azure

package v0.23.0
Published: Nov 10, 2023 License: AGPL-3.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Credentials

type Credentials struct {
	TenantID string // The ID of the Azure tenant
	ClientID string // The ID of the Azure client accessing KeyVault
	Secret   string // The secret value of the Azure client
}

Credentials are Azure client credentials used to authenticate an application that accesses an Azure service.

type ManagedIdentity

type ManagedIdentity struct {
	ClientID string // The Azure managed identity client ID
}

ManagedIdentity is an Azure managed identity.

It allows applications running inside Azure to authenticate to Azure services via a managed identity object containing the access credentials.

type Store added in v0.23.0

type Store struct {
	// contains filtered or unexported fields
}

Store is an Azure KeyVault secret store.

func ConnectWithCredentials

func ConnectWithCredentials(_ context.Context, endpoint string, creds Credentials) (*Store, error)

ConnectWithCredentials tries to establish a connection to an Azure KeyVault instance using Azure client credentials.

func ConnectWithIdentity

func ConnectWithIdentity(_ context.Context, endpoint string, msi ManagedIdentity) (*Store, error)

ConnectWithIdentity tries to establish a connection to an Azure KeyVault instance using an Azure managed identity.

func (*Store) Close added in v0.23.0

func (s *Store) Close() error

Close closes the Store.

func (*Store) Create added in v0.23.0

func (s *Store) Create(ctx context.Context, name string, value []byte) error

Create creates the given key-value pair as a KeyVault secret.

Since KeyVault does not support an atomic create, i.e. create-only-if-not-exists, Create cannot rule out a data race when multiple clients try to create the same secret at the same time.

However, Create checks whether a secret with the given name exists and, if it does, returns kes.ErrKeyExists.

Further, a secret may not exist but may be in a soft-deleted state. In this case, Create tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background, so an incoming create may fail with HTTP 409 Conflict. Therefore, Create tries to create the secret multiple times after purging, but eventually gives up and fails. A subsequent create may succeed once KeyVault has purged the secret completely.

func (*Store) Delete added in v0.23.0

func (s *Store) Delete(ctx context.Context, name string) error

Delete deletes and purges the secret from KeyVault.

A full delete is a two-step process, so Delete first deletes and then purges the (soft-)deleted secret. However, KeyVault may return success even though it has not completed the (soft) deletion yet, and a subsequent purge operation may temporarily fail with HTTP 409 Conflict.

Therefore, Delete retries the purge of a deleted secret multiple times. It does not return an error when all attempts fail with HTTP 409, since KeyVault will eventually catch up and purge the secret. Further, a subsequent Create operation will also try to purge the secret.

Since KeyVault only supports two-step deletes, KES cannot guarantee that a Delete operation has atomic semantics.
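The Create and Delete flows described above, modelled against a constructed in-memory stand-in for KeyVault. This is an added illustration, not the package's own code: the fakeVault type, the ErrKeyExists/ErrConflict stand-ins and the retry count maxAttempts are assumptions made for the example, and the counter in softDeleted simulates how long KeyVault's background purge keeps answering 409.

```go
package main

import "errors"
// Stand-ins for kes.ErrKeyExists and KeyVault's HTTP 409 (assumption: the real kes package is not imported).
var ErrKeyExists = errors.New("key already exists")
var ErrConflict = errors.New("HTTP 409 Conflict")
// fakeVault is a constructed stand-in for KeyVault; softDeleted[name] = purge calls still answering 409.
type fakeVault struct {
	secrets     map[string][]byte
	softDeleted map[string]int
}
func (v *fakeVault) purge(name string) error {
	if v.softDeleted[name] > 0 { // background purge has not finished yet
		v.softDeleted[name]--
		return ErrConflict
	}
	delete(v.softDeleted, name)
	return nil
}
const maxAttempts = 3 // assumption: the package's real retry count is not on the page
// retryPurge purges up to maxAttempts times and returns the last 409, if any.
func retryPurge(v *fakeVault, name string) (err error) {
	for i := 0; i < maxAttempts; i++ {
		if err = v.purge(name); err == nil {
			return nil
		}
	}
	return err
}
// createSecret mirrors the documented Create flow: reject a live secret, purge a
// soft-deleted leftover with retries, and give up if KeyVault keeps answering 409.
func createSecret(v *fakeVault, name string, value []byte) error {
	if _, ok := v.secrets[name]; ok {
		return ErrKeyExists
	}
	if err := retryPurge(v, name); err != nil {
		return err // a later Create may succeed once KeyVault has purged
	}
	v.secrets[name] = value
	return nil
}
// deleteSecret mirrors the documented Delete flow: soft-delete, then retry the purge; a lingering 409 is tolerated.
func deleteSecret(v *fakeVault, name string, pending int) error {
	delete(v.secrets, name)
	v.softDeleted[name] = pending
	if err := retryPurge(v, name); !errors.Is(err, ErrConflict) {
		return err // nil on success, or an unexpected error
	}
	return nil // KeyVault finishes the purge on its own
}
```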

func (*Store) Get added in v0.23.0

func (s *Store) Get(ctx context.Context, name string) ([]byte, error)

Get returns the first, i.e. oldest, version of the secret. It returns kes.ErrKeyNotFound if no such secret exists.

Since Get has to fetch and filter the secret's versions before actually accessing the secret, Get may return inconsistent responses when the secret is modified concurrently.

func (*Store) List added in v0.23.0

func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error)

List returns a new Iterator over the names of all stored keys. List returns the first n key names that start with the given prefix, and the next prefix from which the listing should continue.

It returns all keys with the prefix if n < 0, and fewer than n names if n is greater than the number of keys with the prefix.

An empty prefix matches any key name. At the end of the listing, or when there are no (more) keys starting with the prefix, the returned prefix is empty.

func (*Store) Set added in v0.23.0

func (s *Store) Set(ctx context.Context, name string, value []byte) error

Set creates the given key-value pair as a KeyVault secret.

Since KeyVault does not support an atomic create, i.e. create-only-if-not-exists, Set cannot rule out a data race when multiple clients try to create the same secret at the same time.

However, Set checks whether a secret with the given name exists and, if it does, returns kes.ErrKeyExists.

Further, a secret may not exist but may be in a soft-deleted state. In this case, Set tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background, so an incoming create may fail with HTTP 409 Conflict. Therefore, Set tries to create the secret multiple times after purging, but eventually gives up and fails. A subsequent create may succeed once KeyVault has purged the secret completely.

func (*Store) Status added in v0.23.0

func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error)

Status returns the current state of the Azure KeyVault instance, in particular whether it is reachable and the network latency.

func (*Store) String added in v0.23.0

func (s *Store) String() string
