Documentation ¶
Overview ¶
Package azurekeyvault provides a secrets implementation backed by Azure KeyVault. See https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis for more information. Use OpenKeeper to construct a *secrets.Keeper.
URLs ¶
For secrets.OpenKeeper, azurekeyvault registers for the scheme "azurekeyvault". The default URL opener will use Dial, which gets default credentials from the environment, unless the AZURE_KEYVAULT_AUTH_VIA_CLI environment variable is set to true, in which case it uses DialUsingCLIAuth to get credentials from the "az" command line.
To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.
As ¶
azurekeyvault exposes the following type for As:

- Error: autorest.DetailedError, see https://godoc.org/github.com/Azure/go-autorest/autorest#DetailedError
Example (OpenFromURL) ¶
package main

import (
	"context"
	"log"

	"gocloud.dev/secrets"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
	// PRAGMA: On gocloud.dev, add a blank import: _ "gocloud.dev/secrets/azurekeyvault"
	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
	ctx := context.Background()

	// The "azurekeyvault" URL scheme is replaced with "https" to construct an Azure
	// Key Vault keyID, as described in https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates.
	// You can add an optional "/{key-version}" to the path to use a specific
	// version of the key; it defaults to the latest version.
	keeper, err := secrets.OpenKeeper(ctx, "azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname")
	if err != nil {
		log.Fatal(err)
	}
	defer keeper.Close()
}
Constants ¶
const Scheme = "azurekeyvault"
Scheme is the URL scheme azurekeyvault registers its URLOpener under on secrets.DefaultMux.
Variables ¶
Set holds Wire providers for this package.
Functions ¶
func Dial ¶
func Dial() (*keyvault.BaseClient, error)
Dial gets a new *keyvault.BaseClient using authorization from the environment. See https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication.
func DialUsingCLIAuth ¶
func DialUsingCLIAuth() (*keyvault.BaseClient, error)
DialUsingCLIAuth gets a new *keyvault.BaseClient using authorization from the "az" CLI.
func OpenKeeper ¶
func OpenKeeper(client *keyvault.BaseClient, keyID string, opts *KeeperOptions) (*secrets.Keeper, error)
OpenKeeper returns a *secrets.Keeper that uses Azure Key Vault.
client is a *keyvault.BaseClient instance, see https://godoc.org/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#BaseClient.
keyID is an Azure Key Vault key identifier like "https://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}". The "/{key-version}" suffix is optional; it defaults to the latest version. See https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates for more details.
Example ¶
package main

import (
	"log"

	"gocloud.dev/secrets/azurekeyvault"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
	// Get a client to use with the Azure KeyVault API, using default
	// authorization from the environment.
	//
	// You can alternatively use DialUsingCLIAuth to use auth from the
	// "az" CLI.
	client, err := azurekeyvault.Dial()
	if err != nil {
		log.Fatal(err)
	}

	// Construct a *secrets.Keeper.
	keeper, err := azurekeyvault.OpenKeeper(client, "https://mykeyvaultname.vault.azure.net/keys/mykeyname", nil)
	if err != nil {
		log.Fatal(err)
	}
	defer keeper.Close()
}
Types ¶
type KeeperOptions ¶
type KeeperOptions struct {
	// Algorithm sets the encryption algorithm used.
	// Defaults to "RSA-OAEP-256".
	// See https://docs.microsoft.com/en-us/rest/api/keyvault/encrypt/encrypt#jsonwebkeyencryptionalgorithm
	// for more details.
	Algorithm keyvault.JSONWebKeyEncryptionAlgorithm
}
KeeperOptions provides configuration options for encryption/decryption operations.
type URLOpener ¶
type URLOpener struct {
	// Client must be set to a non-nil value.
	Client *keyvault.BaseClient

	// Options specifies the options to pass to OpenKeeper.
	Options KeeperOptions
}
URLOpener opens Azure KeyVault URLs like "azurekeyvault://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}?algorithm=RSA-OAEP-256".
The "azurekeyvault" URL scheme is replaced with "https" to construct an Azure Key Vault keyID, as described in https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates. The "/{key-version}" suffix is optional; it defaults to the latest version.
The "algorithm" query parameter sets the algorithm to use; see https://docs.microsoft.com/en-us/rest/api/keyvault/encrypt/encrypt#jsonwebkeyencryptionalgorithm for supported algorithms. It defaults to "RSA-OAEP-256".
No other query parameters are supported.
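The URL rules described for the default opener and for URLOpener (scheme swapped to "https", optional "/{key-version}", "algorithm" as the only query parameter with its "RSA-OAEP-256" default) as an added, stand-alone example. This is illustration code written for this page, not the azurekeyvault package's own URLOpener implementation; ParseKeeperURL, KeyRef and the sample URLs are constructed for the example, and it uses only the standard library, so it never contacts Key Vault. It rejects unknown query parameters rather than ignoring them, so a misspelled "algorithm" cannot silently fall back to the default, and it enforces the {keyvault-name}.vault.azure.net host shape so a keyID cannot be pointed at an unrelated host.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// defaultAlgorithm is the documented default when no "algorithm" query
// parameter is given.
const defaultAlgorithm = "RSA-OAEP-256"

// KeyRef holds what an "azurekeyvault://" URL resolves to: the https keyID
// that OpenKeeper takes, and the algorithm that would go into KeeperOptions.
// (Hypothetical type for this example.)
type KeyRef struct {
	KeyID     string // https://{keyvault-name}.vault.azure.net/keys/{key-name}[/{key-version}]
	Algorithm string
}

// ParseKeeperURL is a hypothetical stand-alone re-implementation of the URL
// rules documented for URLOpener; it is not the package's own parsing code.
// Rules applied: the scheme must be "azurekeyvault" and becomes "https"; the
// host must be {keyvault-name}.vault.azure.net; the path must be
// /keys/{key-name} with an optional /{key-version}; "algorithm" is the only
// query parameter accepted and defaults to "RSA-OAEP-256".
func ParseKeeperURL(raw string) (KeyRef, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return KeyRef{}, err
	}
	if u.Scheme != "azurekeyvault" {
		return KeyRef{}, fmt.Errorf("scheme %q is not \"azurekeyvault\"", u.Scheme)
	}
	// Only accept hosts of the form {keyvault-name}.vault.azure.net.
	vault := strings.TrimSuffix(u.Host, ".vault.azure.net")
	if vault == "" || vault == u.Host || strings.ContainsAny(vault, "./") {
		return KeyRef{}, fmt.Errorf("host %q is not of the form {keyvault-name}.vault.azure.net", u.Host)
	}
	// Path is /keys/{key-name} or /keys/{key-name}/{key-version}.
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "keys" || parts[1] == "" ||
		(len(parts) == 3 && parts[2] == "") {
		return KeyRef{}, fmt.Errorf("path %q must be /keys/{key-name}[/{key-version}]", u.Path)
	}
	// Reject unknown query parameters instead of ignoring them, so a typo
	// in "algorithm" cannot silently select the default.
	q := u.Query()
	for k := range q {
		if k != "algorithm" {
			return KeyRef{}, fmt.Errorf("unsupported query parameter %q", k)
		}
	}
	alg := q.Get("algorithm")
	if alg == "" {
		alg = defaultAlgorithm
	}
	// Rebuild the keyID with the https scheme and without the query string.
	keyID := (&url.URL{Scheme: "https", Host: u.Host, Path: "/" + strings.Join(parts, "/")}).String()
	return KeyRef{KeyID: keyID, Algorithm: alg}, nil
}

func main() {
	// Constructed sample URLs: the two documented shapes plus one with an
	// unsupported query parameter.
	for _, raw := range []string{
		"azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname",
		"azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname/abc123?algorithm=RSA-OAEP-256",
		"azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname?region=eastus",
	} {
		ref, err := ParseKeeperURL(raw)
		if err != nil {
			fmt.Printf("%s -> error: %v\n", raw, err)
			continue
		}
		fmt.Printf("%s -> keyID=%s algorithm=%s\n", raw, ref.KeyID, ref.Algorithm)
	}
}
```

The algorithm value is passed through without validation here; the Key Vault documentation linked above lists the values the service accepts, and the service rejects any other.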