azurekeyvault

package gocloud.dev/secrets/azurekeyvault, version v0.35.0 (not the latest version of its module).
Published: Dec 8, 2023. License: Apache-2.0. Imports: 16. Imported by: 17.

Overview

Package azurekeyvault provides a secrets implementation backed by Azure KeyVault. See https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis for more information. Use OpenKeeper to construct a *secrets.Keeper.

URLs

For secrets.OpenKeeper, azurekeyvault registers for the scheme "azurekeyvault". The default URL opener will use azidentity.DefaultAzureCredential to get credentials.

To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.

As

azurekeyvault exposes the following type for As:

- Error: *azcore.ResponseError

Example (OpenFromURL)
package main

import (
	"context"
	"log"

	"gocloud.dev/secrets"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
	// PRAGMA: On gocloud.dev, add a blank import: _ "gocloud.dev/secrets/azurekeyvault"
	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
	ctx := context.Background()

	// The "azurekeyvault" URL scheme is replaced with "https" to construct an Azure
	// Key Vault keyID, as described in https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates.
	// You can add an optional "/{key-version}" to the path to use a specific
	// version of the key; it defaults to the latest version.
	keeper, err := secrets.OpenKeeper(ctx, "azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname")
	if err != nil {
		log.Fatal(err)
	}
	defer keeper.Close()
}

Constants

const Scheme = "azurekeyvault"

Scheme is the URL scheme azurekeyvault registers its URLOpener under on secrets.DefaultMux.

Variables

Set holds Wire providers for this package.

Functions

func DefaultClientMaker added in v0.28.0

func DefaultClientMaker(keyVaultURI string) (*azkeys.Client, error)

DefaultClientMaker is the default ClientMakerT: it constructs an azkeys.Client for the given Key Vault URI. By default it uses credentials from the environment; see https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication. If the environment variable AZURE_KEYVAULT_AUTH_VIA_CLI is set to a truthy value, it uses credentials from the Azure CLI instead.

func OpenKeeper added in v0.13.0

func OpenKeeper(clientMaker ClientMakerT, keyID string, opts *KeeperOptions) (*secrets.Keeper, error)

OpenKeeper returns a *secrets.Keeper that uses Azure Key Vault.

clientMaker is used to construct an azkeys.Client.

keyID is an Azure Key Vault key identifier like "https://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}". The "/{key-version}" suffix is optional; it defaults to the latest version. See https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates for more details.

Example
package main

import (
	"log"

	"gocloud.dev/secrets/azurekeyvault"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.

	// Makes a client to use with the Azure KeyVault API, using default
	// authorization from the environment.
	clientMaker := azurekeyvault.DefaultClientMaker

	// Construct a *secrets.Keeper.
	keeper, err := azurekeyvault.OpenKeeper(clientMaker, "https://mykeyvaultname.vault.azure.net/keys/mykeyname", nil)
	if err != nil {
		log.Fatal(err)
	}
	defer keeper.Close()
}

Types

type ClientMakerT added in v0.28.0

type ClientMakerT func(keyVaultURI string) (*azkeys.Client, error)

ClientMakerT is the type of a function used to generate a Client.

type KeeperOptions

type KeeperOptions struct {
	// Algorithm sets the encryption algorithm used.
	// Defaults to "RSA-OAEP-256".
	// See https://docs.microsoft.com/en-us/rest/api/keyvault/encrypt/encrypt#jsonwebkeyencryptionalgorithm
	// for more details.
	Algorithm azkeys.JSONWebKeyEncryptionAlgorithm

	// EncryptOptions are passed through to Encrypt.
	EncryptOptions *azkeys.EncryptOptions

	// DecryptOptions are passed through to Decrypt.
	DecryptOptions *azkeys.DecryptOptions
}

KeeperOptions provides configuration options for encryption/decryption operations.

type URLOpener

type URLOpener struct {
	// ClientMaker defaults to DefaultClientMaker.
	ClientMaker ClientMakerT

	// Options specifies the options to pass to OpenKeeper.
	Options KeeperOptions
}

URLOpener opens Azure KeyVault URLs like "azurekeyvault://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}?algorithm=RSA-OAEP-256".

The "azurekeyvault" URL scheme is replaced with "https" to construct an Azure Key Vault keyID, as described in https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates. The "/{key-version}" suffix is optional; it defaults to the latest version.

The "algorithm" query parameter sets the algorithm to use; see https://docs.microsoft.com/en-us/rest/api/keyvault/encrypt/encrypt#jsonwebkeyencryptionalgorithm for supported algorithms. It defaults to "RSA-OAEP-256".

No other query parameters are supported.
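The URL rules above are the kind of thing that gets misconfigured quietly (a secrets/ path where a keys/ path was meant, a misspelled query parameter, a weak algorithm copied from an old snippet). The following is an added example, not code from gocloud.dev or the azurekeyvault package: it resolves an "azurekeyvault://" URL into the https keyID and algorithm by the rules documented for URLOpener, and then runs two review checks on the result. The KeeperSpec type, ParseAzureKeyVaultURL, Lint, the sample URLs and the 32-hex-character version string are all constructed for this example; the policy checks (flagging RSA1_5 and an unpinned key version) are the example's own and are not performed by the package.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// KeeperSpec is what the URL rules documented for URLOpener resolve an
// "azurekeyvault://" URL into. It is defined for this example only; the
// package exports no such type.
type KeeperSpec struct {
	KeyVaultURI string // "https://{keyvault-name}.vault.azure.net", what a ClientMakerT receives
	KeyID       string // "https://{keyvault-name}.vault.azure.net/keys/{key-name}[/{key-version}]"
	KeyName     string
	KeyVersion  string // empty means "latest"
	Algorithm   string // defaults to DefaultAlgorithm
}

// DefaultAlgorithm is the default documented for KeeperOptions.Algorithm.
const DefaultAlgorithm = "RSA-OAEP-256"

// ParseAzureKeyVaultURL applies the documented rules: the scheme must be
// "azurekeyvault" and is swapped for "https" to form the keyID; the path is
// /keys/{key-name} with an optional /{key-version}; "algorithm" is the only
// query parameter and defaults to RSA-OAEP-256. Any other query parameter is
// an error rather than being ignored, so a typo cannot silently fall back to
// a default.
func ParseAzureKeyVaultURL(raw string) (*KeeperSpec, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "azurekeyvault" {
		return nil, fmt.Errorf("scheme %q: want \"azurekeyvault\"", u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("missing key vault host")
	}
	// Only /keys/... names a key; /secrets/ or /certificates/ are other Key
	// Vault object types and must not be accepted as a key identifier.
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "keys" || parts[1] == "" {
		return nil, fmt.Errorf("path %q: want /keys/{key-name}[/{key-version}]", u.Path)
	}
	spec := &KeeperSpec{KeyVaultURI: "https://" + u.Host, KeyName: parts[1], Algorithm: DefaultAlgorithm}
	if len(parts) == 3 {
		spec.KeyVersion = parts[2]
	}
	q := u.Query()
	for k := range q {
		if k != "algorithm" {
			return nil, fmt.Errorf("unsupported query parameter %q", k)
		}
	}
	if alg := q.Get("algorithm"); alg != "" {
		spec.Algorithm = alg
	}
	// The keyID is the URL with the scheme swapped and the query dropped.
	spec.KeyID = spec.KeyVaultURI + "/keys/" + spec.KeyName
	if spec.KeyVersion != "" {
		spec.KeyID += "/" + spec.KeyVersion
	}
	return spec, nil
}

// Lint returns the findings a reviewer would raise on a resolved spec. These
// are this example's policy checks; the package performs neither of them.
func Lint(spec *KeeperSpec) []string {
	var findings []string
	if spec.Algorithm == "RSA1_5" {
		findings = append(findings, "RSA1_5 is PKCS#1 v1.5 padding, the scheme targeted by Bleichenbacher-style padding-oracle attacks; use RSA-OAEP-256")
	}
	if spec.KeyVersion == "" {
		findings = append(findings, "key version not pinned: the keeper follows the latest version, so ciphertext produced under a previous version no longer decrypts through it after a rotation")
	}
	return findings
}

func main() {
	// Constructed sample URLs; the version string is a made-up placeholder.
	for _, raw := range []string{
		"azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname",
		"azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname/0123456789abcdef0123456789abcdef?algorithm=RSA1_5",
		"azurekeyvault://mykeyvaultname.vault.azure.net/secrets/mysecret",
		"azurekeyvault://mykeyvaultname.vault.azure.net/keys/mykeyname?version=1",
	} {
		spec, err := ParseAzureKeyVaultURL(raw)
		if err != nil {
			fmt.Printf("%s\n  rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%s\n  keyID=%s algorithm=%s\n", raw, spec.KeyID, spec.Algorithm)
		for _, f := range Lint(spec) {
			fmt.Printf("  warning: %s\n", f)
		}
	}
}
```

The unpinned-version finding is the one most often missed: the Keeper encrypts and decrypts with whatever version the keyID names, so leaving the version off ties the Keeper to "whatever is current", and a key rotation makes older ciphertext undecryptable through it. Pin "/{key-version}" when the Keeper must keep reading data it wrote earlier, and rotate by constructing a new Keeper for the new version.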

func (*URLOpener) OpenKeeperURL

func (o *URLOpener) OpenKeeperURL(ctx context.Context, u *url.URL) (*secrets.Keeper, error)

OpenKeeperURL opens an Azure KeyVault Keeper based on u.
