The library provides the following crates:
The library provides native support for secrets coming into your application from external sources:
- Google Cloud Secret Manager
- Amazon Secrets Manager
Cargo.toml:
```toml
[dependencies]
secret-vault = { version = "0.4.<x>", features=["..."] }
secret-vault-type = { version = "0.1.<x>", features=["..."] }
```
See the security considerations below about versioning.
Available features:
- `gcloud-secretmanager` for Google Secret Manager support
- `aws-secretmanager` for Amazon Secret Manager support
- `encrypted-ring` for encryption support
- `gcloud-kms-encryption` for Google KMS envelope encryption support
- `serde` for serde serialization support
- `prost` for protobuf serialization support

```rust
use secret_vault::*;

// Entry point added so the snippet compiles as a program; the crate is async,
// so a tokio runtime is assumed here.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Describing secrets and marking them non-required
    // since this is only an example and they don't exist in your project
    let secret1 = SecretVaultRef::new("test-secret1".into()).with_required(false);
    let secret2 = SecretVaultRef::new("test-secret2".into())
        .with_secret_version("1".into())
        .with_required(false);

    // Building the vault: Google Secret Manager as the source,
    // with in-memory AEAD encryption of the stored values via ring
    let mut vault = SecretVaultBuilder::with_source(
        gcp::GoogleSecretManagerSource::new(&config_env_var("PROJECT_ID")?).await?,
    )
    .with_encryption(ring_encryption::SecretVaultRingAeadEncryption::new()?)
    .build()?;

    // Registering your secrets and receiving them from the source
    vault
        .register_secrets_refs(vec![&secret1, &secret2])
        .refresh()
        .await?;

    // Reading the secret values
    let secret: Option<Secret> = vault.get_secret_by_ref(&secret1).await?;
    println!("Received secret: {:?}", secret);

    // Using the Viewer API to share only methods able to read secrets
    let vault_viewer = vault.viewer();
    vault_viewer.get_secret_by_ref(&secret2).await?;

    Ok(())
}
```
To run this example, set the environment variable the code reads (your Google Cloud project id):
```
PROJECT_ID=<your-gcp-project-id>
```
All examples are available in the secret-vault/examples directory.
Open source code is created through voluntary collaboration of software developers. The original authors license the code so that anyone can see it, modify it, and distribute new versions of it. You should manage all OSS using the same procedures and tools that you use for commercial products. As always, train your employees on cyber security best practices that can help them securely use and manage software products. You should not rely solely on individuals, especially for projects like this one that read sensitive information.
Please don't use broad version requirements in your dependency management, so that a new version of a dependency is not pulled in automatically without your auditing the changes.
Don't expose all of your secrets to the apps. Use IAM and different service accounts to grant access only on an as-needed basis.
There are still allocations on the protocol layers, a session secret key is available in memory, privileged users on the OS still have broad access, etc. So don't consider this a completely safe solution against all possible attacks. Mitigating some of these attacks is not possible without additional support at the hardware/OS level (such as Intel SGX, for instance).
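The memory-residency caveat above is the reason secret wrapper types zeroize on drop and refuse to print themselves. The following is an added example, not code from the secret-vault project or its author: a hypothetical, simplified `SecretValue` stand-in (an assumed design; the crate's own `secret-vault-type` is not used here) that scrubs its buffer with volatile writes when dropped and renders as `[REDACTED]` under `{:?}`. It does not remove the residual risks listed (a privileged OS user can still read process memory, and the bytes exist in plaintext while exposed), but it narrows the window during which plaintext sits on the heap and keeps it out of log lines.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros using volatile stores, so the optimizer
/// cannot drop the writes as dead just because the buffer is about to be freed.
pub fn zeroize(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        // SAFETY: `byte` is a valid, uniquely borrowed element of `buf`.
        unsafe { std::ptr::write_volatile(byte, 0) };
    }
    // Keep the compiler from reordering later code ahead of the stores.
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical stand-in for a secret value type (assumed design, not the
/// crate's code): owns the bytes, refuses to print them, scrubs them on drop.
pub struct SecretValue {
    bytes: Vec<u8>,
}

impl SecretValue {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretValue { bytes }
    }

    /// Reading the plaintext is a deliberate, greppable act at the call site.
    pub fn expose_secret(&self) -> &[u8] {
        &self.bytes
    }

    /// Length is metadata that is safe to reveal (no plaintext involved).
    pub fn len(&self) -> usize {
        self.bytes.len()
    }
}

/// Redacted rendering, so `{:?}` in a log line never leaks the plaintext.
impl fmt::Debug for SecretValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretValue([REDACTED])")
    }
}

/// Scrub the buffer before the allocation is returned to the allocator.
impl Drop for SecretValue {
    fn drop(&mut self) {
        zeroize(&mut self.bytes);
    }
}

/// Use a secret only for as long as it is needed (e.g. to build an
/// authorization header), then drop the wrapper so it gets zeroized.
pub fn with_secret<R>(secret: SecretValue, f: impl FnOnce(&[u8]) -> R) -> R {
    let out = f(secret.expose_secret());
    drop(secret); // buffer is zeroized here
    out
}

/// Debug rendering as a String, so callers can verify nothing leaks.
pub fn debug_render(secret: &SecretValue) -> String {
    format!("{:?}", secret)
}

fn main() {
    // Constructed sample value; not a real credential.
    let secret = SecretValue::new(b"example-api-token-123".to_vec());
    println!("logged as {:?} ({} bytes)", secret, secret.len());
    let header = with_secret(secret, |bytes| {
        format!("Bearer {}", String::from_utf8_lossy(bytes))
    });
    println!("header built ({} bytes); wrapper dropped and scrubbed", header.len());
}
```

The `with_secret` helper is the usage shape to aim for: the plaintext is borrowed for one closure and the owning wrapper is dropped immediately afterwards, rather than being cloned into a `String` that lives for the rest of the request.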
A comparison of read performance between the encrypted and non-encrypted vault:
```
read-secrets-perf-simple-vault     time: [126.47 ns 126.70 ns 126.99 ns]
read-secrets-perf-encrypted-vault  time: [292.15 ns 292.97 ns 293.95 ns]
```
Apache Software License (ASL)
Abdulla Abdurakhmanov