Skip to content

Go pkg for hydrating struct secrets from Cloud secret managers

License

Notifications You must be signed in to change notification settings

0xsequence/go-cloudsecrets

Repository files navigation

go-cloudsecrets

Go package for hydrating config secrets from Cloud secret providers:

  • "gcp" GCP Secret Manager
  • "aws" AWS Secrets Manager
  • "" no provider (errors out on any $SECRET: value)
err := cloudsecrets.Hydrate(ctx, "gcp", &cfg)

The Hydrate() function recursively walks given cfg and replaces all fields matching "$SECRET:{key}" string format with a value fetched from Cloud provider.

All referenced secret keys are de-duplicated and fetched only once.

The Hydrate() function tries to replace all fields before returning any error(s). This means that the given struct might be partially hydrated.

Usage

import "github.com/0xsequence/go-cloudsecrets/cloudsecrets"

var cfg = config.Config{
	DB: &config.DB{
		Database: "postgres",
		Host:     "localhost:5432",
		Username: "sequence",
		Password: "$SECRET:dbPassword", // will be hydrated (replaced by value of "dbPassword" secret)
	},
}

func main() {
	err := cloudsecrets.Hydrate(context.Background(), "gcp", &cfg)
	if err != nil {
		log.Fatalf("failed to hydrate config secrets: %v", err)
	}

	// cfg.DB.Password now contains value of latest "dbPassword" GCP secret
}

License

MIT

About

Go pkg for hydrating struct secrets from Cloud secret managers

Resources

License

Stars

Watchers

Forks

Packages

No packages published