tsafe_gcp/lib.rs
//! Optional GCP Secret Manager integration for tsafe.
//!
//! Pulls secrets from GCP Secret Manager and imports them into the local
//! tsafe vault. The local vault remains the single source of truth — Secret
//! Manager is purely a **read** source. No secret data is ever written back
//! to GCP.
//!
//! ## Configuration (environment variables)
//!
//! | Variable                          | Required | Description                                                  |
//! |-----------------------------------|----------|--------------------------------------------------------------|
//! | `GOOGLE_CLOUD_PROJECT`            | yes*     | GCP project ID                                               |
//! | `GCLOUD_PROJECT`                  | yes*     | Alternate project ID env var                                 |
//! | `GOOGLE_OAUTH_TOKEN`              | auth†    | Pre-obtained OAuth2 token (`gcloud auth print-access-token`) |
//! | `GOOGLE_APPLICATION_CREDENTIALS`  | auth†    | Path to ADC JSON file (authorized_user)                      |
//!
//! \* Project ID falls back to the GCE metadata server if neither env var is set.
//! † Authentication tries, in order: `GOOGLE_OAUTH_TOKEN` → GCE metadata server →
//! ADC file (`$GOOGLE_APPLICATION_CREDENTIALS` or
//! `~/.config/gcloud/application_default_credentials.json`).
//!
//! ## Key normalisation
//! Secret names such as `my-db-password` are normalised to `MY_DB_PASSWORD`
//! (hyphens and dots → underscores, uppercased) so they are immediately
//! usable as environment variables.

pub mod config;
pub mod error;
pub mod secretmanager;

pub use config::{acquire_token, GcpConfig, GcpToken};
pub use error::GcpError;
pub use secretmanager::pull_secrets;
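The key normalisation rule documented above (hyphens and dots become underscores, then uppercase) is lossy: several distinct Secret Manager names can collapse onto one environment-variable key, and a name that starts with a digit yields a key a shell will not accept. The following is an added, stand-alone example written for this page, not code from the `tsafe_gcp` crate; `normalize_key`, `is_valid_env_name`, `import_plan` and `ImportPlan` are hypothetical names, and the collision and validity checks go beyond the rule the crate docs state. The sample secret names are constructed.

```rust
// Added example: the normalisation rule from the tsafe_gcp crate docs, plus
// checks for key collisions and unusable env var names. Illustrative only;
// not the crate's own implementation (function and type names are hypothetical).

use std::collections::BTreeMap;

/// Normalise a Secret Manager secret name into an environment-variable style
/// key: hyphens and dots become underscores, everything is uppercased.
pub fn normalize_key(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            '-' | '.' => '_',
            other => other.to_ascii_uppercase(),
        })
        .collect()
}

/// Whether a normalised key is a name a POSIX shell accepts for an environment
/// variable: non-empty, first char in `[A-Z_]`, remaining chars in `[A-Z0-9_]`.
pub fn is_valid_env_name(key: &str) -> bool {
    let mut chars = key.chars();
    match chars.next() {
        Some(c) if c.is_ascii_uppercase() || c == '_' => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_uppercase() || c.is_ascii_digit() || c == '_')
}

/// Result of planning an import of a list of Secret Manager secret names.
#[derive(Debug, Default, PartialEq)]
pub struct ImportPlan {
    /// normalised key -> original secret name, for keys that are unique and valid
    pub accepted: BTreeMap<String, String>,
    /// keys that more than one secret name maps to; importing these blindly
    /// would let whichever secret is processed last silently overwrite the others
    pub collisions: BTreeMap<String, Vec<String>>,
    /// secret names whose normalised form is not a usable env var name
    pub invalid: Vec<String>,
}

/// Group secret names by their normalised key and sort them into accepted,
/// colliding and invalid buckets so the caller can refuse or warn before importing.
pub fn import_plan(names: &[&str]) -> ImportPlan {
    let mut by_key: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut plan = ImportPlan::default();

    for name in names {
        let key = normalize_key(name);
        if !is_valid_env_name(&key) {
            plan.invalid.push(name.to_string());
            continue;
        }
        by_key.entry(key).or_default().push(name.to_string());
    }

    for (key, sources) in by_key {
        if sources.len() == 1 {
            plan.accepted.insert(key, sources.into_iter().next().unwrap());
        } else {
            plan.collisions.insert(key, sources);
        }
    }
    plan
}

fn main() {
    // Constructed sample secret names; not real project data.
    let names = ["my-db-password", "api.key", "my_db_password", "3rd-party-token", "smtp-host"];
    let plan = import_plan(&names);
    println!("{plan:#?}");
}
```

Running `import_plan` over the sample names above places `API_KEY` and `SMTP_HOST` in `accepted`, reports `MY_DB_PASSWORD` as a collision between `my-db-password` and `my_db_password`, and rejects `3rd-party-token` because `3RD_PARTY_TOKEN` starts with a digit. Surfacing collisions before import matters because a vault that is the single source of truth should not end up holding whichever of two same-keyed secrets happened to be pulled last.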