Documentation
Index
- type Credentials
- type SecretManager
- func (s *SecretManager) Authenticate(credentials Credentials) error
- func (s *SecretManager) Create(ctx context.Context, name string, key key.Key) error
- func (s *SecretManager) Delete(ctx context.Context, name string) error
- func (s *SecretManager) Get(ctx context.Context, name string) (key.Key, error)
- func (s *SecretManager) List(ctx context.Context) (key.Iterator, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Credentials

```go
type Credentials struct {
	// ClientID is the client ID of the GCP service account.
	ClientID string
	// Client is the client email of the GCP service account.
	Client string
	// KeyID is the private key ID of the GCP service account.
	KeyID string
	// Key is the encoded private key of the GCP service account.
	Key string
	// contains filtered or unexported fields
}
```
Credentials represent GCP service account credentials.
func (Credentials) MarshalJSON
func (c Credentials) MarshalJSON() ([]byte, error)
MarshalJSON returns a JSON representation of the GCP credentials.
The returned JSON contains extra fields to match the JSON credentials returned by GCP. Those additional fields are set to default values.
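As an added example (not the package's own implementation), one way such a MarshalJSON can emit the GCP key-file layout, filling the fields that Credentials does not carry with fixed defaults and rejecting a private key that is not a PEM block before it ever reaches the GCP SDK. The key-file field names, the default URIs and the PEM pre-check are assumptions made here, not taken from the package:

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
)
// Credentials mirrors the field set documented on this page.
type Credentials struct {
	ClientID string // client ID of the GCP service account
	Client   string // client e-mail of the GCP service account
	KeyID    string // private key ID of the GCP service account
	Key      string // PEM-encoded private key of the GCP service account
}
// keyFile is the GCP service account key-file layout (field names as assumed in this example).
type keyFile struct {
	Type          string `json:"type"`
	PrivateKeyID  string `json:"private_key_id"`
	PrivateKey    string `json:"private_key"`
	ClientEmail   string `json:"client_email"`
	ClientID      string `json:"client_id"`
	AuthURI       string `json:"auth_uri"`
	TokenURI      string `json:"token_uri"`
	AuthCertURL   string `json:"auth_provider_x509_cert_url"`
	ClientCertURL string `json:"client_x509_cert_url"`
}
// MarshalJSON emits the key-file layout, filling the fields Credentials does not carry with fixed defaults.
func (c Credentials) MarshalJSON() ([]byte, error) {
	// A key that is not a PEM block can never be loaded by GCP: fail here with a clear error.
	if block, _ := pem.Decode([]byte(c.Key)); block == nil {
		return nil, errors.New("gcp: private key is not PEM-encoded")
	}
	return json.Marshal(keyFile{
		Type: "service_account", PrivateKeyID: c.KeyID, PrivateKey: c.Key,
		ClientEmail: c.Client, ClientID: c.ClientID,
		AuthURI: "https://accounts.google.com/o/oauth2/auth", TokenURI: "https://oauth2.googleapis.com/token",
		AuthCertURL:   "https://www.googleapis.com/oauth2/v1/certs",
		ClientCertURL: "https://www.googleapis.com/robot/v1/metadata/x509/" + url.QueryEscape(c.Client),
	})
}

func main() {
	// Constructed, non-secret sample: a syntactically valid PEM block with a dummy body.
	c := Credentials{ClientID: "1234", Client: "kes@example.iam.gserviceaccount.com",
		KeyID: "abcd", Key: "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"}
	out, err := json.Marshal(c) // json.Marshal dispatches to MarshalJSON
	fmt.Println(string(out), err)
}
```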
type SecretManager

```go
type SecretManager struct {
	// Endpoint is the HTTP endpoint of the GCP SecretManager.
	// The endpoint for the GCP SecretManager is:
	//   secretmanager.googleapis.com:443
	Endpoint string
	// The project ID is a unique, user-assigned ID that can be used by Google APIs.
	// The project ID must be a unique string of 6 to 30 lowercase letters, digits, or hyphens.
	// It must start with a letter, and cannot have a trailing hyphen.
	ProjectID string
	// ErrorLog specifies an optional logger for errors
	// when files cannot be opened, deleted or contain
	// invalid content.
	// If nil, logging is done via the log package's
	// standard logger.
	ErrorLog *log.Logger
	// contains filtered or unexported fields
}
```
SecretManager is a secret store that uses a GCP SecretManager for storing secrets.
func (*SecretManager) Authenticate
func (s *SecretManager) Authenticate(credentials Credentials) error
Authenticate tries to authenticate against and connect to the GCP secret manager using the given credentials.
func (*SecretManager) Create
func (s *SecretManager) Create(ctx context.Context, name string, key key.Key) error
Create stores the given key-value pair at the GCP secret manager if and only if it does not exist yet. If such an entry already exists it returns kes.ErrKeyExists.
Creating a secret at the GCP SecretManager requires first creating the secret itself and then adding a secret version with some payload data. The payload data contains the actual value.
func (*SecretManager) Delete
func (s *SecretManager) Delete(ctx context.Context, name string) error
Delete removes the key-value pair from the GCP SecretManager.
Delete will remove all versions of the GCP secret. Even though CreateKey creates only one version and fails if the secret already exists, a user may create more secret versions through e.g. the GCP CLI. However, KES does not support multiple secret versions and expects a different mechanism for "key-rotation".