secrets

package
v0.1.1
Published: Feb 22, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

const SecretPrefix = "secret://"

SecretPrefix is the URI scheme used in config values to reference secrets.

Variables

var (
	ErrNotFound     = errors.New("secrets: secret not found")
	ErrUnsupported  = errors.New("secrets: operation not supported")
	ErrInvalidKey   = errors.New("secrets: invalid key")
	ErrProviderInit = errors.New("secrets: provider initialization failed")
)

Common errors.

Functions

This section is empty.

Types

type AWSConfig

type AWSConfig struct {
	Region          string `json:"region" yaml:"region"`
	AccessKeyID     string `json:"accessKeyId,omitempty" yaml:"accessKeyId,omitempty"`
	SecretAccessKey string `json:"secretAccessKey,omitempty" yaml:"secretAccessKey,omitempty"`
}

AWSConfig holds configuration for AWS Secrets Manager. Note that SecretAccessKey carries json and yaml tags like the other fields, so a marshalled AWSConfig (for example one dumped into a log line or a debug endpoint) contains the secret key; treat serialized copies of this struct as secret material.

type AWSSecretsManagerProvider

type AWSSecretsManagerProvider struct {
	// contains filtered or unexported fields
}

AWSSecretsManagerProvider reads secrets from AWS Secrets Manager using the HTTP API with AWS Signature V4 signing. No external AWS SDK is required.

func NewAWSSecretsManagerProvider

func NewAWSSecretsManagerProvider(cfg AWSConfig) (*AWSSecretsManagerProvider, error)

NewAWSSecretsManagerProvider creates a new AWS Secrets Manager provider. If AccessKeyID/SecretAccessKey are empty, it falls back to the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Only static credentials are documented here: AWSConfig has no session-token field, so temporary credentials obtained from an assumed role are not covered by this constructor.
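Because the provider signs Secrets Manager calls itself instead of going through the SDK, it is worth seeing what a Signature V4 signature actually binds. The block below is an added example written for this page, not the package's implementation (the package may choose a different header set); it derives the per-day signing key, builds the canonical request for a GetSecretValue call and emits the Authorization header. The credentials and the signing time are constructed inputs; the secret access key never appears on the wire, only HMACs under a key derived from it.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
	"strings"
	"time"
)

// Credentials are static AWS keys. The values used in main are placeholders
// for the example, not real credentials.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
}

func hmacSHA256(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signingKey derives the per-day, per-region, per-service key. The secret
// access key itself is never transmitted; only MACs under this derived key are.
func signingKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), []byte(date))
	k = hmacSHA256(k, []byte(region))
	k = hmacSHA256(k, []byte(service))
	return hmacSHA256(k, []byte("aws4_request"))
}

// SignGetSecretValue builds a Secrets Manager GetSecretValue request and signs
// it with SigV4. It also returns the canonical request so the signed material
// can be inspected; the time is a parameter so signatures are reproducible.
func SignGetSecretValue(creds Credentials, region, secretID string, now time.Time) (*http.Request, string, error) {
	const service = "secretsmanager"
	host := service + "." + region + ".amazonaws.com"
	body, err := json.Marshal(map[string]string{"SecretId": secretID})
	if err != nil {
		return nil, "", err
	}
	amzDate := now.UTC().Format("20060102T150405Z")
	date := amzDate[:8]

	req, err := http.NewRequest(http.MethodPost, "https://"+host+"/", bytes.NewReader(body))
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Content-Type", "application/x-amz-json-1.1")
	req.Header.Set("X-Amz-Target", service+".GetSecretValue")
	req.Header.Set("X-Amz-Date", amzDate)

	// Canonical headers: lowercase names, trimmed values, sorted by name.
	// Go keeps Host on req.Host rather than in req.Header.
	hdrs := map[string]string{"host": req.Host}
	for name, vals := range req.Header {
		hdrs[strings.ToLower(name)] = strings.TrimSpace(vals[0])
	}
	names := make([]string, 0, len(hdrs))
	for n := range hdrs {
		names = append(names, n)
	}
	sort.Strings(names)
	var canonHeaders strings.Builder
	for _, n := range names {
		canonHeaders.WriteString(n + ":" + hdrs[n] + "\n")
	}
	signedHeaders := strings.Join(names, ";")

	// The payload hash binds the body: changing SecretId invalidates the signature.
	canonicalRequest := strings.Join([]string{
		http.MethodPost, "/", "", canonHeaders.String(), signedHeaders, sha256Hex(body),
	}, "\n")
	scope := date + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{
		"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonicalRequest)),
	}, "\n")
	sig := hex.EncodeToString(hmacSHA256(signingKey(creds.SecretAccessKey, date, region, service), []byte(stringToSign)))
	req.Header.Set("Authorization", fmt.Sprintf(
		"AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		creds.AccessKeyID, scope, signedHeaders, sig))
	return req, canonicalRequest, nil
}

func main() {
	// Placeholder credentials for the example only.
	creds := Credentials{AccessKeyID: "AKIDEXAMPLE", SecretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
	req, _, err := SignGetSecretValue(creds, "us-east-1", "prod/db", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Header.Get("Authorization"))
}
```

The scope (date, region, service) and the payload hash are both inside the signed string, so a captured Authorization header cannot be replayed against another region or reused to fetch a different secret, and it expires with the date. Whatever header set the package itself signs, a review of its SigV4 code should confirm those three bindings.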

func NewAWSSecretsManagerProviderWithClient

func NewAWSSecretsManagerProviderWithClient(cfg AWSConfig, client HTTPClient) *AWSSecretsManagerProvider

NewAWSSecretsManagerProviderWithClient creates an AWS provider with a custom HTTP client (for testing).

func (*AWSSecretsManagerProvider) Config

Config returns the provider's AWS configuration.

func (*AWSSecretsManagerProvider) Delete

func (p *AWSSecretsManagerProvider) Delete(ctx context.Context, key string) error

func (*AWSSecretsManagerProvider) Get

func (p *AWSSecretsManagerProvider) Get(ctx context.Context, key string) (string, error)

func (*AWSSecretsManagerProvider) List

func (p *AWSSecretsManagerProvider) List(ctx context.Context) ([]string, error)

func (*AWSSecretsManagerProvider) Name

func (p *AWSSecretsManagerProvider) Name() string

func (*AWSSecretsManagerProvider) Set

func (p *AWSSecretsManagerProvider) Set(ctx context.Context, key, value string) error

Delete, Get, List, Name and Set are the Provider methods; their signatures follow the Provider interface.

type DevVaultConfig

type DevVaultConfig struct {
	// RootToken is the root token for the dev server. Default: "dev-root-token".
	RootToken string
	// ListenAddr is the address to listen on. Default: "127.0.0.1:0" (random port).
	ListenAddr string
	// MountPath is the KV v2 mount path. Default: "secret".
	MountPath string
}

DevVaultConfig holds configuration for a managed Vault dev server.

type DevVaultProvider

type DevVaultProvider struct {
	*VaultProvider
	// contains filtered or unexported fields
}

DevVaultProvider manages a Vault dev server subprocess and provides a real VaultProvider connected to it. This is useful for local development and integration testing without requiring an external Vault server. A Vault dev server keeps all data in memory, starts already unsealed and authenticates with a known root token (the "dev-root-token" default here), so it must never hold real secrets or be reachable beyond localhost.

func NewDevVaultProvider

func NewDevVaultProvider(cfg DevVaultConfig) (*DevVaultProvider, error)

NewDevVaultProvider starts a Vault dev server and returns a provider connected to it. It finds the vault binary on PATH, starts it with -dev mode, waits for readiness, and returns a fully functional VaultProvider.

The caller must call Close() to stop the subprocess.

Returns an error if the vault binary is not found or the server fails to start.

func (*DevVaultProvider) Addr

func (p *DevVaultProvider) Addr() string

Addr returns the listen address of the dev server.

func (*DevVaultProvider) Close

func (p *DevVaultProvider) Close() error

Close stops the Vault dev server subprocess and cleans up.

type EnvProvider

type EnvProvider struct {
	// contains filtered or unexported fields
}

EnvProvider reads secrets from environment variables. Keys are converted to uppercase with dots replaced by underscores. For example, "database.password" becomes "DATABASE_PASSWORD".

func NewEnvProvider

func NewEnvProvider(prefix string) *EnvProvider

NewEnvProvider creates a new environment variable secret provider. If prefix is non-empty, it is prepended to all key lookups (e.g., prefix "APP_" + key "db_pass" -> "APP_DB_PASS").

func (*EnvProvider) Delete

func (p *EnvProvider) Delete(_ context.Context, key string) error

func (*EnvProvider) Get

func (p *EnvProvider) Get(_ context.Context, key string) (string, error)

func (*EnvProvider) List

func (p *EnvProvider) List(_ context.Context) ([]string, error)

func (*EnvProvider) Name

func (p *EnvProvider) Name() string

func (*EnvProvider) Set

func (p *EnvProvider) Set(_ context.Context, key, value string) error

type FileProvider

type FileProvider struct {
	// contains filtered or unexported fields
}

FileProvider reads secrets from files in a directory. Each file name is the secret key, and the file content is the value. This is compatible with Kubernetes secret volume mounts.

func NewFileProvider

func NewFileProvider(dir string) *FileProvider

NewFileProvider creates a file-based secret provider rooted at dir.
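A file-backed provider turns a configuration key into a path, so the check a reviewer looks for is that a key such as "../../etc/passwd" cannot leave the directory. The block below is an added example written for this page, not the package's FileProvider; it assumes the layout of a Kubernetes secret volume mount (one file per key, written atomically through a "..data" symlink and "..<timestamp>" directories, which List skips) and rejects any key that is not a bare file name. The error variables mirror the ones on this page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrNotFound   = errors.New("secrets: secret not found")
	ErrInvalidKey = errors.New("secrets: invalid key")
)

// FileProvider reads one secret per file under dir (added example; not the
// package's own type).
type FileProvider struct{ dir string }

func NewFileProvider(dir string) *FileProvider { return &FileProvider{dir: dir} }

// checkKey confines lookups to dir: a key is a bare file name, never a path.
// Without this, a key taken from config could read any file on the node.
// Names starting with ".." are also refused, which covers the Kubernetes
// bookkeeping entries as well as the parent-directory reference itself.
func checkKey(key string) error {
	if key == "" || key == "." || strings.HasPrefix(key, "..") || strings.ContainsAny(key, "/\\") {
		return fmt.Errorf("%w: %q", ErrInvalidKey, key)
	}
	return nil
}

func (p *FileProvider) Name() string { return "file" }

func (p *FileProvider) Get(_ context.Context, key string) (string, error) {
	if err := checkKey(key); err != nil {
		return "", err
	}
	b, err := os.ReadFile(filepath.Join(p.dir, key))
	if errors.Is(err, os.ErrNotExist) {
		return "", fmt.Errorf("%w: %s", ErrNotFound, key)
	}
	if err != nil {
		return "", err
	}
	// Deliberately no TrimSpace: a value that ends in "\n" is a different
	// secret, and silently altering it would hide the mistake from the operator.
	return string(b), nil
}

// Set writes the value with owner-only permissions. On a read-only volume
// mount the filesystem error is returned as-is.
func (p *FileProvider) Set(_ context.Context, key, value string) error {
	if err := checkKey(key); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(p.dir, key), []byte(value), 0o600)
}

// List returns the keys in dir: regular files (after following the symlinks
// Kubernetes creates into ..data/), skipping the ..data and ..<timestamp> entries.
func (p *FileProvider) List(_ context.Context) ([]string, error) {
	entries, err := os.ReadDir(p.dir)
	if err != nil {
		return nil, err
	}
	var keys []string
	for _, e := range entries {
		name := e.Name()
		if strings.HasPrefix(name, "..") {
			continue
		}
		info, err := os.Stat(filepath.Join(p.dir, name)) // follows symlinks
		if err != nil || !info.Mode().IsRegular() {
			continue
		}
		keys = append(keys, name)
	}
	return keys, nil
}

func main() {
	p := NewFileProvider("/var/run/secrets/app") // constructed path for the example
	v, err := p.Get(context.Background(), "db-password")
	fmt.Println(len(v), err)
	_, err = p.Get(context.Background(), "../../etc/passwd")
	fmt.Println(errors.Is(err, ErrInvalidKey))
}
```

Whether the package's own FileProvider performs the same confinement is not stated on this page; it does export ErrInvalidKey, so callers should treat that error as the signal to check and should not retry with a "cleaned" key.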

func (*FileProvider) Delete

func (p *FileProvider) Delete(_ context.Context, key string) error

func (*FileProvider) Get

func (p *FileProvider) Get(_ context.Context, key string) (string, error)

func (*FileProvider) List

func (p *FileProvider) List(_ context.Context) ([]string, error)

func (*FileProvider) Name

func (p *FileProvider) Name() string

func (*FileProvider) Set

func (p *FileProvider) Set(_ context.Context, key, value string) error

type HTTPClient

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

HTTPClient is an interface for HTTP requests (allows testing). Used by the AWS Secrets Manager provider.

type MultiResolver

type MultiResolver struct {
	// contains filtered or unexported fields
}

MultiResolver resolves secret references in configuration values using multiple providers identified by URI scheme. It is backward-compatible: bare ${VAR_NAME} references (without a scheme) default to env resolution.

func NewMultiResolver

func NewMultiResolver() *MultiResolver

NewMultiResolver creates a new MultiResolver. An EnvProvider is registered by default under the "env" scheme.

func (*MultiResolver) Expand

func (m *MultiResolver) Expand(ctx context.Context, input string) (string, error)

Expand replaces all ${...} patterns in input with resolved values.

Supported formats:

  • ${vault:secret/path#field} — uses "vault" provider with key "secret/path#field"
  • ${aws-sm:secret-name} — uses "aws-sm" provider with key "secret-name"
  • ${env:VAR_NAME} — uses "env" provider with key "VAR_NAME"
  • ${VAR_NAME} — backward-compatible, uses "env" provider (os.LookupEnv via EnvProvider)
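To make the scheme dispatch and the env key rule concrete, here is an added example written for this page that models the four reference formats above; it is not the package's MultiResolver or EnvProvider. It uses a local copy of the Provider interface (Name and Get only), an in-memory provider standing in for "vault" and "aws-sm", and an env provider that applies the documented normalization (prefix plus uppercase, dots to underscores). Unknown schemes and missing secrets fail the whole expansion rather than leaving a reference in place or substituting an empty string, since a silently empty password or token is the failure mode to avoid in config resolution.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

var ErrNotFound = errors.New("secrets: secret not found")

// Provider is a local copy of the read side of the page's interface.
type Provider interface {
	Name() string
	Get(ctx context.Context, key string) (string, error)
}

// memProvider is a constructed in-memory backend standing in for vault or aws-sm.
type memProvider struct {
	name string
	data map[string]string
}

func (m *memProvider) Name() string { return m.name }
func (m *memProvider) Get(_ context.Context, key string) (string, error) {
	v, ok := m.data[key]
	if !ok {
		return "", fmt.Errorf("%w: %s/%s", ErrNotFound, m.name, key)
	}
	return v, nil
}

// envProvider applies the documented key rule: prefix + UPPER(key with "." -> "_").
// lookup is os.LookupEnv in real use and an injected map in tests.
type envProvider struct {
	prefix string
	lookup func(string) (string, bool)
}

func envKey(prefix, key string) string {
	return prefix + strings.ToUpper(strings.ReplaceAll(key, ".", "_"))
}

func (e *envProvider) Name() string { return "env" }
func (e *envProvider) Get(_ context.Context, key string) (string, error) {
	name := envKey(e.prefix, key)
	v, ok := e.lookup(name)
	if !ok {
		return "", fmt.Errorf("%w: env/%s", ErrNotFound, name)
	}
	return v, nil
}

// Resolver maps URI schemes to providers; "env" is registered at construction.
type Resolver struct{ providers map[string]Provider }

func NewResolver(env Provider) *Resolver {
	return &Resolver{providers: map[string]Provider{"env": env}}
}
func (r *Resolver) Register(scheme string, p Provider) { r.providers[scheme] = p }

var refPattern = regexp.MustCompile(`\$\{([^}]+)\}`)

// Expand replaces every ${scheme:key} in input; a bare ${NAME} is an env lookup.
// The first unresolved reference aborts the expansion with its error.
func (r *Resolver) Expand(ctx context.Context, input string) (string, error) {
	var firstErr error
	out := refPattern.ReplaceAllStringFunc(input, func(m string) string {
		ref := m[2 : len(m)-1] // strip "${" and "}"
		scheme, key := "env", ref
		if i := strings.Index(ref, ":"); i >= 0 {
			scheme, key = ref[:i], ref[i+1:]
		}
		p, ok := r.providers[scheme]
		if !ok {
			if firstErr == nil {
				firstErr = fmt.Errorf("secrets: no provider for scheme %q in %s", scheme, m)
			}
			return m
		}
		v, err := p.Get(ctx, key)
		if err != nil {
			if firstErr == nil {
				firstErr = err
			}
			return m
		}
		return v
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

func main() {
	r := NewResolver(&envProvider{prefix: "APP_", lookup: os.LookupEnv})
	r.Register("vault", &memProvider{name: "vault", data: map[string]string{"secret/db#password": "s3cr3t"}})
	r.Register("aws-sm", &memProvider{name: "aws-sm", data: map[string]string{"prod/api": "tok"}})
	os.Setenv("APP_DB_HOST", "db.internal") // constructed environment for the example
	dsn, err := r.Expand(context.Background(),
		"postgres://app:${vault:secret/db#password}@${db.host}/app?key=${aws-sm:prod/api}")
	fmt.Println(dsn, err)
	_, err = r.Expand(context.Background(), "${vault:secret/missing#x}")
	fmt.Println(errors.Is(err, ErrNotFound))
}
```

The key is split at the first colon only, so a Vault key such as "secret/path#field" passes through intact. Expanded strings carry secrets, so they belong in the connection object, not in logs.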

func (*MultiResolver) Provider

func (m *MultiResolver) Provider(scheme string) Provider

Provider returns the provider for a given scheme, or nil if not found.

func (*MultiResolver) Register

func (m *MultiResolver) Register(scheme string, provider Provider)

Register adds or replaces a provider for a given scheme.

func (*MultiResolver) Schemes

func (m *MultiResolver) Schemes() []string

Schemes returns the list of registered provider schemes.

func (*MultiResolver) Unregister

func (m *MultiResolver) Unregister(scheme string)

Unregister removes a provider for the given scheme.

type Provider

type Provider interface {
	// Name returns the provider identifier.
	Name() string
	// Get retrieves a secret value by key.
	Get(ctx context.Context, key string) (string, error)
	// Set stores a secret. Returns ErrUnsupported if read-only.
	Set(ctx context.Context, key, value string) error
	// Delete removes a secret. Returns ErrUnsupported if read-only.
	Delete(ctx context.Context, key string) error
	// List returns all available secret keys. Returns ErrUnsupported if not supported.
	List(ctx context.Context) ([]string, error)
}

Provider defines the interface for secret storage backends.

type Resolver

type Resolver struct {
	// contains filtered or unexported fields
}

Resolver resolves secret:// references in configuration values.

func NewResolver

func NewResolver(provider Provider) *Resolver

NewResolver creates a resolver backed by the given provider.

func (*Resolver) Provider

func (r *Resolver) Provider() Provider

Provider returns the underlying provider.

func (*Resolver) Resolve

func (r *Resolver) Resolve(ctx context.Context, value string) (string, error)

Resolve replaces a value containing a secret:// reference with the actual secret. If the value does not start with SecretPrefix, it is returned as-is.

func (*Resolver) ResolveMap

func (r *Resolver) ResolveMap(ctx context.Context, m map[string]any) (map[string]any, error)

ResolveMap resolves every string value in m that carries a secret:// reference and returns the resulting map.

type VaultConfig

type VaultConfig struct {
	Address   string `json:"address" yaml:"address"`
	Token     string `json:"token" yaml:"token"`
	MountPath string `json:"mount_path" yaml:"mount_path"`
	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}

VaultConfig holds configuration for HashiCorp Vault.

type VaultProvider

type VaultProvider struct {
	// contains filtered or unexported fields
}

VaultProvider implements a HashiCorp Vault secret provider using the official vault/api client library. It supports KV v2 operations: Get, Set, Delete, and List.

func NewVaultProvider

func NewVaultProvider(cfg VaultConfig) (*VaultProvider, error)

NewVaultProvider creates a new Vault provider using the official vault/api client. It validates the config, creates an api.Client, sets the token and namespace.

func NewVaultProviderFromClient

func NewVaultProviderFromClient(client *vault.Client, cfg VaultConfig) *VaultProvider

NewVaultProviderFromClient creates a VaultProvider from an existing vault/api client. This is useful for testing or when you need custom client configuration.

func NewVaultProviderHTTP (deprecated)

func NewVaultProviderHTTP(cfg VaultConfig) (*VaultProvider, error)

NewVaultProviderHTTP is a deprecated alias for NewVaultProvider. It exists for backward compatibility.

Deprecated: Use NewVaultProvider instead.

func (*VaultProvider) Client

func (p *VaultProvider) Client() *vault.Client

Client returns the underlying vault/api client for advanced use.

func (*VaultProvider) Config

func (p *VaultProvider) Config() VaultConfig

Config returns the provider's Vault configuration.

func (*VaultProvider) Delete

func (p *VaultProvider) Delete(ctx context.Context, key string) error

Delete removes a secret from Vault KV v2.

func (*VaultProvider) Get

func (p *VaultProvider) Get(ctx context.Context, key string) (string, error)

Get retrieves a secret value from Vault KV v2. The key can be in the format "path" or "path#field". If #field is specified, returns that specific field from the secret data. Otherwise, returns the entire data as JSON.

func (*VaultProvider) List

func (p *VaultProvider) List(ctx context.Context) ([]string, error)

List returns all secret keys under the mount path. It uses the Vault logical LIST operation on the metadata path.

func (*VaultProvider) Name

func (p *VaultProvider) Name() string

func (*VaultProvider) Set

func (p *VaultProvider) Set(ctx context.Context, key, value string) error

Set stores a secret value in Vault KV v2. The value is stored as {"value": val} in the secret data map. Because Get without a #field returns the whole data map as JSON, a value written with Set must be read back as "path#value" to obtain the plain string.
