secrets

package module
v1.1.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 14, 2026 License: MIT Imports: 8 Imported by: 26

README

Go Reference GitHub go.mod Go version GitHub release (latest by date) Go Report Card Actions Status

go-secrets

A Go library that provides a unified interface for reading secrets from multiple backends. Switch between environment variables, Docker/Kubernetes mounted secrets, and credentials files without changing application code.

Installation

go get github.com/tommzn/go-secrets

Backends

Backend Constructor Use case
Environment variables NewSecretsManager() Default; twelve-factor apps
Docker / Kubernetes NewDockerSecretsManager(path) Mounted secret files in containers
Credentials file NewFileSecretsManager(file) Local development, CI runners
Static (in-memory) NewStaticSecretsManager(map) Unit tests

All backends implement the same interface:

type SecretsManager interface {
    Obtain(key string) (*string, error)
}

Obtain returns a pointer to the secret value, or a *SecretNotFoundError when the key does not exist.

Usage

Environment variables
manager := secrets.NewSecretsManager()

value, err := manager.Obtain("DATABASE_URL")
if err != nil {
    // handle *secrets.SecretNotFoundError
}
fmt.Println(*value)

Key lookup is case-insensitive: Obtain("db_password") also matches DB_PASSWORD and Db_Password (the environment manager tries the original key, lowercase, and uppercase variants).

Docker / Kubernetes mounted secrets
// Use the default mount path /run/secrets
manager := secrets.NewDockerSecretsManager(secrets.DOCKER_SECRETS_PATH)

// Or a custom path
manager = secrets.NewDockerSecretsManager("/var/run/secrets/myapp")

value, err := manager.Obtain("db-password")

Each secret must be a separate file inside the secrets directory. The filename is the key. Key lookup is case-insensitive (the original key, lowercase, and uppercase variants are tried).

Credentials file
// ~ is expanded to the current user's home directory
manager := secrets.NewFileSecretsManager("~/.credentials")

value, err := manager.Obtain("db_password")

Credentials file format — one entry per line, key and base64-encoded value separated by ::

db_password:cGFzc3dvcmQxMjM=
api_key:c2VjcmV0a2V5eHl6

Encode a value:

echo -n "mysecretvalue" | base64

Security requirements for the credentials file:

  • Permissions must be 0600 or stricter (no group or world read/write/execute; owner must have read access)
  • The path must not be a symlink
  • Key lookup in credentials files is case-sensitive — the key in the file must match exactly.
Static (for tests)
manager := secrets.NewStaticSecretsManager(map[string]string{
    "API_KEY": "test-key-123",
    "DB_URL":  "postgres://localhost/testdb",
})

value, err := manager.Obtain("API_KEY")

// Remove all secrets from memory when done
manager.(*secrets.StaticSecretsManager).Clear()
Export secrets to environment variables

ExportToEnvironment loads a list of secrets by key and sets each one as an environment variable. Keys that cannot be found are silently skipped.

manager := secrets.NewSecretsManager()
secrets.ExportToEnvironment([]string{"API_KEY", "DB_PASSWORD"}, manager)
Select backend from configuration

The library integrates with go-config. Set secrets.source in your config file to select a backend:

secrets:
  source: docker
  path: /run/secrets
conf, _ := config.NewFileConfigSource(&configFile).Load()
manager := secrets.NewSecretsManagerByConfig(conf)

Supported values for secrets.source:

Value Backend
docker DockerSecretsManager using path from secrets.path (default: /run/secrets)
(absent) EnvironmentSecretsManager

Error handling

value, err := manager.Obtain("MISSING_KEY")
if err != nil {
    var notFound *secrets.SecretNotFoundError
    if errors.As(err, &notFound) {
        // key does not exist in this backend
    }
}

Security notes

  • Credentials file: rejected if it has group or world permissions, or if the path resolves to a symlink.
  • Docker backend: key names containing path separators (/, \) or traversal sequences (., ..) are rejected to prevent directory traversal attacks.
  • Error messages: secret key names are never included in error messages to avoid leaking them into logs.
  • Base64 in credentials files is encoding, not encryption. Protect the file with filesystem permissions and avoid committing it to version control.

License

MIT

Documentation

Overview

Package secrets provides a generic interface to obtain secrets from different sources.

Index

Constants

View Source
const DEFAULT_SECRETS_FILE = "~/.credentials"

DEFAULT_SECRETS_FILE defines default path to a credentials file.

View Source
const DOCKER_SECRETS_PATH = "/run/secrets"

DOCKER_SECRETS_PATH defines the default path to look for mounted secrets in Docker or K8s.

Variables

This section is empty.

Functions

func ExportToEnvironment

func ExportToEnvironment(keys []string, manager SecretsManager)

ExportToEnvironment will export secrets identified by given keys to environment variables.

Types

type DockerSecretsManager

type DockerSecretsManager struct {
	// contains filtered or unexported fields
}

DockerSecretsManager will read secrets from files mounted by Docker or K8s.

func (*DockerSecretsManager) Obtain

func (s *DockerSecretsManager) Obtain(key string) (*string, error)

Obtain will try to read secrets from mounted secrets files.

type EnvironmentSecretsManager

type EnvironmentSecretsManager struct {
}

EnvironmentSecretsManager will read secrets from environment variables.

func (*EnvironmentSecretsManager) Obtain

func (s *EnvironmentSecretsManager) Obtain(key string) (*string, error)

Obtain will try to read a secrets from environment variable defined by passed key.

type FileSecretsManager added in v1.1.0

type FileSecretsManager struct {
	// contains filtered or unexported fields
}

FileSecretsManager reads secrets from defined file. Secrets have to be added as key:value pair in this credentials file.

func (*FileSecretsManager) Obtain added in v1.1.0

func (s *FileSecretsManager) Obtain(key string) (*string, error)

Obtain will try to read secret from defined credentials file. Expects secrets as a key:value pair, separator is ":", where secrets value is base64 encoded.

type SecretNotFoundError added in v1.1.1

type SecretNotFoundError struct {
	// contains filtered or unexported fields
}

SecretNotFoundError is returned when a requested secret key does not exist in the underlying secrets source.

func (*SecretNotFoundError) Error added in v1.1.1

func (e *SecretNotFoundError) Error() string

Error implements the error interface.

type SecretsManager

type SecretsManager interface {

	// Obtain will try to read a secret for given key.
	Obtain(key string) (*string, error)
}

SecretsManager is a generic interface to read secrets from different sources.

func NewDockerSecretsManager added in v1.1.5

func NewDockerSecretsManager(secretsPath string) SecretsManager

NewDockerSecretsManager returns a new secrets manager for Docker or K8s.

func NewDockerecretsManager deprecated

func NewDockerecretsManager(secretsPath string) SecretsManager

NewDockerecretsManager is deprecated: use NewDockerSecretsManager instead.

Deprecated: Use NewDockerSecretsManager.

func NewFileSecretsManager added in v1.1.0

func NewFileSecretsManager(fileName string) SecretsManager

NewFileSecretsManager returns a new secrets manager for the given credentials file. A leading ~/ in the path is expanded to the current user's home directory.

func NewSecretsManager

func NewSecretsManager() SecretsManager

NewSecretsManager returns a new default secrets manager, which will read secrets from environment variables.

func NewSecretsManagerByConfig

func NewSecretsManagerByConfig(conf config.Config) SecretsManager

NewSecretsManagerByConfig will create a new secrets manager by given config. If there's no config values for secrets, a default secrets manager will be returned.

func NewStaticSecretsManager

func NewStaticSecretsManager(secrets map[string]string) SecretsManager

NewStaticSecretsManager returns a secrets manager which contains passed secrets. Useful e.g. for testing.

type StaticSecretsManager

type StaticSecretsManager struct {
	// contains filtered or unexported fields
}

StaticSecretsManager will manage secrets by internal map.

func (*StaticSecretsManager) Clear added in v1.1.6

func (s *StaticSecretsManager) Clear()

Clear removes all secrets from the internal map to minimize secret lifetime in memory.

func (*StaticSecretsManager) Obtain

func (s *StaticSecretsManager) Obtain(key string) (*string, error)

Obtain will try to get a secrets from internal map by given key.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL