exports

```rust
pub use config::AwsConfig;
pub use config::AwsCredentials;
pub use error::AwsError;
pub use secretsmanager::pull_secrets;
pub use ssm::pull_ssm_parameters;
```

# Modules

- `config`: AWS runtime config and credential loading.
- `error`
- `secretsmanager`: AWS Secrets Manager HTTP client.
- `sigv4`: AWS Signature Version 4 signing for AWS JSON-service HTTP requests.
- `ssm`: AWS SSM Parameter Store HTTP client.