credentials

package
v0.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 4, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Overview

Package credentials manages provider API-key storage for eyrie, combining an OS keychain and an env-file store (CombinedStore) and providing migration of legacy env-file and keychain credentials into the current scheme.

Index

Constants

View Source
const (
	// AWSAudience is the OIDC audience AWS STS expects for web-identity federation.
	AWSAudience = "sts.amazonaws.com"
)

audience constants for the OIDC token request.

View Source
const (
	ServiceName = "hawk"
)

Variables

View Source
var ErrKeychainUnavailable = fmt.Errorf("credentials: OS secret store unavailable")

ErrKeychainUnavailable is returned when credentials cannot be stored in the OS secret store.

View Source
var ErrNoOIDC = errors.New("credentials: not running in GitHub Actions (no OIDC)")

ErrNoOIDC is returned by the OIDC convenience helpers when the process is not running inside a GitHub Actions runner, so callers can fall back to other credential sources.

View Source
var ErrNotFound = errors.New("credentials: not found")

Functions

func APIKeysMap

func APIKeysMap(ctx context.Context, store Store) map[string]string

APIKeysMap returns env-keyed secrets for catalog discovery.

func AccountForEnv

func AccountForEnv(envKey string) string

AccountForEnv maps a standard env var to a stable keychain account name.

func CachedKeychainWriteAvailable

func CachedKeychainWriteAvailable(ctx context.Context) (ok bool, detail string)

CachedKeychainWriteAvailable probes keychain write once per process (refreshed periodically).

func DeleteSecret

func DeleteSecret(ctx context.Context, envKey string) error

DeleteSecret removes a stored secret for an env key name.

func DetectGitHubActions

func DetectGitHubActions() bool

DetectGitHubActions reports whether the process is running inside a GitHub Actions runner.

func EnvForAccount

func EnvForAccount(account string) string

EnvForAccount is a best-effort reverse map for loading into process env.

func ExchangeForAWS

func ExchangeForAWS(ctx context.Context, roleARN, region, oidcToken string) (accessKeyID, secretKey, sessionToken string, err error)

ExchangeForAWS exchanges a GitHub OIDC token for temporary AWS credentials via STS AssumeRoleWithWebIdentity. The returned credentials are short-lived and suitable for NewBedrockClient.

func ExchangeForAWSWith

func ExchangeForAWSWith(ctx context.Context, roleARN, region, oidcToken string, ep AWSEndpoints) (accessKeyID, secretKey, sessionToken string, err error)

ExchangeForAWSWith is ExchangeForAWS with injectable endpoints for testing.

func ExchangeForGCP

func ExchangeForGCP(ctx context.Context, audience, serviceAccountEmail, oidcToken string) (accessToken string, err error)

ExchangeForGCP exchanges a GitHub OIDC token for a Google access token via Workload Identity Federation. It first exchanges the OIDC token for a federated access token at the STS endpoint, then impersonates the named service account through iamcredentials generateAccessToken. The returned token is suitable for NewVertexClient.

audience is the full WIF audience, e.g. "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/POOL/providers/PROVIDER".

func ExchangeForGCPWith

func ExchangeForGCPWith(ctx context.Context, audience, serviceAccountEmail, oidcToken string, ep GCPEndpoints) (accessToken string, err error)

ExchangeForGCPWith is ExchangeForGCP with injectable endpoints for testing.

func FetchGitHubOIDCToken

func FetchGitHubOIDCToken(ctx context.Context, audience string) (string, error)

FetchGitHubOIDCToken requests an OIDC ID token from the GitHub Actions token service for the given audience. It reads ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN from the environment (set by the runner when the workflow has `id-token: write` permission).

func FormatStorageReport

func FormatStorageReport(r StorageReport) string

FormatStorageReport returns human-readable credential storage status.

func HasSecret

func HasSecret(ctx context.Context, envKey string) bool

HasSecret reports whether the store has a non-empty secret for an env key name. It is intentionally silent — it is a boolean predicate used in capability checks that iterate the full provider catalog at startup, and any logging here produced dozens of WARN lines on first run with no credentials stored.

func KeychainUnavailableDetail

func KeychainUnavailableDetail() error

KeychainUnavailableDetail returns a detailed error explaining why the keychain is unavailable.

func KeychainWriteAvailable

func KeychainWriteAvailable(ctx context.Context) (ok bool, detail string)

KeychainWriteAvailable reports whether secrets can be persisted to the OS keychain.

func KeyringUnavailableHelp

func KeyringUnavailableHelp() string

KeyringUnavailableHelp explains how to enable secret storage on this OS.

func LookupSecret

func LookupSecret(ctx context.Context, envKey string) string

LookupSecret returns an API key from the OS secret store. It does not read the process environment — use for strict isolation from agents and shell dumps.

On "not found" the function returns ("", nil) and logs at debug level — callers commonly probe for keys that may legitimately be absent. Real backend errors (keychain locked, permission denied, transport failure) are logged at warn.

func MigrateLegacyEnvFile

func MigrateLegacyEnvFile(ctx context.Context) (int, error)

func MigrateLegacyKeychainAccounts

func MigrateLegacyKeychainAccounts(ctx context.Context) (int, error)

MigrateLegacyKeychainAccounts copies secrets from deprecated keychain accounts when the new account is empty.

func PlatformSecretStoreName

func PlatformSecretStoreName() string

PlatformSecretStoreName is the user-facing label for the OS credential backend.

func ResetKeychainWriteCache

func ResetKeychainWriteCache()

ResetKeychainWriteCache clears the write-probe cache (tests).

func ScrubProcessEnv

func ScrubProcessEnv(envKeys []string)

ScrubProcessEnv removes API key env vars from the process (shell inheritance / legacy Setenv).

func SetDefaultStore

func SetDefaultStore(s Store)

SetDefaultStore replaces the process-wide store (tests).

func StorageStatus

func StorageStatus(ctx context.Context) (ok bool, detail string)

StorageStatus reports whether the credential store can be read (and optionally written).

func StoredEnvKeys

func StoredEnvKeys(ctx context.Context) []string

StoredEnvKeys returns env var names that have non-empty secrets in the store.

func VertexTokenFromOIDC

func VertexTokenFromOIDC(ctx context.Context, audience, serviceAccountEmail string) (string, error)

VertexTokenFromOIDC is a convenience helper for setup/deployment.go: it detects GitHub Actions, fetches an OIDC token for the given WIF audience, and exchanges it for a Google access token usable by NewVertexClient. It returns ErrNoOIDC when not running inside GitHub Actions.

Types

type AWSCredentials

type AWSCredentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Region          string
}

AWSCredentials holds temporary AWS credentials from an OIDC exchange.

func BedrockCredentialsFromOIDC

func BedrockCredentialsFromOIDC(ctx context.Context, roleARN, region string) (AWSCredentials, error)

BedrockCredentialsFromOIDC is a convenience helper for setup/deployment.go: it detects GitHub Actions, fetches an OIDC token for the AWS audience, and exchanges it for temporary Bedrock credentials. It returns ErrNoOIDC when not running inside GitHub Actions so callers can fall back to their happy path.

type AWSEndpoints

type AWSEndpoints struct {
	// STSURL overrides the STS endpoint (default https://sts.amazonaws.com/).
	STSURL string
	// HTTPClient overrides the HTTP client used for the request.
	HTTPClient *http.Client
}

AWSEndpoints holds the network configuration for AWS STS exchange. The zero value uses production AWS STS.

type CombinedStore

type CombinedStore struct {
	Keychain Store
	// contains filtered or unexported fields
}

CombinedStore persists secrets in the OS secret store (macOS Keychain / Linux Secret Service).

func NewCombinedStore

func NewCombinedStore() *CombinedStore

func (*CombinedStore) Delete

func (c *CombinedStore) Delete(ctx context.Context, account string) error

func (*CombinedStore) Get

func (c *CombinedStore) Get(ctx context.Context, account string) (string, error)

func (*CombinedStore) Set

func (c *CombinedStore) Set(ctx context.Context, account, secret string) error

type GCPEndpoints

type GCPEndpoints struct {
	// STSURL overrides the STS token-exchange endpoint.
	STSURL string
	// IAMCredentialsHost overrides the iamcredentials host (no trailing slash).
	IAMCredentialsHost string
	// HTTPClient overrides the HTTP client used for the requests.
	HTTPClient *http.Client
}

GCPEndpoints holds the network configuration for GCP STS + impersonation. The zero value uses production GCP endpoints.

type MapStore

type MapStore struct {
	Data map[string]string
	// contains filtered or unexported fields
}

MapStore is an in-memory credential store for tests.

func (*MapStore) Delete

func (m *MapStore) Delete(ctx context.Context, account string) error

func (*MapStore) Get

func (m *MapStore) Get(ctx context.Context, account string) (string, error)

func (*MapStore) Set

func (m *MapStore) Set(ctx context.Context, account, secret string) error

type StorageReport

type StorageReport struct {
	PlatformStore    string
	KeychainWritable bool
	KeychainDetail   string
	StoredEnvKeys    []string
}

StorageReport summarizes where credentials are stored (no secret values).

func StorageReportFor

func StorageReportFor(ctx context.Context) StorageReport

StorageReportFor returns a credential storage summary for CLI / doctor output.

type Store

type Store interface {
	Set(ctx context.Context, account, secret string) error
	Get(ctx context.Context, account string) (string, error)
	Delete(ctx context.Context, account string) error
}

Store persists provider API secrets outside provider.json.

func DefaultStore

func DefaultStore() Store

DefaultStore returns the process-wide credential store (OS secret service).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL