Documentation
¶
Overview ¶
Package credentials manages provider API-key storage for eyrie, combining an OS keychain and an env-file store (CombinedStore) and providing migration of legacy env-file and keychain credentials into the current scheme.
Index ¶
- Constants
- Variables
- func APIKeysMap(ctx context.Context, store Store) map[string]string
- func AccountForEnv(envKey string) string
- func CachedKeychainWriteAvailable(ctx context.Context) (ok bool, detail string)
- func DeleteSecret(ctx context.Context, envKey string) error
- func DetectGitHubActions() bool
- func EnvForAccount(account string) string
- func ExchangeForAWS(ctx context.Context, roleARN, region, oidcToken string) (accessKeyID, secretKey, sessionToken string, err error)
- func ExchangeForAWSWith(ctx context.Context, roleARN, region, oidcToken string, ep AWSEndpoints) (accessKeyID, secretKey, sessionToken string, err error)
- func ExchangeForGCP(ctx context.Context, audience, serviceAccountEmail, oidcToken string) (accessToken string, err error)
- func ExchangeForGCPWith(ctx context.Context, audience, serviceAccountEmail, oidcToken string, ...) (accessToken string, err error)
- func FetchGitHubOIDCToken(ctx context.Context, audience string) (string, error)
- func FormatStorageReport(r StorageReport) string
- func HasSecret(ctx context.Context, envKey string) bool
- func KeychainUnavailableDetail() error
- func KeychainWriteAvailable(ctx context.Context) (ok bool, detail string)
- func KeyringUnavailableHelp() string
- func LookupSecret(ctx context.Context, envKey string) string
- func MigrateLegacyEnvFile(ctx context.Context) (int, error)
- func MigrateLegacyKeychainAccounts(ctx context.Context) (int, error)
- func PlatformSecretStoreName() string
- func ResetKeychainWriteCache()
- func ScrubProcessEnv(envKeys []string)
- func SetDefaultStore(s Store)
- func StorageStatus(ctx context.Context) (ok bool, detail string)
- func StoredEnvKeys(ctx context.Context) []string
- func VertexTokenFromOIDC(ctx context.Context, audience, serviceAccountEmail string) (string, error)
- type AWSCredentials
- type AWSEndpoints
- type CombinedStore
- type GCPEndpoints
- type MapStore
- type StorageReport
- type Store
Constants ¶
const (
// AWSAudience is the OIDC audience AWS STS expects for web-identity federation.
AWSAudience = "sts.amazonaws.com"
)
audience constants for the OIDC token request.
const (
ServiceName = "hawk"
)
Variables ¶
ErrKeychainUnavailable is returned when credentials cannot be stored in the OS secret store.
var ErrNoOIDC = errors.New("credentials: not running in GitHub Actions (no OIDC)")
ErrNoOIDC is returned by the OIDC convenience helpers when the process is not running inside a GitHub Actions runner, so callers can fall back to other credential sources.
var ErrNotFound = errors.New("credentials: not found")
Functions ¶
func APIKeysMap ¶
APIKeysMap returns env-keyed secrets for catalog discovery.
func AccountForEnv ¶
AccountForEnv maps a standard env var to a stable keychain account name.
func CachedKeychainWriteAvailable ¶
CachedKeychainWriteAvailable probes keychain write once per process (refreshed periodically).
func DeleteSecret ¶
DeleteSecret removes a stored secret for an env key name.
func DetectGitHubActions ¶
func DetectGitHubActions() bool
DetectGitHubActions reports whether the process is running inside a GitHub Actions runner.
func EnvForAccount ¶
EnvForAccount is a best-effort reverse map for loading into process env.
func ExchangeForAWS ¶
func ExchangeForAWS(ctx context.Context, roleARN, region, oidcToken string) (accessKeyID, secretKey, sessionToken string, err error)
ExchangeForAWS exchanges a GitHub OIDC token for temporary AWS credentials via STS AssumeRoleWithWebIdentity. The returned credentials are short-lived and suitable for NewBedrockClient.
func ExchangeForAWSWith ¶
func ExchangeForAWSWith(ctx context.Context, roleARN, region, oidcToken string, ep AWSEndpoints) (accessKeyID, secretKey, sessionToken string, err error)
ExchangeForAWSWith is ExchangeForAWS with injectable endpoints for testing.
func ExchangeForGCP ¶
func ExchangeForGCP(ctx context.Context, audience, serviceAccountEmail, oidcToken string) (accessToken string, err error)
ExchangeForGCP exchanges a GitHub OIDC token for a Google access token via Workload Identity Federation. It first exchanges the OIDC token for a federated access token at the STS endpoint, then impersonates the named service account through iamcredentials generateAccessToken. The returned token is suitable for NewVertexClient.
audience is the full WIF audience, e.g. "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/POOL/providers/PROVIDER".
func ExchangeForGCPWith ¶
func ExchangeForGCPWith(ctx context.Context, audience, serviceAccountEmail, oidcToken string, ep GCPEndpoints) (accessToken string, err error)
ExchangeForGCPWith is ExchangeForGCP with injectable endpoints for testing.
func FetchGitHubOIDCToken ¶
FetchGitHubOIDCToken requests an OIDC ID token from the GitHub Actions token service for the given audience. It reads ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN from the environment (set by the runner when the workflow has `id-token: write` permission).
func FormatStorageReport ¶
func FormatStorageReport(r StorageReport) string
FormatStorageReport returns human-readable credential storage status.
func HasSecret ¶
HasSecret reports whether the store has a non-empty secret for an env key name. It is intentionally silent — it is a boolean predicate used in capability checks that iterate the full provider catalog at startup, and any logging here produced dozens of WARN lines on first run with no credentials stored.
func KeychainUnavailableDetail ¶
func KeychainUnavailableDetail() error
KeychainUnavailableDetail returns a detailed error explaining why the keychain is unavailable.
func KeychainWriteAvailable ¶
KeychainWriteAvailable reports whether secrets can be persisted to the OS keychain.
func KeyringUnavailableHelp ¶
func KeyringUnavailableHelp() string
KeyringUnavailableHelp explains how to enable secret storage on this OS.
func LookupSecret ¶
LookupSecret returns an API key from the OS secret store. It does not read the process environment — use for strict isolation from agents and shell dumps.
On "not found" the function returns ("", nil) and logs at debug level — callers commonly probe for keys that may legitimately be absent. Real backend errors (keychain locked, permission denied, transport failure) are logged at warn.
func MigrateLegacyKeychainAccounts ¶
MigrateLegacyKeychainAccounts copies secrets from deprecated keychain accounts when the new account is empty.
func PlatformSecretStoreName ¶
func PlatformSecretStoreName() string
PlatformSecretStoreName is the user-facing label for the OS credential backend.
func ResetKeychainWriteCache ¶
func ResetKeychainWriteCache()
ResetKeychainWriteCache clears the write-probe cache (tests).
func ScrubProcessEnv ¶
func ScrubProcessEnv(envKeys []string)
ScrubProcessEnv removes API key env vars from the process (shell inheritance / legacy Setenv).
func SetDefaultStore ¶
func SetDefaultStore(s Store)
SetDefaultStore replaces the process-wide store (tests).
func StorageStatus ¶
StorageStatus reports whether the credential store can be read (and optionally written).
func StoredEnvKeys ¶
StoredEnvKeys returns env var names that have non-empty secrets in the store.
func VertexTokenFromOIDC ¶
VertexTokenFromOIDC is a convenience helper for setup/deployment.go: it detects GitHub Actions, fetches an OIDC token for the given WIF audience, and exchanges it for a Google access token usable by NewVertexClient. It returns ErrNoOIDC when not running inside GitHub Actions.
Types ¶
type AWSCredentials ¶
type AWSCredentials struct {
AccessKeyID string
SecretAccessKey string
SessionToken string
Region string
}
AWSCredentials holds temporary AWS credentials from an OIDC exchange.
func BedrockCredentialsFromOIDC ¶
func BedrockCredentialsFromOIDC(ctx context.Context, roleARN, region string) (AWSCredentials, error)
BedrockCredentialsFromOIDC is a convenience helper for setup/deployment.go: it detects GitHub Actions, fetches an OIDC token for the AWS audience, and exchanges it for temporary Bedrock credentials. It returns ErrNoOIDC when not running inside GitHub Actions so callers can fall back to their happy path.
type AWSEndpoints ¶
type AWSEndpoints struct {
// STSURL overrides the STS endpoint (default https://sts.amazonaws.com/).
STSURL string
// HTTPClient overrides the HTTP client used for the request.
HTTPClient *http.Client
}
AWSEndpoints holds the network configuration for AWS STS exchange. The zero value uses production AWS STS.
type CombinedStore ¶
type CombinedStore struct {
Keychain Store
// contains filtered or unexported fields
}
CombinedStore persists secrets in the OS secret store (macOS Keychain / Linux Secret Service).
func NewCombinedStore ¶
func NewCombinedStore() *CombinedStore
func (*CombinedStore) Delete ¶
func (c *CombinedStore) Delete(ctx context.Context, account string) error
type GCPEndpoints ¶
type GCPEndpoints struct {
// STSURL overrides the STS token-exchange endpoint.
STSURL string
// IAMCredentialsHost overrides the iamcredentials host (no trailing slash).
IAMCredentialsHost string
// HTTPClient overrides the HTTP client used for the requests.
HTTPClient *http.Client
}
GCPEndpoints holds the network configuration for GCP STS + impersonation. The zero value uses production GCP endpoints.
type StorageReport ¶
type StorageReport struct {
PlatformStore string
KeychainWritable bool
KeychainDetail string
StoredEnvKeys []string
}
StorageReport summarizes where credentials are stored (no secret values).
func StorageReportFor ¶
func StorageReportFor(ctx context.Context) StorageReport
StorageReportFor returns a credential storage summary for CLI / doctor output.
type Store ¶
type Store interface {
Set(ctx context.Context, account, secret string) error
Get(ctx context.Context, account string) (string, error)
Delete(ctx context.Context, account string) error
}
Store persists provider API secrets outside provider.json.
func DefaultStore ¶
func DefaultStore() Store
DefaultStore returns the process-wide credential store (OS secret service).