Documentation
¶
Overview ¶
Package vault provides a secrets implementation using the Transit Secrets Engine of Vault by Hashicorp. Use OpenKeeper to construct a *secrets.Keeper.
URLs ¶
For secrets.OpenKeeper, vault registers for the scheme "vault". The default URL opener will dial a Vault server using the environment variables "VAULT_SERVER_URL" and "VAULT_SERVER_TOKEN". To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.
As ¶
vault does not support any types for As.
Example (OpenFromURL) ¶
package main
import (
"context"
"log"
"gocloud.dev/secrets"
)
func main() {
ctx := context.Background()
// secrets.OpenKeeper creates a *secrets.Keeper from a URL.
// The default opener dials a default Vault server based on the environment
// variables VAULT_SERVER_URL and VAULT_SERVER_TOKEN.
keeper, err := secrets.OpenKeeper(ctx, "vault://mykey")
if err != nil {
log.Fatal(err)
}
defer keeper.Close()
}
Output:
Index ¶
Examples ¶
Constants ¶
const Scheme = "vault"
Scheme is the URL scheme vault registers its URLOpener under on secrets.DefaultMux.
Variables ¶
This section is empty.
Functions ¶
func OpenKeeper ¶
OpenKeeper returns a *secrets.Keeper that uses the Transit Secrets Engine of Vault by Hashicorp. See the package documentation for an example.
Example ¶
package main
import (
"context"
"log"
"github.com/hashicorp/vault/api"
"gocloud.dev/secrets/vault"
)
func main() {
// Get a client to use with the Vault API.
ctx := context.Background()
client, err := vault.Dial(ctx, &vault.Config{
Token: "<Client (Root) Token>",
APIConfig: api.Config{
Address: "http://127.0.0.1:8200",
},
})
if err != nil {
log.Fatal(err)
}
// Construct a *secrets.Keeper.
keeper := vault.OpenKeeper(client, "my-key", nil)
defer keeper.Close()
// Now we can use keeper to encrypt or decrypt.
plaintext := []byte("Hello, Secrets!")
ciphertext, err := keeper.Encrypt(ctx, plaintext)
if err != nil {
log.Fatal(err)
}
decrypted, err := keeper.Decrypt(ctx, ciphertext)
if err != nil {
log.Fatal(err)
}
_ = decrypted
}
Output:
Types ¶
type Config ¶
type Config struct {
// Token is the access token the Vault client uses to talk to the server.
// See https://www.vaultproject.io/docs/concepts/tokens.html for more
// information.
Token string
// APIConfig is used to configure the creation of the client.
APIConfig api.Config
}
Config is the authentication configurations of the Vault server.
type KeeperOptions ¶
type KeeperOptions struct{}
KeeperOptions controls Keeper behaviors. It is provided for future extensibility.
type URLOpener ¶
type URLOpener struct {
// Client must be non-nil.
Client *api.Client
// Options specifies the options to pass to OpenKeeper.
Options KeeperOptions
}
URLOpener opens Vault URLs like "vault://mykey".
The URL Host + Path are used as the keyID.
No query parameters are supported.
Source Files