Documentation ¶
Index ¶
- type Credentials
- type ManagedIdentity
- type Store
- func (s *Store) Close() error
- func (s *Store) Create(ctx context.Context, name string, value []byte) error
- func (s *Store) Delete(ctx context.Context, name string) error
- func (s *Store) Get(ctx context.Context, name string) ([]byte, error)
- func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error)
- func (s *Store) Set(ctx context.Context, name string, value []byte) error
- func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error)
- func (s *Store) String() string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Credentials ¶
type Credentials struct { TenantID string // The ID of the Azure tenant ClientID string // The ID of the Azure client accessing KeyVault Secret string // The secret value of the Azure client }
Credentials are Azure client credentials to authenticate an application accessing Azure service.
type ManagedIdentity ¶
type ManagedIdentity struct {
ClientID string // The Azure managed identity client ID
}
ManagedIdentity is an Azure managed identity.
It allows applications running inside Azure to authenticate to Azure services via a managed identity object containing the access credentials.
type Store ¶ added in v0.23.0
type Store struct {
// contains filtered or unexported fields
}
Store is an Azure KeyVault secret store.
func ConnectWithCredentials ¶
ConnectWithCredentials tries to establish a connection to a Azure KeyVault instance using Azure client credentials.
func ConnectWithIdentity ¶
ConnectWithIdentity tries to establish a connection to a Azure KeyVault instance using an Azure managed identity.
func (*Store) Create ¶ added in v0.23.0
Create creates the given key-value pair as KeyVault secret.
Since KeyVault does not support an atomic create resp. create-only-if-not-exists, Create cannot exclude data race situations when multiple clients try to create the same secret at the same time.
However, Create checks whether a secret with the given name exists, and if it does, returns kes.ErrKeyExists.
Further, a secret may not exist but may be in a soft delete state. In this case, Create tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background such that an incoming create fails with HTTP 409 Conflict. Therefore, Create tries to create the secret multiple times after purging but will eventually give up and fail. However, a subsequent create may succeed once KeyVault has purged the secret completely.
func (*Store) Delete ¶ added in v0.23.0
Delete deletes and purges the secret from KeyVault.
A full delete is a two-step process. So, Delete first tries to delete and then purge the (soft) deleted secret. However, KeyVault may return success even though it hasn't completed the (soft) deletion process. A subsequent purge operation may tmp. fail with HTTP 409 conflict.
Therefore, Delete retries to purge a deleted secret multiple times. However, it will not return an error when all attempts fail with HTTP 409 since KeyVault will eventually catch up and purge the secret. Further, a subsequent Create operation will also try to purge the secret.
Since KeyVault only supports two-steps deletes, KES cannot guarantee that a Delete operation has atomic semantics.
func (*Store) Get ¶ added in v0.23.0
Get returns the first resp. oldest version of the secret. It returns kes.ErrKeyNotFound if no such secret exists.
Since Get has to fetch and filter the secrets versions first before actually accessing the secret, Get may return inconsistent responses when the secret is modified concurrently.
func (*Store) List ¶ added in v0.23.0
List returns a new Iterator over the names of all stored keys. List returns the first n key names, that start with the given prefix, and the next prefix from which the listing should continue.
It returns all keys with the prefix if n < 0 and less than n names if n is greater than the number of keys with the prefix.
An empty prefix matches any key name. At the end of the listing or when there are no (more) keys starting with the prefix, the returned prefix is empty
func (*Store) Set ¶ added in v0.23.0
Set creates the given key-value pair as KeyVault secret.
Since KeyVault does not support an atomic create resp. create-only-if-not-exists, Set cannot exclude data race situations when multiple clients try to create the same secret at the same time.
However, Set checks whether a secret with the given name exists, and if it does, returns kes.ErrKeyExists.
Further, a secret may not exist but may be in a soft delete state. In this case, Set tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background such that an incoming create fails with HTTP 409 Conflict. Therefore, Set tries to create the secret multiple times after purging but will eventually give up and fail. However, a subsequent create may succeed once KeyVault has purged the secret completely.