store

Published: Dec 10, 2024 License: MIT Imports: 25 Imported by: 0

Documentation

Overview

Secrets Manager Store is maintained by Dan MacTough https://github.com/danmactough. Thanks Dan!

Index

Constants

const (
	// CustomSSMEndpointEnvVar is the name of the environment variable specifying a custom base SSM
	// endpoint. Because the override is taken from the process environment, anyone who can set
	// that environment can redirect Parameter Store traffic; treat it as part of the trust
	// boundary for secret material.
	// NOTE(review): presumably read when an SSMStore is constructed — confirm in NewSSMStore.
	CustomSSMEndpointEnvVar = "CHAMBER_AWS_SSM_ENDPOINT"

	// DefaultKeyID is the default alias for the KMS key used to encrypt/decrypt secrets.
	// SSMStore.KMSKey presumably reports the key actually in use — verify against its body.
	DefaultKeyID = "alias/parameter_store_key"

	// DefaultRetryMode is the default retry mode for AWS SDK configurations;
	// NewSSMStoreWithRetryMode lets a caller pick a different one explicitly.
	DefaultRetryMode = aws.RetryModeStandard
)
const (
	// ChamberService is the name of the service reserved for chamber's own use.
	// ReservedService reports whether a service name is reserved; presumably it
	// compares against this constant — confirm in its body.
	ChamberService = "_chamber"
)
const (
	// CustomSecretsManagerEndpointEnvVar is the name of the environment variable specifying a custom
	// base Secrets Manager endpoint. As with CustomSSMEndpointEnvVar, the override comes from the
	// process environment, so the environment is part of the trust boundary for secret traffic.
	// NOTE(review): presumably read by NewSecretsManagerStore — confirm.
	CustomSecretsManagerEndpointEnvVar = "CHAMBER_AWS_SECRETS_MANAGER_ENDPOINT"
)
const (
	// LatestStoreConfigVersion is the current schema version of StoreConfig.
	// NOTE(review): presumably the value written to StoreConfig.Version by SetConfig
	// and compared on Config — confirm against an implementation.
	LatestStoreConfigVersion = "1"
)
const (
	// MaximumVersions is an upper bound on the number of versions of a secret.
	// NOTE(review): which operation enforces it (History, Read, Write) is not
	// visible here — TODO confirm before relying on it.
	MaximumVersions = 100
)
const (
	// RegionEnvVar is the name of the environment variable that selects the AWS region
	// the stores talk to. Presumably it takes precedence over the SDK's own region
	// resolution — verify in the store constructors.
	RegionEnvVar = "CHAMBER_AWS_REGION"
)

Variables

var (
	// ErrSecretNotFound is returned if the specified secret is not found in the
	// parameter store. It is a sentinel: callers should compare with
	// errors.Is(err, ErrSecretNotFound) so wrapped errors still match.
	ErrSecretNotFound = errors.New("secret not found")
)

Functions

func ReservedService

func ReservedService(service string) bool

Types

type ChangeEvent

// ChangeEvent is one entry in a secret's history, as returned by Store.History.
type ChangeEvent struct {
	// Type says whether the event created the secret or updated it (Created / Updated).
	Type ChangeEventType
	// Time is when the event occurred.
	Time time.Time
	// User identifies who made the change; presumably the principal the backend
	// recorded — confirm against the implementation that populates it.
	User string
	// Version is the secret version produced by this event.
	Version int
}

type ChangeEventType

// ChangeEventType classifies a ChangeEvent; its String method renders it for display.
type ChangeEventType int

// The zero value is Created, so an unset Type reads as a creation event.
const (
	Created ChangeEventType = iota
	Updated
)

func (ChangeEventType) String

func (c ChangeEventType) String() string

type LatestIndexFile

// LatestIndexFile is the JSON shape of the single S3 object that holds the most recent
// value of every secret in a service, so ListRaw can be served with one GetObject.
// Because the index is maintained separately from the secrets themselves, it can be out
// of sync with them; ListRaw on S3KMSStore documents that it trusts the index alone.
type LatestIndexFile struct {
	// Latest maps a key to its newest value; presumably keyed by the secret key
	// (SecretId.Key) — confirm against the writer.
	Latest map[string]LatestValue `json:"latest"`
}

latest is used to keep a single object in S3 holding all of the most recent values for the given service's secrets. Keeping these in a single S3 object allows ListRaw (and thus chamber exec) to use a single S3 GetObject call.

type LatestValue

// LatestValue is one entry of LatestIndexFile: the newest version of a secret as
// stored in the index object. The JSON tags are the on-disk wire format of that
// object (note the mixed-case "KMSAlias" tag next to the lowercase ones) and must
// not be renamed without migrating existing index files.
type LatestValue struct {
	// Version is the secret version this value corresponds to.
	Version int `json:"version"`
	// Value is the stored value. Whether it is ciphertext or plaintext is not visible
	// here; the KMSAlias field suggests the S3KMS variant encrypts it — confirm.
	Value string `json:"value"`
	// KMSAlias is the KMS key alias associated with the value.
	KMSAlias string `json:"KMSAlias"`
}

type NullStore

// NullStore satisfies every method of the Store interface without any backing storage.
// NOTE(review): the name suggests a no-op store that discards writes and returns
// nothing on reads — confirm against the method bodies before using it as a test double.
type NullStore struct{}

func NewNullStore

func NewNullStore() *NullStore

func (*NullStore) Config

func (s *NullStore) Config(ctx context.Context) (StoreConfig, error)

func (*NullStore) Delete

func (s *NullStore) Delete(ctx context.Context, id SecretId) error

func (*NullStore) DeleteTags

func (s *NullStore) DeleteTags(ctx context.Context, id SecretId, tags []string) error

func (*NullStore) History

func (s *NullStore) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

func (*NullStore) List

func (s *NullStore) List(ctx context.Context, service string, includeValues bool) ([]Secret, error)

func (*NullStore) ListRaw

func (s *NullStore) ListRaw(ctx context.Context, service string) ([]RawSecret, error)

func (*NullStore) ListServices

func (s *NullStore) ListServices(ctx context.Context, service string, includeSecretNames bool) ([]string, error)

func (*NullStore) Read

func (s *NullStore) Read(ctx context.Context, id SecretId, version int) (Secret, error)

func (*NullStore) ReadTags

func (s *NullStore) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*NullStore) SetConfig

func (s *NullStore) SetConfig(ctx context.Context, config StoreConfig) error

func (*NullStore) Write

func (s *NullStore) Write(ctx context.Context, id SecretId, value string) error

func (*NullStore) WriteTags

func (s *NullStore) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*NullStore) WriteWithTags

func (s *NullStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type RawSecret

// RawSecret is a secret without any metadata, as returned by Store.ListRaw.
type RawSecret struct {
	// Value is the secret's value as a plain Go string. It is sensitive: keep its
	// lifetime short and never write it to logs or error messages.
	Value string
	// Key is the secret's key within its service.
	Key string
}

RawSecret is a secret without any metadata.

type S3KMSStore

// S3KMSStore is an S3Store that additionally takes a KMS key alias (see NewS3KMSStore).
// It overrides Delete, List, ListRaw, ListServices, Write and WriteWithTags; the
// remaining Store methods (Config, SetConfig, Read, ReadTags, WriteTags, History,
// DeleteTags) are inherited unchanged from the embedded S3Store.
type S3KMSStore struct {
	S3Store
	// contains filtered or unexported fields
}

func NewS3KMSStore

func NewS3KMSStore(ctx context.Context, numRetries int, bucket string, kmsKeyAlias string) (*S3KMSStore, error)

func (*S3KMSStore) Delete

func (s *S3KMSStore) Delete(ctx context.Context, id SecretId) error

func (*S3KMSStore) List

func (s *S3KMSStore) List(ctx context.Context, service string, includeValues bool) ([]Secret, error)

func (*S3KMSStore) ListRaw

func (s *S3KMSStore) ListRaw(ctx context.Context, service string) ([]RawSecret, error)

ListRaw returns RawSecrets by extracting them from the index file. It only ever uses the index file; it never consults the actual secrets, so if the index file is out of sync, these results will reflect that.

func (*S3KMSStore) ListServices

func (s *S3KMSStore) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

func (*S3KMSStore) Write

func (s *S3KMSStore) Write(ctx context.Context, id SecretId, value string) error

func (*S3KMSStore) WriteWithTags

func (s *S3KMSStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type S3Store

// S3Store implements the Store interface on top of a single S3 bucket; construct it
// with NewS3StoreWithBucket, which takes the bucket name and an SDK retry count.
type S3Store struct {
	// contains filtered or unexported fields
}

func NewS3StoreWithBucket

func NewS3StoreWithBucket(ctx context.Context, numRetries int, bucket string) (*S3Store, error)

func (*S3Store) Config

func (s *S3Store) Config(ctx context.Context) (StoreConfig, error)

func (*S3Store) Delete

func (s *S3Store) Delete(ctx context.Context, id SecretId) error

func (*S3Store) DeleteTags

func (s *S3Store) DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error

func (*S3Store) History

func (s *S3Store) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

func (*S3Store) List

func (s *S3Store) List(ctx context.Context, service string, includeValues bool) ([]Secret, error)

func (*S3Store) ListRaw

func (s *S3Store) ListRaw(ctx context.Context, service string) ([]RawSecret, error)

func (*S3Store) ListServices

func (s *S3Store) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

func (*S3Store) Read

func (s *S3Store) Read(ctx context.Context, id SecretId, version int) (Secret, error)

func (*S3Store) ReadTags

func (s *S3Store) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*S3Store) SetConfig

func (s *S3Store) SetConfig(ctx context.Context, config StoreConfig) error

func (*S3Store) Write

func (s *S3Store) Write(ctx context.Context, id SecretId, value string) error

func (*S3Store) WriteTags

func (s *S3Store) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*S3Store) WriteWithTags

func (s *S3Store) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type SSMStore

// SSMStore implements the Store interface for storing secrets in SSM Parameter Store.
// Construct it with NewSSMStore or NewSSMStoreWithRetryMode; the KMS key it uses is
// reported by KMSKey and defaults to DefaultKeyID.
type SSMStore struct {
	// contains filtered or unexported fields
}

SSMStore implements the Store interface for storing secrets in SSM Parameter Store

func NewSSMStore

func NewSSMStore(ctx context.Context, numRetries int) (*SSMStore, error)

NewSSMStore creates a new SSMStore

func NewSSMStoreWithMinThrottleDelay deprecated

func NewSSMStoreWithMinThrottleDelay(ctx context.Context, numRetries int, minThrottleDelay time.Duration) (*SSMStore, error)

NewSSMStoreWithMinThrottleDelay creates a new SSMStore with the AWS SDK maximum retries and minimum throttle delay configured.

Deprecated: The AWS SDK no longer supports specifying a minimum throttle delay. Instead, use NewSSMStoreWithRetryMode.

func NewSSMStoreWithRetryMode

func NewSSMStoreWithRetryMode(ctx context.Context, numRetries int, retryMode aws.RetryMode) (*SSMStore, error)

NewSSMStoreWithRetryMode creates a new SSMStore, configuring the underlying AWS SDK with the given maximum number of retries and retry mode.

func (*SSMStore) Config

func (s *SSMStore) Config(ctx context.Context) (StoreConfig, error)

func (*SSMStore) Delete

func (s *SSMStore) Delete(ctx context.Context, id SecretId) error

Delete removes a secret from the parameter store. Note this removes all versions of the secret.

func (*SSMStore) DeleteTags

func (s *SSMStore) DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error

func (*SSMStore) History

func (s *SSMStore) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

History returns a list of events that have occurred regarding the given secret.

func (*SSMStore) KMSKey

func (s *SSMStore) KMSKey() string

func (*SSMStore) List

func (s *SSMStore) List(ctx context.Context, serviceName string, includeValues bool) ([]Secret, error)

List lists all secrets for a given service. If includeValues is true, then those secrets are decrypted and returned, otherwise only the metadata about a secret is returned.

func (*SSMStore) ListRaw

func (s *SSMStore) ListRaw(ctx context.Context, serviceName string) ([]RawSecret, error)

ListRaw lists all secret keys and values for a given service. Does not include any other metadata. Uses faster AWS APIs with much higher rate limits. Suitable for use in production environments.

func (*SSMStore) ListServices

func (s *SSMStore) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

func (*SSMStore) Read

func (s *SSMStore) Read(ctx context.Context, id SecretId, version int) (Secret, error)

Read reads a secret from the parameter store at a specific version. To grab the latest version, use -1 as the version number.

func (*SSMStore) ReadTags

func (s *SSMStore) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*SSMStore) SetConfig

func (s *SSMStore) SetConfig(ctx context.Context, config StoreConfig) error

func (*SSMStore) Write

func (s *SSMStore) Write(ctx context.Context, id SecretId, value string) error

Write writes a given value to a secret identified by id. If the secret already exists, then write a new version.

func (*SSMStore) WriteTags

func (s *SSMStore) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*SSMStore) WriteWithTags

func (s *SSMStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type Secret

// Secret is a secret with metadata, as returned by Store.Read and Store.List.
type Secret struct {
	// Value is the decrypted value, or nil when it was not requested: List documents
	// that with includeValues false only metadata is returned, so callers must
	// nil-check before dereferencing. Treat a non-nil Value as sensitive.
	Value *string
	// Meta carries the version, creation time and author of the secret.
	Meta SecretMetadata
}

Secret is a secret with metadata.

type SecretId

// SecretId is the compound key for a secret: a service name plus a key within it.
type SecretId struct {
	// Service is the service the secret belongs to (ChamberService is reserved).
	Service string
	// Key is the secret's name within the service.
	Key string
}

SecretId is the compound key for a secret.

type SecretMetadata

// SecretMetadata is metadata about a secret; it carries no secret value itself.
type SecretMetadata struct {
	// Created is when this version of the secret was written.
	Created time.Time
	// CreatedBy identifies who wrote this version; presumably the principal the
	// backend recorded — confirm against the implementation that populates it.
	CreatedBy string
	// Version is the version number of the secret this metadata describes.
	Version int
	// Key is the secret's key within its service.
	Key string
}

SecretMetadata is metadata about a secret.

type SecretsManagerStore

// SecretsManagerStore implements the Store interface for storing secrets in AWS
// Secrets Manager. Construct it with NewSecretsManagerStore. Unlike the other
// stores, its ListServices is documented as not implemented.
type SecretsManagerStore struct {
	// contains filtered or unexported fields
}

SecretsManagerStore implements the Store interface for storing secrets in AWS Secrets Manager.

func NewSecretsManagerStore

func NewSecretsManagerStore(ctx context.Context, numRetries int) (*SecretsManagerStore, error)

NewSecretsManagerStore creates a new SecretsManagerStore

func (*SecretsManagerStore) Config

func (*SecretsManagerStore) Delete

func (s *SecretsManagerStore) Delete(ctx context.Context, id SecretId) error

Delete removes a secret. Note this removes all versions of the secret. (True?)

func (*SecretsManagerStore) DeleteTags

func (s *SecretsManagerStore) DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error

func (*SecretsManagerStore) History

func (s *SecretsManagerStore) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

History returns a list of events that have occurred regarding the given secret.

func (*SecretsManagerStore) List

func (s *SecretsManagerStore) List(ctx context.Context, serviceName string, includeValues bool) ([]Secret, error)

List lists all secrets for a given service. If includeValues is true, then those secrets are decrypted and returned, otherwise only the metadata about a secret is returned.

func (*SecretsManagerStore) ListRaw

func (s *SecretsManagerStore) ListRaw(ctx context.Context, serviceName string) ([]RawSecret, error)

ListRaw lists all secret keys and values for a given service. Does not include any other metadata. Suitable for use in production environments.

func (*SecretsManagerStore) ListServices

func (s *SecretsManagerStore) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

ListServices is not implemented.

func (*SecretsManagerStore) Read

func (s *SecretsManagerStore) Read(ctx context.Context, id SecretId, version int) (Secret, error)

Read reads a secret at a specific version. To grab the latest version, use -1 as the version number.

func (*SecretsManagerStore) ReadTags

func (s *SecretsManagerStore) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*SecretsManagerStore) SetConfig

func (s *SecretsManagerStore) SetConfig(ctx context.Context, config StoreConfig) error

func (*SecretsManagerStore) Write

func (s *SecretsManagerStore) Write(ctx context.Context, id SecretId, value string) error

Write writes a given value to a secret identified by id. If the secret already exists, then write a new version.

func (*SecretsManagerStore) WriteTags

func (s *SecretsManagerStore) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*SecretsManagerStore) WriteWithTags

func (s *SecretsManagerStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type Store

// Store is an interface for a secret store. SSMStore, SecretsManagerStore, S3Store,
// S3KMSStore and NullStore all implement it.
type Store interface {
	// Config returns the store-level StoreConfig.
	Config(ctx context.Context) (StoreConfig, error)
	// SetConfig replaces the store-level StoreConfig.
	SetConfig(ctx context.Context, config StoreConfig) error
	// Write stores value under id. The SSM and Secrets Manager implementations
	// document that an existing secret receives a new version rather than being
	// overwritten in place.
	Write(ctx context.Context, id SecretId, value string) error
	// WriteWithTags is Write plus a set of tags applied to the secret.
	WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error
	// Read returns the secret at the given version. The SSM and Secrets Manager
	// implementations document -1 as "latest"; presumably every implementation
	// follows that convention — verify before relying on it for another backend.
	Read(ctx context.Context, id SecretId, version int) (Secret, error)
	// WriteTags sets tags on a secret. With deleteOtherTags true, tags absent from
	// the map are presumably removed — confirm against an implementation.
	WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error
	// ReadTags returns the tags currently set on a secret.
	ReadTags(ctx context.Context, id SecretId) (map[string]string, error)
	// List returns every secret in a service. With includeValues false only
	// metadata is returned (Secret.Value is nil); with includeValues true the
	// values are decrypted and included, so the result is sensitive.
	List(ctx context.Context, service string, includeValues bool) ([]Secret, error)
	// ListRaw returns only keys and values, with no other metadata.
	ListRaw(ctx context.Context, service string) ([]RawSecret, error)
	// ListServices returns service names. What includeSecretName adds to each entry
	// is not visible here — confirm. SecretsManagerStore does not implement it.
	ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)
	// History returns the ChangeEvents recorded for a secret.
	History(ctx context.Context, id SecretId) ([]ChangeEvent, error)
	// Delete removes a secret; SSMStore documents this as removing all versions.
	Delete(ctx context.Context, id SecretId) error
	// DeleteTags removes the named tag keys from a secret.
	DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error
}

Store is an interface for a secret store.

type StoreConfig

// StoreConfig holds configuration information for a store, read and written through
// Store.Config and Store.SetConfig. Despite its public visibility its contents are
// subject to change at any time and are not part of chamber's public interface.
type StoreConfig struct {
	// Version is the schema version of this config; presumably expected to equal
	// LatestStoreConfigVersion — confirm against an implementation.
	Version string `json:"version"`
	// RequiredTags lists tag keys that writes must supply; omitted from JSON when empty.
	// NOTE(review): how and where the requirement is enforced is not visible here.
	RequiredTags []string `json:"requiredTags,omitempty"`
}

StoreConfig holds configuration information for a store. WARNING: Despite its public visibility, the contents of this struct are subject to change at any time, and are not part of the public interface for chamber.
