store

package
v3.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 19, 2024 License: MIT Imports: 25 Imported by: 0

Documentation

Overview

Secrets Manager Store is maintained by Dan MacTough https://github.com/danmactough. Thanks Dan!

Index

Constants

View Source 
const (
	// CustomSSMEndpointEnvVar is the name of the environment variable specifying a custom base SSM
	// endpoint.
	CustomSSMEndpointEnvVar = "CHAMBER_AWS_SSM_ENDPOINT"

	// DefaultKeyID is the default alias for the KMS key used to encrypt/decrypt secrets
	DefaultKeyID = "alias/parameter_store_key"

	// DefaultRetryMode is the default retry mode for AWS SDK configurations.
	DefaultRetryMode = aws.RetryModeStandard
)
View Source 
const (
	// ChamberService is the name of the service reserved for chamber's own use.
	ChamberService = "_chamber"
)
View Source 
const (
	// CustomSecretsManagerEndpointEnvVar is the name of the environment variable specifying a custom
	// base Secrets Manager endpoint.
	CustomSecretsManagerEndpointEnvVar = "CHAMBER_AWS_SECRETS_MANAGER_ENDPOINT"
)
View Source 
const (
	LatestStoreConfigVersion = "1"
)
View Source 
const (
	MaximumVersions = 100
)
View Source 
const (
	RegionEnvVar = "CHAMBER_AWS_REGION"
)

Variables

View Source 
var (
	// ErrSecretNotFound is returned if the specified secret is not found in the
	// parameter store
	ErrSecretNotFound = errors.New("secret not found")
)

Functions

func ReservedService 

func ReservedService(service string) bool

Types

type ChangeEvent 

type ChangeEvent struct {
	Type    ChangeEventType
	Time    time.Time
	User    string
	Version int
}

type ChangeEventType 

type ChangeEventType int
const (
	Created ChangeEventType = iota
	Updated
)

func (ChangeEventType) String 

func (c ChangeEventType) String() string

type LatestIndexFile 

type LatestIndexFile struct {
	Latest map[string]LatestValue `json:"latest"`
}

latest is used to keep a single object in s3 with all of the most recent values for the given service's secrets. Keeping this in a single s3 object allows us to use a single s3 GetObject for ListRaw (and thus chamber exec).

type LatestValue 

type LatestValue struct {
	Version  int    `json:"version"`
	Value    string `json:"value"`
	KMSAlias string `json:"KMSAlias"`
}

type NullStore 

type NullStore struct{}

func NewNullStore 

func NewNullStore() *NullStore

func (*NullStore) Config 

func (s *NullStore) Config(ctx context.Context) (StoreConfig, error)

func (*NullStore) Delete 

func (s *NullStore) Delete(ctx context.Context, id SecretId) error

func (*NullStore) DeleteTags 

func (s *NullStore) DeleteTags(ctx context.Context, id SecretId, tags []string) error

func (*NullStore) History 

func (s *NullStore) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

func (*NullStore) List 

func (s *NullStore) List(ctx context.Context, service string, includeValues bool) ([]Secret, error)

func (*NullStore) ListRaw 

func (s *NullStore) ListRaw(ctx context.Context, service string) ([]RawSecret, error)

func (*NullStore) ListServices 

func (s *NullStore) ListServices(ctx context.Context, service string, includeSecretNames bool) ([]string, error)

func (*NullStore) Read 

func (s *NullStore) Read(ctx context.Context, id SecretId, version int) (Secret, error)

func (*NullStore) ReadTags 

func (s *NullStore) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*NullStore) SetConfig 

func (s *NullStore) SetConfig(ctx context.Context, config StoreConfig) error

func (*NullStore) Write 

func (s *NullStore) Write(ctx context.Context, id SecretId, value string) error

func (*NullStore) WriteTags 

func (s *NullStore) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*NullStore) WriteWithTags 

func (s *NullStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type RawSecret 

type RawSecret struct {
	Value string
	Key   string
}

RawSecret is a secret without any metadata.

type S3KMSStore 

type S3KMSStore struct {
	S3Store
	// contains filtered or unexported fields
}

func NewS3KMSStore 

func NewS3KMSStore(ctx context.Context, numRetries int, bucket string, kmsKeyAlias string) (*S3KMSStore, error)

func (*S3KMSStore) Delete 

func (s *S3KMSStore) Delete(ctx context.Context, id SecretId) error

func (*S3KMSStore) List 

func (s *S3KMSStore) List(ctx context.Context, service string, includeValues bool) ([]Secret, error)

func (*S3KMSStore) ListRaw 

func (s *S3KMSStore) ListRaw(ctx context.Context, service string) ([]RawSecret, error)

ListRaw returns RawSecrets by extracting them from the index file. It only ever uses the index file; it never consults the actual secrets, so if the index file is out of sync, these results will reflect that.

func (*S3KMSStore) ListServices 

func (s *S3KMSStore) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

func (*S3KMSStore) Write 

func (s *S3KMSStore) Write(ctx context.Context, id SecretId, value string) error

func (*S3KMSStore) WriteWithTags 

func (s *S3KMSStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type S3Store 

type S3Store struct {
	// contains filtered or unexported fields
}

func NewS3StoreWithBucket 

func NewS3StoreWithBucket(ctx context.Context, numRetries int, bucket string) (*S3Store, error)

func (*S3Store) Config 

func (s *S3Store) Config(ctx context.Context) (StoreConfig, error)

func (*S3Store) Delete 

func (s *S3Store) Delete(ctx context.Context, id SecretId) error

func (*S3Store) DeleteTags 

func (s *S3Store) DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error

func (*S3Store) History 

func (s *S3Store) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

func (*S3Store) List 

func (s *S3Store) List(ctx context.Context, service string, includeValues bool) ([]Secret, error)

func (*S3Store) ListRaw 

func (s *S3Store) ListRaw(ctx context.Context, service string) ([]RawSecret, error)

func (*S3Store) ListServices 

func (s *S3Store) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

func (*S3Store) Read 

func (s *S3Store) Read(ctx context.Context, id SecretId, version int) (Secret, error)

func (*S3Store) ReadTags 

func (s *S3Store) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*S3Store) SetConfig 

func (s *S3Store) SetConfig(ctx context.Context, config StoreConfig) error

func (*S3Store) Write 

func (s *S3Store) Write(ctx context.Context, id SecretId, value string) error

func (*S3Store) WriteTags 

func (s *S3Store) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*S3Store) WriteWithTags 

func (s *S3Store) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type SSMStore 

type SSMStore struct {
	// contains filtered or unexported fields
}

SSMStore implements the Store interface for storing secrets in SSM Parameter Store

func NewSSMStore 

func NewSSMStore(ctx context.Context, numRetries int) (*SSMStore, error)

NewSSMStore creates a new SSMStore

func NewSSMStoreWithMinThrottleDelay deprecated 

func NewSSMStoreWithMinThrottleDelay(ctx context.Context, numRetries int, minThrottleDelay time.Duration) (*SSMStore, error)

NewSSMStoreWithMinThrottleDelay creates a new SSMStore with the aws sdk max retries and min throttle delay are configured.

Deprecated: The AWS SDK no longer supports specifying a minimum throttle delay. Instead, use NewSSMStoreWithRetryMode.

func NewSSMStoreWithRetryMode 

func NewSSMStoreWithRetryMode(ctx context.Context, numRetries int, retryMode aws.RetryMode) (*SSMStore, error)

NewSSMStoreWithRetryMode creates a new SSMStore, configuring the underlying AWS SDK with the given maximum number of retries and retry mode.

func (*SSMStore) Config 

func (s *SSMStore) Config(ctx context.Context) (StoreConfig, error)

func (*SSMStore) Delete 

func (s *SSMStore) Delete(ctx context.Context, id SecretId) error

Delete removes a secret from the parameter store. Note this removes all versions of the secret.

func (*SSMStore) DeleteTags 

func (s *SSMStore) DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error

func (*SSMStore) History 

func (s *SSMStore) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

History returns a list of events that have occurred regarding the given secret.

func (*SSMStore) KMSKey 

func (s *SSMStore) KMSKey() string

func (*SSMStore) List 

func (s *SSMStore) List(ctx context.Context, serviceName string, includeValues bool) ([]Secret, error)

List lists all secrets for a given service. If includeValues is true, then those secrets are decrypted and returned, otherwise only the metadata about a secret is returned.

func (*SSMStore) ListRaw 

func (s *SSMStore) ListRaw(ctx context.Context, serviceName string) ([]RawSecret, error)

ListRaw lists all secrets keys and values for a given service. Does not include any other meta-data. Uses faster AWS APIs with much higher rate-limits. Suitable for use in production environments.

func (*SSMStore) ListServices 

func (s *SSMStore) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

func (*SSMStore) Read 

func (s *SSMStore) Read(ctx context.Context, id SecretId, version int) (Secret, error)

Read reads a secret from the parameter store at a specific version. To grab the latest version, use -1 as the version number.

func (*SSMStore) ReadTags 

func (s *SSMStore) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*SSMStore) SetConfig 

func (s *SSMStore) SetConfig(ctx context.Context, config StoreConfig) error

func (*SSMStore) Write 

func (s *SSMStore) Write(ctx context.Context, id SecretId, value string) error

Write writes a given value to a secret identified by id. If the secret already exists, then write a new version.

func (*SSMStore) WriteTags 

func (s *SSMStore) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*SSMStore) WriteWithTags 

func (s *SSMStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type Secret 

type Secret struct {
	Value *string
	Meta  SecretMetadata
}

Secret is a secret with metadata.

type SecretId 

type SecretId struct {
	Service string
	Key     string
}

SecretId is the compound key for a secret.

type SecretMetadata 

type SecretMetadata struct {
	Created   time.Time
	CreatedBy string
	Version   int
	Key       string
}

SecretMetadata is metadata about a secret.

type SecretsManagerStore 

type SecretsManagerStore struct {
	// contains filtered or unexported fields
}

SecretsManagerStore implements the Store interface for storing secrets in SSM Parameter Store

func NewSecretsManagerStore 

func NewSecretsManagerStore(ctx context.Context, numRetries int) (*SecretsManagerStore, error)

NewSecretsManagerStore creates a new SecretsManagerStore

func (*SecretsManagerStore) Config 

func (s *SecretsManagerStore) Config(ctx context.Context) (StoreConfig, error)

func (*SecretsManagerStore) Delete 

func (s *SecretsManagerStore) Delete(ctx context.Context, id SecretId) error

Delete removes a secret. Note this removes all versions of the secret. (True?)

func (*SecretsManagerStore) DeleteTags 

func (s *SecretsManagerStore) DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error

func (*SecretsManagerStore) History 

func (s *SecretsManagerStore) History(ctx context.Context, id SecretId) ([]ChangeEvent, error)

History returns a list of events that have occurred regarding the given secret.

func (*SecretsManagerStore) List 

func (s *SecretsManagerStore) List(ctx context.Context, serviceName string, includeValues bool) ([]Secret, error)

List lists all secrets for a given service. If includeValues is true, then those secrets are decrypted and returned, otherwise only the metadata about a secret is returned.

func (*SecretsManagerStore) ListRaw 

func (s *SecretsManagerStore) ListRaw(ctx context.Context, serviceName string) ([]RawSecret, error)

ListRaw lists all secrets keys and values for a given service. Does not include any other metadata. Suitable for use in production environments.

func (*SecretsManagerStore) ListServices 

func (s *SecretsManagerStore) ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)

ListServices (not implemented)

func (*SecretsManagerStore) Read 

func (s *SecretsManagerStore) Read(ctx context.Context, id SecretId, version int) (Secret, error)

Read reads a secret at a specific version. To grab the latest version, use -1 as the version number.

func (*SecretsManagerStore) ReadTags 

func (s *SecretsManagerStore) ReadTags(ctx context.Context, id SecretId) (map[string]string, error)

func (*SecretsManagerStore) SetConfig 

func (s *SecretsManagerStore) SetConfig(ctx context.Context, config StoreConfig) error

func (*SecretsManagerStore) Write 

func (s *SecretsManagerStore) Write(ctx context.Context, id SecretId, value string) error

Write writes a given value to a secret identified by id. If the secret already exists, then write a new version.

func (*SecretsManagerStore) WriteTags 

func (s *SecretsManagerStore) WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error

func (*SecretsManagerStore) WriteWithTags 

func (s *SecretsManagerStore) WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error

type Store 

type Store interface {
	Config(ctx context.Context) (StoreConfig, error)
	SetConfig(ctx context.Context, config StoreConfig) error
	Write(ctx context.Context, id SecretId, value string) error
	WriteWithTags(ctx context.Context, id SecretId, value string, tags map[string]string) error
	Read(ctx context.Context, id SecretId, version int) (Secret, error)
	WriteTags(ctx context.Context, id SecretId, tags map[string]string, deleteOtherTags bool) error
	ReadTags(ctx context.Context, id SecretId) (map[string]string, error)
	List(ctx context.Context, service string, includeValues bool) ([]Secret, error)
	ListRaw(ctx context.Context, service string) ([]RawSecret, error)
	ListServices(ctx context.Context, service string, includeSecretName bool) ([]string, error)
	History(ctx context.Context, id SecretId) ([]ChangeEvent, error)
	Delete(ctx context.Context, id SecretId) error
	DeleteTags(ctx context.Context, id SecretId, tagKeys []string) error
}

Store is an interface for a secret store.

type StoreConfig 

type StoreConfig struct {
	Version      string   `json:"version"`
	RequiredTags []string `json:"requiredTags,omitempty"`
}

StoreConfig holds configuration information for a store. WARNING: Despite its public visibility, the contents of this struct are subject to change at any time, and are not part of the public interface for chamber.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.