Documentation
Overview
Package secrets provides the functionality to access secrets from Vault by reading them out of a JSON file with automatic refresh on change.
Store should be used to instantiate and configure the secret fetcher.
Index
- Variables
- type CredentialSecret
- type Document
- type GenericSecret
- type Secret
- type SecretHandlerFunc
- type SecretMiddleware
- type SecretNotFoundError
- type Secrets
- type SimpleSecret
- type Store
- func (s *Store) AddMiddlewares(middlewares ...SecretMiddleware)
- func (s *Store) Close()
- func (s Store) GetCredentialSecret(path string) (CredentialSecret, error)
- func (s Store) GetSimpleSecret(path string) (SimpleSecret, error)
- func (s Store) GetVault() (Vault, error)
- func (s Store) GetVersionedSecret(path string) (VersionedSecret, error)
- type TooManyFieldsError
- type Vault
- type VersionedSecret
Constants
This section is empty.
Variables
var ErrInvalidEncoding = errors.New("secrets: invalid encoding, expected identity, base64 or empty")
ErrInvalidEncoding is the error returned by the parser when it encounters an invalid encoding in the secrets.json file.
Functions
This section is empty.
Types
type CredentialSecret
CredentialSecret represents username/password pairs as a single secret in Vault. Note that usernames are not generally considered secret, but they are tied to passwords.
type Document
type Document struct {
	Secrets map[string]GenericSecret `json:"secrets"`
	Vault   Vault                    `json:"vault"`
}
Document represents the raw parsed entity of a secrets JSON file and is meant only for instantiating Secrets.
type GenericSecret
type GenericSecret struct {
	Type     string   `json:"type"`
	Value    string   `json:"value"`
	Encoding encoding `json:"encoding"`
	Current  string   `json:"current"`
	Previous string   `json:"previous"`
	Next     string   `json:"next"`
	Username string   `json:"username"`
	Password string   `json:"password"`
}
GenericSecret is a placeholder that fits all types of secrets when parsing the secrets JSON, before they are processed into their more strongly typed equivalents.
type SecretHandlerFunc
type SecretHandlerFunc func(sec *Secrets)
SecretHandlerFunc is the function that actually works with the Secrets.
type SecretMiddleware
type SecretMiddleware func(next SecretHandlerFunc) SecretHandlerFunc
SecretMiddleware builds a chain of SecretHandlerFunc calls.
type SecretNotFoundError
type SecretNotFoundError string
SecretNotFoundError is returned when the key for a secret is not present in the secret store.
func (SecretNotFoundError) Error
func (path SecretNotFoundError) Error() string
type Secrets
type Secrets struct {
// contains filtered or unexported fields
}
Secrets gives access to secrets according to their type.
func NewSecrets
NewSecrets parses and validates the secret JSON provided by the reader.
func (*Secrets) GetCredentialSecret
func (s *Secrets) GetCredentialSecret(path string) (CredentialSecret, error)
GetCredentialSecret fetches a credential secret, or returns an error if the key is not present.
func (*Secrets) GetSimpleSecret
func (s *Secrets) GetSimpleSecret(path string) (SimpleSecret, error)
GetSimpleSecret fetches a simple secret, or returns an error if the key is not present.
func (*Secrets) GetVersionedSecret
func (s *Secrets) GetVersionedSecret(path string) (VersionedSecret, error)
GetVersionedSecret fetches a versioned secret, or returns an error if the key is not present.
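As an added example (not the package's own source), here is a self-contained parser for the Document/GenericSecret layout described above, together with a NewSecrets and the typed getters documented under Secrets. The JSON tags, ErrInvalidEncoding and SecretNotFoundError come from this page; the field layout of Secret, SimpleSecret, CredentialSecret and VersionedSecret, the "simple"/"credential"/"versioned" type strings, and the decision to decode and validate every entry at load time are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// ErrInvalidEncoding and SecretNotFoundError mirror the documented errors.
var ErrInvalidEncoding = errors.New("secrets: invalid encoding, expected identity, base64 or empty")
type SecretNotFoundError string
func (p SecretNotFoundError) Error() string { return "secrets: no secret at " + string(p) }

// Secret is decoded secret material (assumption: the real package uses a []byte alias).
type Secret []byte
type (
	SimpleSecret     struct{ Value Secret }
	CredentialSecret struct{ Username, Password string }
	VersionedSecret  struct{ Current, Previous, Next Secret }
)

// GenericSecret and Document follow the JSON layout documented above.
type GenericSecret struct {
	Type     string `json:"type"`
	Value    string `json:"value"`
	Encoding string `json:"encoding"`
	Current  string `json:"current"`
	Previous string `json:"previous"`
	Next     string `json:"next"`
	Username string `json:"username"`
	Password string `json:"password"`
}

type Document struct{ Secrets map[string]GenericSecret `json:"secrets"` }

// decode applies the declared encoding: "" and "identity" pass bytes through, "base64" decodes, anything else is ErrInvalidEncoding.
func decode(enc, v string) (Secret, error) {
	switch enc {
	case "", "identity":
		return Secret(v), nil
	case "base64":
		b, err := base64.StdEncoding.DecodeString(v)
		return Secret(b), err
	}
	return nil, ErrInvalidEncoding
}

// Secrets is the typed view of a parsed Document, one map per secret kind.
type Secrets struct {
	simple     map[string]SimpleSecret
	credential map[string]CredentialSecret
	versioned  map[string]VersionedSecret
}

// NewSecrets parses r and decodes every entry up front, so a bad encoding or unknown type fails at load time, not on first use.
func NewSecrets(r io.Reader) (*Secrets, error) {
	var doc Document
	if err := json.NewDecoder(r).Decode(&doc); err != nil {
		return nil, fmt.Errorf("secrets: parse: %w", err)
	}
	s := &Secrets{map[string]SimpleSecret{}, map[string]CredentialSecret{}, map[string]VersionedSecret{}}
	for path, g := range doc.Secrets {
		var err error
		switch g.Type {
		case "simple":
			var v SimpleSecret
			v.Value, err = decode(g.Encoding, g.Value)
			s.simple[path] = v
		case "credential": // username/password are plain strings; no encoding applies
			s.credential[path] = CredentialSecret{g.Username, g.Password}
		case "versioned": // current, previous and next share one encoding
			var parts [3]Secret
			for i, raw := range []string{g.Current, g.Previous, g.Next} {
				if parts[i], err = decode(g.Encoding, raw); err != nil {
					break
				}
			}
			s.versioned[path] = VersionedSecret{parts[0], parts[1], parts[2]}
		default:
			err = fmt.Errorf("unknown secret type %q", g.Type)
		}
		if err != nil {
			return nil, fmt.Errorf("secrets: %s: %w", path, err)
		}
	}
	return s, nil
}

// lookup yields SecretNotFoundError for an absent path.
func lookup[T any](m map[string]T, path string) (T, error) {
	if v, ok := m[path]; ok {
		return v, nil
	}
	var zero T
	return zero, SecretNotFoundError(path)
}
func (s *Secrets) GetSimpleSecret(p string) (SimpleSecret, error)         { return lookup(s.simple, p) }
func (s *Secrets) GetCredentialSecret(p string) (CredentialSecret, error) { return lookup(s.credential, p) }
func (s *Secrets) GetVersionedSecret(p string) (VersionedSecret, error)   { return lookup(s.versioned, p) }
```

Because every value is decoded in NewSecrets, a secrets.json with an unsupported encoding is rejected when the file is loaded, so a misconfigured file never reaches the point where a request handler discovers the problem.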
type Store
type Store struct {
// contains filtered or unexported fields
}
Store gives access to secret tokens with automatic refresh on change.
This local vault allows access to the secrets cached on disk by the fetcher daemon. It automatically reloads the cache when it changes. Do not cache or store the values returned by this type's methods; fetch them from the Store each time you need them. The secrets are served from memory, so there is little performance impact in doing so, and you will always have the current version in the face of key rotation and similar events.
func NewStore
func NewStore(ctx context.Context, path string, logger log.Wrapper, middlewares ...SecretMiddleware) (*Store, error)
NewStore returns a new instance of Store, configured with a filewatcher that watches the file at path for changes, so that the store always returns up-to-date secrets.
The context should come with a timeout; otherwise this call might block forever, e.g. if the path never becomes available.
func (*Store) AddMiddlewares
func (s *Store) AddMiddlewares(middlewares ...SecretMiddleware)
AddMiddlewares registers new middlewares with the store.
Every AddMiddlewares call causes all already registered middlewares to be called again with the latest data.
AddMiddlewares is not thread-safe; it must not be called concurrently.
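To make the chaining concrete, the following added example (not the package's code) models a Store using the SecretHandlerFunc and SecretMiddleware types documented above, with an AddMiddlewares that re-runs every registered middleware against the latest data, as described. The Secrets stand-in, the Reload hook that a file watcher would call, and the composition order (first registered middleware runs first) are assumptions of this example, not necessarily the package's behaviour.

```go
package main

import "fmt"

// Secrets stands in for the parsed secrets document; it carries only a version
// number so the trace can show which data each middleware saw (assumption).
type Secrets struct{ Version int }

// SecretHandlerFunc and SecretMiddleware have the documented signatures.
type SecretHandlerFunc func(sec *Secrets)

type SecretMiddleware func(next SecretHandlerFunc) SecretHandlerFunc

// Store keeps the most recent Secrets and the registered middlewares.
type Store struct {
	latest      *Secrets
	middlewares []SecretMiddleware
}

// chain wraps a terminal no-op handler with every middleware. Wrapping from the
// last registered inwards means the first registered middleware runs first
// (this ordering is the example's choice).
func (s *Store) chain() SecretHandlerFunc {
	h := SecretHandlerFunc(func(*Secrets) {})
	for i := len(s.middlewares) - 1; i >= 0; i-- {
		h = s.middlewares[i](h)
	}
	return h
}

// AddMiddlewares registers middlewares and, as documented, re-runs all of the
// registered ones against the latest data. It is not safe for concurrent use.
func (s *Store) AddMiddlewares(mws ...SecretMiddleware) {
	s.middlewares = append(s.middlewares, mws...)
	if s.latest != nil {
		s.chain()(s.latest)
	}
}

// Reload is what the file watcher would invoke after the secrets file changes.
func (s *Store) Reload(sec *Secrets) {
	s.latest = sec
	s.chain()(sec)
}

// tracing returns a middleware that appends "name:vN" to trace before passing
// control to the next handler; it models a consumer that re-derives state
// (for example a cached client) whenever the secrets change.
func tracing(name string, trace *[]string) SecretMiddleware {
	return func(next SecretHandlerFunc) SecretHandlerFunc {
		return func(sec *Secrets) {
			*trace = append(*trace, fmt.Sprintf("%s:v%d", name, sec.Version))
			next(sec)
		}
	}
}

// Scenario registers A, loads v1, registers B (which re-runs A as well), then
// loads v2, and returns the resulting trace.
func Scenario() []string {
	var trace []string
	st := &Store{}
	st.AddMiddlewares(tracing("A", &trace)) // no data loaded yet, nothing runs
	st.Reload(&Secrets{Version: 1})         // A:v1
	st.AddMiddlewares(tracing("B", &trace)) // A:v1 B:v1
	st.Reload(&Secrets{Version: 2})         // A:v2 B:v2
	return trace
}

func main() {
	fmt.Println(Scenario()) // [A:v1 A:v1 B:v1 A:v2 B:v2]
}
```

The second AddMiddlewares call shows the documented re-run: A handles version 1 a second time, so a middleware must be idempotent for a given secrets version rather than assume each call means new data.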
func (*Store) Close
func (s *Store) Close()
Close closes the underlying filewatcher and releases the associated resources.
After Close is called you will no longer receive updates to the secret file, but you can still access the secrets as they were before Close was called.
It is OK to call Close multiple times; calls after the first one are no-ops.
func (Store) GetCredentialSecret
func (s Store) GetCredentialSecret(path string) (CredentialSecret, error)
GetCredentialSecret loads the secrets from the watcher and fetches a credential secret from them.
func (Store) GetSimpleSecret
func (s Store) GetSimpleSecret(path string) (SimpleSecret, error)
GetSimpleSecret loads the secrets from the watcher and fetches a simple secret from them.
func (Store) GetVault
func (s Store) GetVault() (Vault, error)
GetVault returns a struct with a URL and token to access Vault directly. The token will have policies attached based on the current EC2 server's Vault role. This is only necessary if talking directly to Vault.
This function always returns a nil error.
func (Store) GetVersionedSecret
func (s Store) GetVersionedSecret(path string) (VersionedSecret, error)
GetVersionedSecret loads the secrets from the watcher and fetches a versioned secret from them.
type TooManyFieldsError
TooManyFieldsError is a type of error that can be returned by Document.Validate.
Note that Document.Validate can also return a BatchError containing multiple TooManyFieldsError values.
func (TooManyFieldsError) Error
func (e TooManyFieldsError) Error() string
type Vault
Vault provides authentication credentials so that applications can connect directly to Vault for more complicated use cases.
type VersionedSecret
VersionedSecret represents secrets, such as signing keys, that can be rotated gracefully.
The current property contains the active version of a secret. This should be used for any actions that generate new cryptographic data (e.g. signing a token).
The previous and next fields contain old and not-yet-active versions of the secret respectively. These MAY be used by applications to give a grace period for cryptographic tokens generated during a rotation, but SHOULD NOT be used to generate new cryptographic tokens.
func (*VersionedSecret) GetAll
func (v *VersionedSecret) GetAll() []Secret
GetAll returns all versions that are not empty in the following order: current, previous, next.
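As an added example (not part of the package), here is GetAll with the documented ordering, together with HMAC-SHA256 signing and verification that follows the rule stated above: only Current is used to produce new tags, while any version returned by GetAll may verify a tag during the rotation grace period. Secret as a []byte alias and the Sign/Verify helpers are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Secret is decoded secret material (assumption: the real package uses a []byte alias).
type Secret []byte

// VersionedSecret holds the three rotation slots documented above.
type VersionedSecret struct {
	Current, Previous, Next Secret
}

// GetAll returns the non-empty versions in the documented order: current, previous, next.
func (v *VersionedSecret) GetAll() []Secret {
	var all []Secret
	for _, s := range []Secret{v.Current, v.Previous, v.Next} {
		if len(s) > 0 {
			all = append(all, s)
		}
	}
	return all
}

// Sign computes an HMAC-SHA256 tag with Current only: new cryptographic data
// must never be produced with the previous or next version.
func Sign(v VersionedSecret, msg []byte) []byte {
	m := hmac.New(sha256.New, v.Current)
	m.Write(msg)
	return m.Sum(nil)
}

// Verify accepts a tag made with any version in GetAll, which is what gives
// tokens issued just before a rotation their grace period. It returns the index
// of the matching version (0 = current, 1 = previous, ...) or -1 if none match.
func Verify(v VersionedSecret, msg, tag []byte) int {
	for i, key := range v.GetAll() {
		m := hmac.New(sha256.New, key)
		m.Write(msg)
		if hmac.Equal(m.Sum(nil), tag) { // constant-time comparison
			return i
		}
	}
	return -1
}

func main() {
	// Constructed keys for the demo; in practice they come from the secrets file.
	before := VersionedSecret{Current: Secret("key-v1")}
	during := VersionedSecret{Current: Secret("key-v2"), Previous: Secret("key-v1"), Next: Secret("key-v3")}
	after := VersionedSecret{Current: Secret("key-v2")}
	msg := []byte("session:alice")
	old := Sign(before, msg)
	fmt.Println("old token during rotation matches slot:", Verify(during, msg, old)) // 1 (previous)
	fmt.Println("old token once previous is dropped:", Verify(after, msg, old))       // -1
	fmt.Println("fresh token matches slot:", Verify(during, msg, Sign(during, msg))) // 0 (current)
}
```

The returned slot index is useful operationally: a verifier that keeps seeing matches on slot 1 after the rotation window has closed is a signal that some issuer is still signing with the old key, which is exactly the situation the "do not generate new tokens with previous or next" rule is meant to prevent.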