tsafe_aws/lib.rs
//! Optional AWS Secrets Manager integration for tsafe.
//!
//! Pulls secrets from AWS Secrets Manager and imports them into the local
//! tsafe vault. The local vault remains the single source of truth — Secrets
//! Manager is purely a **read** source. No secret data is ever written back
//! to AWS.
//!
//! ## Configuration (environment variables)
//!
//! | Variable                                 | Required | Description                              |
//! |------------------------------------------|----------|------------------------------------------|
//! | `AWS_DEFAULT_REGION` or `AWS_REGION`     | yes      | AWS region, e.g. `us-east-1`             |
//! | `AWS_ACCESS_KEY_ID`                      | SP auth  | IAM access key ID                        |
//! | `AWS_SECRET_ACCESS_KEY`                  | SP auth  | IAM secret access key                    |
//! | `AWS_SESSION_TOKEN`                      | no       | Session token for temporary credentials  |
//! | `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` | no       | ECS task role credentials endpoint       |
//!
//! If `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are set, they are used
//! directly. Otherwise the ECS task role endpoint is tried, then IMDSv2
//! (works on EC2 instances with an IAM instance profile).
//!
//! ## Key normalisation
//! Secret names such as `my-app/db-password` are normalised to
//! `MY_APP_DB_PASSWORD` (slashes and hyphens → underscores, uppercased) so
//! they are immediately usable as environment variables.

pub mod config;
pub mod error;
pub mod secretsmanager;
pub mod sigv4;
pub mod ssm;

pub use config::{AwsConfig, AwsCredentials};
pub use error::AwsError;
pub use secretsmanager::pull_secrets;
pub use ssm::pull_ssm_parameters;
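An added example, not part of the tsafe_aws crate, that applies the key normalisation rule from the module docs above and adds two checks worth having before anything lands in the vault: that the normalised key is a usable environment variable name, and that two distinct secret names have not collapsed onto the same key (the rule maps `my-app/db` and `my_app-db` to the same `MY_APP_DB`, so an unchecked import lets one secret silently shadow another). The function names and the `[A-Z_][A-Z0-9_]*` env-name rule are assumptions of this example, not the crate's API.

```rust
use std::collections::HashMap;

/// Normalise a secret name as the crate docs describe: slashes and hyphens
/// become underscores and the result is uppercased.
pub fn normalise_key(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            '/' | '-' => '_',
            other => other.to_ascii_uppercase(),
        })
        .collect()
}

/// Added check (an assumption, not from the crate docs): a portable
/// environment variable name matches `[A-Z_][A-Z0-9_]*`.
pub fn is_valid_env_name(key: &str) -> bool {
    let mut chars = key.chars();
    matches!(chars.next(), Some(c) if c.is_ascii_uppercase() || c == '_')
        && chars.all(|c| c.is_ascii_uppercase() || c.is_ascii_digit() || c == '_')
}

/// Import (name, value) pairs keyed by normalised name. Distinct names such
/// as `my-app/db-password` and `my_app/db_password` map to the same key, so
/// a later entry could silently shadow an earlier one; the import refuses
/// collisions and unusable names rather than overwriting.
pub fn import_secrets(pairs: &[(&str, &str)]) -> Result<HashMap<String, String>, String> {
    let mut vault: HashMap<String, String> = HashMap::new();
    let mut origin: HashMap<String, &str> = HashMap::new(); // key -> source name
    for &(name, value) in pairs {
        let key = normalise_key(name);
        if !is_valid_env_name(&key) {
            return Err(format!("{name:?} normalises to {key:?}, not a valid env var name"));
        }
        if let Some(prev) = origin.insert(key.clone(), name) {
            return Err(format!("{name:?} and {prev:?} both normalise to {key:?}"));
        }
        vault.insert(key, value.to_string());
    }
    Ok(vault)
}

fn main() {
    // Constructed sample input; not real secrets.
    let sample = [("my-app/db-password", "example"), ("my-app/api-key", "example")];
    match import_secrets(&sample) {
        Ok(v) => println!("imported keys: {:?}", v.keys().collect::<Vec<_>>()),
        Err(e) => eprintln!("import refused: {e}"),
    }
}
```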