Documentation
¶
Index ¶
- type Credentials
- type KeyVault
- func (kv *KeyVault) AuthenticateWithCredentials(creds Credentials) error
- func (kv *KeyVault) AuthenticateWithIdentity(msi ManagedIdentity) error
- func (kv *KeyVault) Create(ctx context.Context, name string, key key.Key) error
- func (kv *KeyVault) Delete(ctx context.Context, name string) error
- func (kv *KeyVault) Get(ctx context.Context, name string) (key.Key, error)
- func (kv *KeyVault) List(ctx context.Context) (key.Iterator, error)
- func (kv *KeyVault) Status(ctx context.Context) (key.StoreState, error)
- type ManagedIdentity
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Credentials ¶
type Credentials struct {
TenantID string // The ID of the Azure tenant
ClientID string // The ID of the Azure client accessing KeyVault
Secret string // The secret value of the Azure client
}
Credentials are Azure client credentials to authenticate an application accessing Azure service.
type KeyVault ¶
type KeyVault struct {
Endpoint string // The Azure KeyVault Endpoint
// ErrorLog specifies an optional logger for errors
// when files cannot be opened, deleted or contain
// invalid content.
// If nil, logging is done via the log package's
// standard logger.
ErrorLog *log.Logger
// contains filtered or unexported fields
}
KeyVault is a secret store that uses Azure KeyVault for storing secrets.
func (*KeyVault) AuthenticateWithCredentials ¶ added in v0.17.3
func (kv *KeyVault) AuthenticateWithCredentials(creds Credentials) error
AuthenticateWithCredentials tries to establish a connection to a Azure KeyVault instance using Azure client credentials.
It retruns an error if no connection could be established - for instance because of invalid credentials.
func (*KeyVault) AuthenticateWithIdentity ¶ added in v0.17.3
func (kv *KeyVault) AuthenticateWithIdentity(msi ManagedIdentity) error
AuthenticateWithIdentity tries to establish a connection to a Azure KeyVault instance using an Azure managed identity.
It retruns an error if no connection could be established - for instance because of invalid credentials.
func (*KeyVault) Create ¶
Create creates the given key-value pair as KeyVault secret.
Since KeyVault does not support an atomic create resp. create-only-if-not-exists, Create cannot exclude data race situations when multiple clients try to create the same secret at the same time.
However, Create checks whether a secret with the given name exists, and if it does, returns kes.ErrKeyExists.
Further, a secret may not exist but may be in a soft delete state. In this case, Create tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background such that an incoming create fails with HTTP 409 Conflict. Therefore, Create tries to create the secret multiple times after purging but will eventually give up and fail. However, a subsequent create may succeed once KeyVault has purged the secret completely.
func (*KeyVault) Delete ¶
Delete deletes and purges the secret from KeyVault.
A full delete is a two-step process. So, Delete first tries to delete and then purge the (soft) deleted secret. However, KeyVault may return success even though it hasn't completed the (soft) deletion process. A subsequent purge operation may tmp. fail with HTTP 409 conflict.
Therefore, Delete retries to purge a deleted secret multiple times. However, it will not return an error when all attempts fail with HTTP 409 since KeyVault will eventually catch up and purge the secret. Further, a subsequent Create operation will also try to purge the secret.
Since KeyVault only supports two-steps deletes, KES cannot guarantee that a Delete operation has atomic semantics.
func (*KeyVault) Get ¶
Get returns the first resp. oldest version of the secret. It returns kes.ErrKeyNotFound if no such secret exists.
Since Get has to fetch and filter the secrets versions first before actually accessing the secret, Get may return inconsistent responses when the secret is modified concurrently.
type ManagedIdentity ¶ added in v0.17.3
type ManagedIdentity struct {
ClientID string // The Azure managed identity client ID
}
ManagedIdentity is an Azure managed identity.
It allows applications running inside Azure to authenticate to Azure services via a managed identity object containing the access credentials.
Source Files