Skip to main content

Crate vaultrs

Crate vaultrs 

Source
Expand description

§vaultrs

An asynchronous Rust client library for the [Hashicorp Vault] and [OpenBao] API.

§Usages

§AWS

The library currently supports all operations available for the AWS Secret Engine.

Only Vault is tested as for OpenBao its an external plugin.

See [aws tests] for more examples.

use vaultrs::sys::mount;
use vaultrs::aws;
use vaultrs::api::aws::requests::{SetConfigurationRequest, CreateUpdateRoleRequest, GenerateCredentialsRequest};


// Mount AWS SE
mount::enable(&client, "aws_test", "aws", None).await?;

// Configure AWS SE
aws::config::set(&client, "aws_test", "access_key", "secret_key", Some(SetConfigurationRequest::builder()
    .max_retries(3)
    .region("eu-central-1")
)).await?;

// Create HVault role
aws::roles::create_update(&client, "aws_test", "my_role", "assumed_role", Some(CreateUpdateRoleRequest::builder()
        .role_arns( vec!["arn:aws:iam::123456789012:role/test_role".to_string()] )
)).await?;

// Generate credentials
let res = aws::roles::credentials(&client, "aws_test", "my_role", Some(GenerateCredentialsRequest::builder()
    .ttl("3h")
)).await?;

let creds = res;
// creds.access_key
// creds.secret_key
// creds.security_token

§Key Value v2

The library currently supports all operations available for version 2 of the key/value store.

use serde::{Deserialize, Serialize};
use vaultrs::kv2;

// Create and read secrets
#[derive(Debug, Deserialize, Serialize)]
struct MySecret {
    key: String,
    password: String,
}


let secret = MySecret {
    key: "super".to_string(),
    password: "secret".to_string(),
};
kv2::set(
    &client,
    "secret",
    "mysecret",
    &secret,
).await;

let secret: MySecret = kv2::read(&client, "secret", "mysecret").await.unwrap();
println!("{}", secret.password); // "secret"

§Key Value v1

The library currently supports all operations available for version 1 of the key/value store.

use vaultrs::kv1;
use std::collections::HashMap;


let my_secrets = HashMap::from([
    ("key1", "value1"),
    ("key2", "value2")
]);

kv1::set(&client, "secret", "my/secrets", &my_secrets).await.unwrap();

let read_secrets: HashMap<String, String> = kv1::get(&client, "secret", "my/secrets").await.unwrap();

println!("{:}", read_secrets.get("key1").unwrap()); // value1

let list_secret = kv1::list(&client, "secret", "my").await.unwrap();

println!("{:?}", list_secret.data.keys); // [ "secrets" ]

kv1::delete(&client, "secret", "my/secrets").await.unwrap();

§PKI

The library currently supports all operations available for the PKI secrets engine.

use vaultrs::api::pki::requests::GenerateCertificateRequest;
use vaultrs::pki::cert;


// Generate a certificate using the PKI backend
let cert = cert::generate(
    &client,
    "pki",
    "my_role",
    Some(GenerateCertificateRequest::builder().common_name("test.com")),
).await?;
println!("{}", cert.certificate); // "{PEM encoded certificate}"

§Transit

The library supports most operations for the Transit secrets engine, other than importing keys or batch_input parameters.

use vaultrs::api::transit::requests::CreateKeyRequest;
use vaultrs::api::transit::KeyType;
use vaultrs::transit::key;


// Create an encryption key using the /transit backend
key::create(
    &client,
    "transit",
    "my-transit-key",
    Some(CreateKeyRequest::builder()
       .derived(true)
       .key_type(KeyType::Aes256Gcm96)
       .auto_rotate_period("30d")),
).await.unwrap();

§Wrapping

All requests implement the ability to be wrapped. These can be passed in your application internally before being unwrapped.

use vaultrs::api::ResponseWrapper;
use vaultrs::api::sys::requests::ListMountsRequest;



let endpoint = ListMountsRequest::builder().build().unwrap();
let wrap_resp = endpoint.wrap(&client).await; // Wrapped response
assert!(wrap_resp.is_ok());

let wrap_resp = wrap_resp.unwrap(); // Unwrap Result<>
let info = wrap_resp.lookup(&client).await; // Check status of this wrapped response
assert!(info.is_ok());

let unwrap_resp = wrap_resp.unwrap(&client).await; // Unwrap the response
assert!(unwrap_resp.is_ok());

let info = wrap_resp.lookup(&client).await; // Error: response already unwrapped
assert!(info.is_err());

§Proxy

You can configure the client to use an HTTP or HTTPS proxy by setting the proxy option in VaultClientSettingsBuilder. This is useful for routing requests through a proxy server for logging, monitoring, or network policy reasons.

use vaultrs::client::{VaultClientSettingsBuilder, VaultClient};

let settings = VaultClientSettingsBuilder::default()
    .address("https://127.0.0.1:8200")
    .token("TOKEN")
    .proxy("http://127.0.0.1:8080")
    .build()
    .unwrap();

let client = VaultClient::new(settings).unwrap();
// All requests made by `client` will be routed through the proxy

//! [Hashicorp Vault]: https://developer.hashicorp.com/vault [aws tests]: https://github.com/jmgilman/vaultrs/blob/master/vaultrs-tests/tests/api_tests/aws.rs [OpenBao]: https://openbao.org/

Modules§

api
auth
aws
client
cubbyhole
database
error
identity
Identity secrets engine
kv1
kv2
pki
ssh
sys
token
transit