Documentation
Index
- Constants
- Variables
- func IsAzureKeyVaultSecret(id string) bool
- func IsKeyVaultAppReference(s string) bool
- func IsSecretReference(s string) bool
- func IsValidSecretName(kvSecretName string) bool
- func NewAzureKeyVaultSecret(subId, vaultId, secretName string) string
- func ResolveSecretEnvironment(ctx context.Context, kvService KeyVaultService, envVars []string, ...) ([]string, error)
- type AzureKeyVaultSecret
- type KeyVault
- type KeyVaultAppReference
- type KeyVaultService
- type Secret
- type Vault
Constants
const (
	RoleIdKeyVaultAdministrator string = resourceIdPathPrefix + "00482a5a-887f-4fb3-b363-3b7fe8e74483"
	RoleIdKeyVaultSecretsUser   string = resourceIdPathPrefix + "4633458b-17de-408a-b874-0445c86b69e6"
)
Built-in roles for Key Vault RBAC: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles. Key Vault Administrator covers all data-plane operations on a vault's keys, secrets and certificates; Key Vault Secrets User only reads secret contents and is the least-privileged choice for a workload that just needs to resolve secret references. Both roles apply only to vaults that use the Azure RBAC permission model rather than access policies.
Variables
var ErrAzCliSecretNotFound = errors.New("secret not found")
Functions
func IsAzureKeyVaultSecret
func IsAzureKeyVaultSecret(id string) bool
func IsKeyVaultAppReference added in v1.23.14
func IsKeyVaultAppReference(s string) bool
IsKeyVaultAppReference reports whether s uses the @Microsoft.KeyVault(SecretUri=...) format used by Azure App Service and App Configuration for Key Vault references. The prefix check is case-insensitive to match Azure App Service behavior. Only the SecretUri= variant is supported; other forms (e.g., VaultName/SecretName) return false.
func IsSecretReference added in v1.23.14
func IsSecretReference(s string) bool
IsSecretReference reports whether s is a Key Vault secret reference in either the akvs:// or @Microsoft.KeyVault(SecretUri=...) format.
func IsValidSecretName
func IsValidSecretName(kvSecretName string) bool
func NewAzureKeyVaultSecret
func NewAzureKeyVaultSecret(subId, vaultId, secretName string) string
func ResolveSecretEnvironment added in v1.23.14
func ResolveSecretEnvironment(
	ctx context.Context,
	kvService KeyVaultService,
	envVars []string,
	defaultSubscriptionId string,
) ([]string, error)
ResolveSecretEnvironment resolves Key Vault secret references in a list of environment variables given in "KEY=VALUE" form. Any value in the akvs:// or @Microsoft.KeyVault(SecretUri=...) format is replaced with the resolved secret value; values that are not secret references are passed through unchanged.
When a reference cannot be resolved, that variable is emitted with an empty value rather than the raw reference, so an unresolved reference is never leaked into the process environment, and all such failures are collected and returned as a single error via errors.Join. The returned slice is always well formed, so callers can choose to proceed with the partially resolved environment or treat the error as fatal.
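The contract above (pass-through of plain values, empty value on failure, errors collected with errors.Join) as an added, stand-alone example. This is illustrative code, not the package's own implementation: the KeyVaultService lookup is replaced by a resolver func so the program runs offline, and the subscription id, vault name and secret values are constructed sample data.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// secretResolver stands in for KeyVaultService.SecretFromKeyVaultReference.
type secretResolver func(ctx context.Context, ref, defaultSubscriptionId string) (string, error)

// errSecretNotFound plays the role of the package's ErrAzCliSecretNotFound sentinel.
var errSecretNotFound = errors.New("secret not found")

// isSecretReference mirrors the documented detection: an akvs:// value or a
// case-insensitive @Microsoft.KeyVault(SecretUri= prefix.
func isSecretReference(s string) bool {
	return strings.HasPrefix(s, "akvs://") ||
		strings.HasPrefix(strings.ToLower(s), "@microsoft.keyvault(secreturi=")
}

// resolveSecretEnvironment returns a slice the same length as envVars. Values
// that are not references pass through unchanged. A reference that fails to
// resolve becomes "KEY=" so the raw reference never reaches the child process,
// and every failure is collected into a single error via errors.Join.
func resolveSecretEnvironment(ctx context.Context, resolve secretResolver, envVars []string, defaultSubscriptionId string) ([]string, error) {
	out := make([]string, 0, len(envVars))
	var errs []error
	for _, kv := range envVars {
		key, value, found := strings.Cut(kv, "=")
		if !found || !isSecretReference(value) {
			out = append(out, kv)
			continue
		}
		secret, err := resolve(ctx, value, defaultSubscriptionId)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", key, err))
			out = append(out, key+"=") // empty value, never the unresolved reference
			continue
		}
		out = append(out, key+"="+secret)
	}
	return out, errors.Join(errs...)
}

// fakeVault builds a resolver over constructed sample data (reference -> value).
func fakeVault(secrets map[string]string) secretResolver {
	return func(_ context.Context, ref, _ string) (string, error) {
		if v, ok := secrets[ref]; ok {
			return v, nil
		}
		return "", fmt.Errorf("%s: %w", ref, errSecretNotFound)
	}
}

func main() {
	const sub = "00000000-0000-0000-0000-000000000000" // constructed subscription id
	resolve := fakeVault(map[string]string{
		"akvs://" + sub + "/my-vault/db-password":                                          "constructed-db-password",
		"@Microsoft.KeyVault(SecretUri=https://my-vault.vault.azure.net/secrets/api-key)": "constructed-api-key",
	})
	env := []string{
		"APP_ENV=production",
		"DB_PASSWORD=akvs://" + sub + "/my-vault/db-password",
		"API_KEY=@Microsoft.KeyVault(SecretUri=https://my-vault.vault.azure.net/secrets/api-key)",
		"MISSING=akvs://" + sub + "/my-vault/does-not-exist",
		"NOT_A_REF=@Microsoft.KeyVault(VaultName=my-vault;SecretName=x)",
	}
	resolved, err := resolveSecretEnvironment(context.Background(), resolve, env, sub)
	for _, kv := range resolved {
		key, value, _ := strings.Cut(kv, "=")
		fmt.Printf("%-12s non-empty=%v\n", key, value != "") // never print the secret values
	}
	if err != nil {
		fmt.Println("partial failure:", err) // the caller decides whether to proceed
	}
}
```

Two points the run makes visible: MISSING comes back as "MISSING=" with the failure reported through the joined error (errors.Is still finds the sentinel through errors.Join), and NOT_A_REF is passed through verbatim because the VaultName=/SecretName= variant is not a supported reference, so that string would reach the child process unchanged. Callers that proceed on partial results should audit which variables came back empty before launching anything.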
Types
type AzureKeyVaultSecret
AzureKeyVaultSecret represents a secret stored in an Azure Key Vault. It contains the information needed to identify and access the secret.
Fields:
- SubscriptionId: The ID of the Azure subscription that contains the Key Vault.
- VaultName: The name of the Key Vault where the secret is stored.
- SecretName: The name of the secret within the Key Vault.
func ParseAzureKeyVaultSecret
func ParseAzureKeyVaultSecret(akvs string) (AzureKeyVaultSecret, error)
ParseAzureKeyVaultSecret parses a string representing an Azure Key Vault Secret reference and returns an AzureKeyVaultSecret struct if the reference is valid.
The expected format for the Azure Key Vault Secret reference is: "akvs://<subscription-id>/<vault-name>/<secret-name>"
Parameters:
- akvs: A string representing the Azure Key Vault Secret reference.
Returns:
- AzureKeyVaultSecret: A struct containing the subscription ID, vault name, and secret name.
- error: An error if the Azure Key Vault Secret reference is invalid.
type KeyVaultAppReference added in v1.23.14
type KeyVaultAppReference struct {
// VaultURL is the full vault URL (e.g., "https://my-vault.vault.azure.net").
VaultURL string
// VaultName is the vault name extracted from the host.
VaultName string
// SecretName is the name of the secret.
SecretName string
// SecretVersion is the specific version, or empty for latest.
SecretVersion string
}
KeyVaultAppReference represents a parsed @Microsoft.KeyVault(SecretUri=...) reference.
func ParseKeyVaultAppReference added in v1.23.14
func ParseKeyVaultAppReference(ref string) (KeyVaultAppReference, error)
ParseKeyVaultAppReference parses an @Microsoft.KeyVault(SecretUri=...) reference.
Expected format:
@Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<secret>[/<version>])
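Stand-alone parsers for both reference formats described on this page (akvs://<subscription-id>/<vault-name>/<secret-name> and @Microsoft.KeyVault(SecretUri=...)), as an added example. This is illustrative code written for this page, not the package's ParseAzureKeyVaultSecret or ParseKeyVaultAppReference; it assumes the public-cloud host suffix ".vault.azure.net" exactly as the documented format spells it, and the identifiers in main are constructed sample data. Beyond the documented format rules it rejects non-https URLs and hosts outside the vault suffix, so a reference cannot redirect a lookup to an arbitrary host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const (
	akvsScheme   = "akvs://"
	appRefPrefix = "@microsoft.keyvault(secreturi=" // compared case-insensitively
	vaultSuffix  = ".vault.azure.net"               // assumption: public cloud only
)

// AkvsSecret mirrors the documented fields of AzureKeyVaultSecret.
type AkvsSecret struct {
	SubscriptionId string
	VaultName      string
	SecretName     string
}

// AppReference mirrors the documented fields of KeyVaultAppReference.
type AppReference struct {
	VaultURL      string
	VaultName     string
	SecretName    string
	SecretVersion string // empty means latest
}

// parseAkvs parses "akvs://<subscription-id>/<vault-name>/<secret-name>" and
// rejects references with a missing, extra or empty segment.
func parseAkvs(ref string) (AkvsSecret, error) {
	if !strings.HasPrefix(ref, akvsScheme) {
		return AkvsSecret{}, fmt.Errorf("not an akvs:// reference: %q", ref)
	}
	parts := strings.Split(strings.TrimPrefix(ref, akvsScheme), "/")
	if len(parts) != 3 {
		return AkvsSecret{}, fmt.Errorf("akvs:// reference needs 3 segments, got %d", len(parts))
	}
	for _, p := range parts {
		if p == "" {
			return AkvsSecret{}, errors.New("akvs:// reference has an empty segment")
		}
	}
	return AkvsSecret{SubscriptionId: parts[0], VaultName: parts[1], SecretName: parts[2]}, nil
}

// isAppReference reports whether s has the @Microsoft.KeyVault(SecretUri=...) shape.
// The prefix is matched case-insensitively; the VaultName=/SecretName= variant is
// not accepted, matching the documented behaviour of IsKeyVaultAppReference.
func isAppReference(s string) bool {
	return strings.HasPrefix(strings.ToLower(s), appRefPrefix) && strings.HasSuffix(s, ")")
}

// isSecretReference mirrors IsSecretReference: either format counts.
func isSecretReference(s string) bool {
	return strings.HasPrefix(s, akvsScheme) || isAppReference(s)
}

// parseAppReference parses
// @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<secret>[/<version>]).
func parseAppReference(ref string) (AppReference, error) {
	if !isAppReference(ref) {
		return AppReference{}, fmt.Errorf("not a @Microsoft.KeyVault(SecretUri=...) reference: %q", ref)
	}
	rawURL := ref[len(appRefPrefix) : len(ref)-1] // strip the prefix and the closing ")"
	u, err := url.Parse(rawURL)
	if err != nil {
		return AppReference{}, fmt.Errorf("invalid SecretUri: %w", err)
	}
	vaultName, ok := strings.CutSuffix(u.Host, vaultSuffix)
	if u.Scheme != "https" || !ok || vaultName == "" || strings.Contains(vaultName, ".") {
		return AppReference{}, fmt.Errorf("SecretUri host %q is not <vault>%s", u.Host, vaultSuffix)
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 || len(segs) > 3 || segs[0] != "secrets" || segs[1] == "" {
		return AppReference{}, fmt.Errorf("SecretUri path %q is not /secrets/<name>[/<version>]", u.Path)
	}
	out := AppReference{VaultURL: "https://" + u.Host, VaultName: vaultName, SecretName: segs[1]}
	if len(segs) == 3 {
		out.SecretVersion = segs[2]
	}
	return out, nil
}

func main() {
	for _, ref := range []string{ // constructed sample references
		"akvs://00000000-0000-0000-0000-000000000000/my-vault/db-password",
		"@Microsoft.KeyVault(SecretUri=https://my-vault.vault.azure.net/secrets/db-password/abc123)",
		"@Microsoft.KeyVault(VaultName=my-vault;SecretName=db-password)",
		"not-a-secret",
	} {
		fmt.Printf("reference=%-5v %s\n", isSecretReference(ref), ref)
	}
}
```

Note that an @Microsoft.KeyVault reference carries no subscription, which is why SecretFromKeyVaultReference takes a defaultSubscriptionId: the parser can only yield the vault URL and name, and the caller must supply the subscription used to scope credentials.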
type KeyVaultService
type KeyVaultService interface {
GetKeyVault(
ctx context.Context,
subscriptionId string,
resourceGroupName string,
vaultName string,
) (*KeyVault, error)
GetKeyVaultSecret(
ctx context.Context,
subscriptionId string,
vaultName string,
secretName string,
) (*Secret, error)
PurgeKeyVault(ctx context.Context, subscriptionId string, vaultName string, location string) error
ListSubscriptionVaults(ctx context.Context, subscriptionId string) ([]Vault, error)
CreateVault(
ctx context.Context,
tenantId string,
subscriptionId string,
resourceGroupName string,
location string,
vaultName string,
) (Vault, error)
ListKeyVaultSecrets(
ctx context.Context,
subscriptionId string,
vaultName string,
) ([]string, error)
CreateKeyVaultSecret(
ctx context.Context,
subscriptionId string,
vaultName string,
secretName string,
secretValue string,
) error
SecretFromAkvs(ctx context.Context, akvs string) (string, error)
// SecretFromKeyVaultReference resolves a secret reference in either the
// akvs:// or @Microsoft.KeyVault(SecretUri=...) format. The subscriptionId
// is required for credential scoping; for @Microsoft.KeyVault references
// (which lack a subscription), the caller should provide the environment's
// default subscription.
SecretFromKeyVaultReference(ctx context.Context, ref string, defaultSubscriptionId string) (string, error)
}
func NewKeyVaultService
func NewKeyVaultService(
	credentialProvider account.SubscriptionCredentialProvider,
	armClientOptions *arm.ClientOptions,
	coreClientOptions *azcore.ClientOptions,
	cloud *cloud.Cloud,
) KeyVaultService
NewKeyVaultService creates a new KeyVaultService backed by the given credential provider, ARM and core client options, and cloud configuration.