Documentation ¶
Overview ¶
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions to interact with basic /auth endpoints
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions to interact with basic /auth/approle endpoints
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Authentication method for using a token file that stores a Vault token
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions to interact with basic /auth/token endpoints
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Implements a http.Transport for authentication
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions to interact with basic kv2 engines
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions/types for options on the Vault client
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions to interact with basic /sys endpoints
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: Stores functions to interact with basic /sys/policy endpoints
Copyright 2021 Outreach Corporation. All Rights Reserved.
Description: This file is the entrypoint for the vault-client library.
Package vault_client implements a client for interacting with a HashiCorp Vault server (authentication, KV v2 secrets, transit encryption and basic /sys administration).
Index ¶
- func NewTransport(tr http.RoundTripper, am AuthMethod) http.RoundTripper
- func WithEnv(opts *Options)
- type ApproleAuthMethod
- type ApproleLoginResponse
- type AuthMethod
- type Client
- func (c *Client) ApproleLogin(ctx context.Context, roleID, secretID cfg.SecretData) (*ApproleLoginResponse, error)
- func (c *Client) CreateApprole(ctx context.Context, opts *CreateApproleOptions) error
- func (c *Client) CreateApproleSecretID(ctx context.Context, name string) (*CreateApproleSecretIDResponse, error)
- func (c *Client) CreateAuthMethod(ctx context.Context, opts *CreateAuthMethodOptions) error
- func (c *Client) CreateEngine(ctx context.Context, mountPath string, opts *CreateEngineOptions) error
- func (c *Client) CreateKV2Secret(ctx context.Context, engine, keyPath string, secretData map[string]interface{}) error
- func (c *Client) CreatePolicy(ctx context.Context, name, policy string) error
- func (c *Client) GetApproleRoleID(ctx context.Context, name string) (cfg.SecretData, error)
- func (c *Client) GetKV2Secret(ctx context.Context, engine, keyPath string) (*KV2Secret, error)
- func (c *Client) Health(ctx context.Context) (*HealthResponse, error)
- func (c *Client) Initialize(ctx context.Context, opts *InitializeOptions) (*InitializeResponse, error)
- func (c *Client) ListKV2Secrets(ctx context.Context, engine, keyPath string) ([]string, error)
- func (c *Client) LookupCurrentToken(ctx context.Context) (*LookupTokenResponse, error)
- func (c *Client) LookupToken(ctx context.Context, token cfg.SecretData) (*LookupTokenResponse, error)
- func (c *Client) TransitBatchDecrypt(ctx context.Context, key string, in []string) ([][]byte, error)
- func (c *Client) TransitDecrypt(ctx context.Context, key string, in []byte) ([]byte, error)
- func (c *Client) TransitEncrypt(ctx context.Context, key string, in []byte) ([]byte, error)
- func (c *Client) UpdateKV2Secret(ctx context.Context, engine, keyPath string, secretData map[string]interface{}) error
- type CreateApproleOptions
- type CreateApproleSecretIDResponse
- type CreateAuthMethodOptions
- type CreateEngineOptions
- type ErrorResponse
- type HealthResponse
- type InitializeOptions
- type InitializeResponse
- type KV2Secret
- type LookupTokenResponse
- type Options
- type Opts
- type TokenAuthMethod
- type TokenFileAuthMethod
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewTransport ¶
func NewTransport(tr http.RoundTripper, am AuthMethod) http.RoundTripper
NewTransport returns an http.RoundTripper that wraps tr, obtains a Vault token from am (refreshing it automatically when it expires) and includes that token on each request it sends.
The provided tr http.RoundTripper should be shared between multiple clients to ensure reuse of underlying TCP connections.
The returned Transport's RoundTrip method is safe to be used concurrently. (The source suppresses a gocritic lint on this function so that the credentials are passed in a way that prevents them from being modified.)
Types ¶
type ApproleAuthMethod ¶
// ApproleAuthMethod is an AuthMethod that authenticates to Vault with an
// approle role_id/secret_id pair (see NewApproleAuthMethod) and hands out the
// resulting token through GetToken.
type ApproleAuthMethod struct {
	// contains filtered or unexported fields
}
ApproleAuthMethod implements an AuthMethod backed by an approle (a role_id/secret_id pair).
func NewApproleAuthMethod ¶
func NewApproleAuthMethod(roleID, secretID cfg.SecretData) *ApproleAuthMethod
NewApproleAuthMethod returns a new ApproleAuthMethod based on the provided roleID and secretID.
func (*ApproleAuthMethod) GetToken ¶
func (a *ApproleAuthMethod) GetToken(ctx context.Context) (cfg.SecretData, time.Time, error)
GetToken returns a token for the current approle
func (*ApproleAuthMethod) Options ¶
func (a *ApproleAuthMethod) Options(o *Options)
type ApproleLoginResponse ¶
// ApproleLoginResponse is the response body returned by Client.ApproleLogin.
type ApproleLoginResponse struct {
	Auth struct {
		// LeaseDuration is how long this token lives for, in seconds.
		LeaseDuration int `json:"lease_duration"`
		// Accessor is an accessor that can be used to look up this token
		// without holding the token itself.
		Accessor string `json:"accessor"`
		// ClientToken is the actual token. It is typed as cfg.SecretData so
		// that it is treated as secret material rather than a plain string.
		ClientToken cfg.SecretData `json:"client_token"`
		// TokenPolicies is the list of policies attached to this token.
		TokenPolicies []string `json:"token_policies"`
	} `json:"auth"`
}
ApproleLoginResponse is a response returned by ApproleLogin
type AuthMethod ¶
// AuthMethod is an authentication method a Vault client can use to obtain
// the token it sends with requests (see NewTransport).
type AuthMethod interface {
	// GetToken returns the token to use when talking to Vault together with
	// the time at which that token expires; the transport uses expiresAt to
	// decide when to ask for a fresh token.
	GetToken(ctx context.Context) (token cfg.SecretData, expiresAt time.Time, err error)

	// Options is handed the current client options. This is useful for auth
	// methods that need an underlying Vault client to function.
	Options(*Options)
}
AuthMethod is an authentication method that can be used by a Vault client.
func NewTokenFileAuthMethod ¶
func NewTokenFileAuthMethod(file *string) AuthMethod
NewTokenFileAuthMethod returns an AuthMethod backed by a file that contains a Vault token. If file is nil, the default Vault token file is used.
Note: the token is re-read from the file when it expires, but nothing currently renews the token for you; if the token stored in the file has itself expired, re-reading it will not restore access until the file is updated with a fresh token.
type Client ¶
// Client is a Vault client. Construct it with New and configure it through
// Opts (for example WithEnv, WithAddress, WithTokenAuth or WithApproleAuth);
// a client created with no options is non-functional (see New).
type Client struct {
	// contains filtered or unexported fields
}
Client is a Vault client
func New ¶
New creates a new Vault client. Without any options it is non-functional: the address and authentication must be supplied through Opts such as WithEnv, WithAddress, WithTokenAuth, WithApproleAuth or WithTokenFileAuth. Most likely it will be consumed like so:
vault_client.New(vault_client.WithEnv)
func (*Client) ApproleLogin ¶
func (c *Client) ApproleLogin(ctx context.Context, roleID, secretID cfg.SecretData) (*ApproleLoginResponse, error)
ApproleLogin creates a new Vault token (the value normally carried in VAULT_TOKEN) using the provided approle credentials; the token is returned in ApproleLoginResponse.Auth.ClientToken.
func (*Client) CreateApprole ¶
func (c *Client) CreateApprole(ctx context.Context, opts *CreateApproleOptions) error
CreateApprole creates a new approle in Vault
func (*Client) CreateApproleSecretID ¶
func (c *Client) CreateApproleSecretID(ctx context.Context, name string) (*CreateApproleSecretIDResponse, error)
CreateApproleSecretID creates a new secret_id for the given approle. The returned SecretID is a login credential (paired with the role-id from GetApproleRoleID it can be used with ApproleLogin) and should be handled as such.
func (*Client) CreateAuthMethod ¶
func (c *Client) CreateAuthMethod(ctx context.Context, opts *CreateAuthMethodOptions) error
CreateAuthMethod creates a new auth method on the given path
func (*Client) CreateEngine ¶
func (c *Client) CreateEngine(ctx context.Context, mountPath string, opts *CreateEngineOptions) error
CreateEngine creates a new engine (mount) in Vault at mountPath.
func (*Client) CreateKV2Secret ¶
func (c *Client) CreateKV2Secret(ctx context.Context, engine, keyPath string, secretData map[string]interface{}) error
CreateKV2Secret creates a new KV2Secret or updates it if it already exists.
func (*Client) CreatePolicy ¶
CreatePolicy creates a new policy
func (*Client) GetApproleRoleID ¶
GetApproleRoleID returns the role-id for a given approle
func (*Client) GetKV2Secret ¶
GetKV2Secret returns a KV2 Secret.
For example, to read the secret stored at `deploy/my/cool/secret`, call `c.GetKV2Secret("deploy", "my/cool/secret")`.
func (*Client) Health ¶
func (c *Client) Health(ctx context.Context) (*HealthResponse, error)
Health returns the current health, or "status", of a Vault cluster
func (*Client) Initialize ¶
func (c *Client) Initialize(ctx context.Context, opts *InitializeOptions) (*InitializeResponse, error)
Initialize initializes a Vault cluster. The returned InitializeResponse carries the unseal keys, any recovery keys and the root token; these are the most sensitive values Vault ever returns and must be stored securely rather than logged.
func (*Client) ListKV2Secrets ¶ added in v1.10.0
ListKV2Secrets lists the keys found under keyPath in the given KV2 engine.
func (*Client) LookupCurrentToken ¶
func (c *Client) LookupCurrentToken(ctx context.Context) (*LookupTokenResponse, error)
LookupCurrentToken looks up the currently active token (self) and returns information about it.
func (*Client) LookupToken ¶
func (c *Client) LookupToken(ctx context.Context, token cfg.SecretData) (*LookupTokenResponse, error)
LookupToken looks up the provided token and returns information about it
func (*Client) TransitBatchDecrypt ¶ added in v1.8.0
func (c *Client) TransitBatchDecrypt(ctx context.Context, key string, in []string) ([][]byte, error)
TransitBatchDecrypt takes a slice of ciphertext values to be decrypted with the named transit key and returns the corresponding slice of plaintexts, in the same order.
func (*Client) TransitDecrypt ¶ added in v1.8.0
TransitDecrypt takes ciphertext data to be decrypted and returns the corresponding plaintext.
func (*Client) TransitEncrypt ¶ added in v1.8.0
TransitEncrypt takes plaintext data to be encrypted and returns the corresponding ciphertext.
type CreateApproleOptions ¶
// CreateApproleOptions are the options passed to Client.CreateApprole.
// Docs: https://www.vaultproject.io/api/auth/approle#parameters
type CreateApproleOptions struct {
	// Name is the name of the approle to create. It forms part of the
	// request path and is therefore not serialized into the body.
	Name string `json:"-"`
	// TokenTTL is the TTL of tokens issued for this role.
	TokenTTL string `json:"token_ttl,omitempty"`
	// TokenMaxTTL is the maximum TTL of tokens issued for this role.
	TokenMaxTTL string `json:"token_max_ttl,omitempty"`
	// TokenPolicies are the policies attached to tokens issued for this role.
	TokenPolicies []string `json:"token_policies,omitempty"`
	// Period makes issued tokens periodic.
	Period int `json:"period,omitempty"`
	// BindSecretID controls whether a secret_id is required to log in.
	// NOTE(review): because of omitempty a false value is never sent, so
	// the server-side default applies in that case; only true is
	// transmitted explicitly.
	BindSecretID bool `json:"bind_secret_id,omitempty"`
}
CreateApproleOptions are options to provide to CreateApprole, docs: https://www.vaultproject.io/api/auth/approle#parameters
type CreateApproleSecretIDResponse ¶
// CreateApproleSecretIDResponse is the secret_id created by
// Client.CreateApproleSecretID.
// Docs: https://www.vaultproject.io/api/auth/approle#sample-response-4
type CreateApproleSecretIDResponse struct {
	// SecretIDAccessor identifies this secret_id without revealing it.
	SecretIDAccessor string `json:"secret_id_accessor"`
	// SecretID is the credential itself; it is typed as cfg.SecretData so
	// that it is handled as secret material.
	SecretID cfg.SecretData `json:"secret_id"`
	// SecretIDTTL is the TTL of this secret_id, in seconds.
	SecretIDTTL int `json:"secret_id_ttl"`
}
CreateApproleSecretIDResponse is a new secret_id created by CreateApproleSecretID. See docs here: https://www.vaultproject.io/api/auth/approle#sample-response-4
type CreateAuthMethodOptions ¶
// CreateAuthMethodOptions are the options passed to Client.CreateAuthMethod.
type CreateAuthMethodOptions struct {
	// Path is the path this auth method is mounted on. It is part of the
	// request path, not the body; when empty, Type is used instead.
	Path string `json:"-"`
	// Description is an optional, human-readable description of this auth method.
	Description string `json:"description,omitempty"`
	// Type is the type of auth method to create. Required.
	// Options: https://www.vaultproject.io/api-docs/system/auth#type
	Type string `json:"type,omitempty"`
	// Config holds auth-method-specific options, see:
	// https://www.vaultproject.io/api-docs/system/auth#config
	Config map[string]interface{} `json:"config,omitempty"`
}
CreateAuthMethodOptions are options for creating an auth method with CreateAuthMethod
type CreateEngineOptions ¶
// CreateEngineOptions are the options used when creating a new engine
// (sometimes called a mount) with Client.CreateEngine.
type CreateEngineOptions struct {
	// Description is an optional, human-readable description of this engine.
	Description string `json:"description,omitempty"`
	// Type is the type of engine to create. Required.
	// Options: https://www.vaultproject.io/api-docs/system/mounts#type
	Type string `json:"type,omitempty"`
	// Config holds engine-specific mount configuration, see:
	// https://www.vaultproject.io/api-docs/system/mounts#config
	Config map[string]interface{} `json:"config,omitempty"`
	// Options are options specific to the given engine, see:
	// https://www.vaultproject.io/api-docs/system/mounts#options
	Options map[string]interface{} `json:"options,omitempty"`
}
CreateEngineOptions are options to use when creating a new engine (sometimes called a mount)
type ErrorResponse ¶
// ErrorResponse is the body Vault returns when a request fails.
type ErrorResponse struct {
	// Errors lists the errors Vault encountered while processing the request.
	Errors []string `json:"errors"`
}
ErrorResponse is returned when an error occurs
type HealthResponse ¶
// HealthResponse is the response returned by Client.Health.
// Docs: https://www.vaultproject.io/api/system/health#sample-response
type HealthResponse struct {
	// Initialized reports whether the cluster has been initialized.
	Initialized bool `json:"initialized"`
	// Sealed reports whether this node is sealed.
	Sealed bool `json:"sealed"`
	// Standby reports whether this node is a standby.
	Standby bool `json:"standby"`
	// PerformanceStandby reports whether this node is a performance standby.
	PerformanceStandby bool `json:"performance_standby"`
	// ReplicationPerfMode is the performance replication mode of this node.
	ReplicationPerfMode string `json:"replication_perf_mode"`
	// ReplicationDrMode is the disaster-recovery replication mode of this node.
	ReplicationDrMode string `json:"replication_dr_mode"`
	// ServerTimeUtc is the server's time as reported by Vault.
	ServerTimeUtc int `json:"server_time_utc"`
	// Version is the Vault server version.
	Version string `json:"version"`
	// ClusterName is the name of the cluster.
	ClusterName string `json:"cluster_name"`
	// ClusterID is the identifier of the cluster.
	ClusterID string `json:"cluster_id"`
}
HealthResponse is a response returned by Health. Docs: https://www.vaultproject.io/api/system/health#sample-response
type InitializeOptions ¶
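// InitializeOptions are the options provided to Client.Initialize.
//
// The rendered declaration had lost the SecretShares field name (it appeared
// after the closing brace, leaving an anonymous embedded int); this restores
// the intended field.
type InitializeOptions struct {
	// SecretShares is the number of secret (unseal) shares to generate.
	SecretShares int `json:"secret_shares"`
	// SecretThreshold is how many of the secret shares must be provided
	// to be able to unseal the Vault. This must not be more than SecretShares.
	SecretThreshold int `json:"secret_threshold"`
	// RecoveryShares is the number of recovery shares to generate.
	// This is only required when Vault is in auto-unseal mode.
	RecoveryShares int `json:"recovery_shares,omitempty"`
	// RecoveryThreshold is how many of the recovery shares must be provided for
	// an operation that requires the recovery key.
	RecoveryThreshold int `json:"recovery_threshold,omitempty"`
}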
InitializeOptions are the options to be provided to Initialize()
type InitializeResponse ¶
// InitializeResponse is the response from Client.Initialize.
//
// NOTE(review): unlike ApproleLoginResponse.Auth.ClientToken, every field here
// is a plain string rather than cfg.SecretData, so the unseal keys and root
// token will appear verbatim if this struct is logged or printed. Handle it
// with care.
type InitializeResponse struct {
	// Keys are the unseal keys returned by the initialization call.
	Keys []string `json:"keys"`
	// RecoveryKeys are the recovery keys returned by initialization.
	// They are only present when the underlying Vault configuration is
	// set up to be auto-unsealed.
	RecoveryKeys []string `json:"recovery_keys"`
	// RootToken is the Vault root token returned by the initialization call.
	RootToken string `json:"root_token"`
}
InitializeResponse is the response from Initialize()
type KV2Secret ¶
// KV2Secret is a secret read from a KV v2 engine (see Client.GetKV2Secret).
type KV2Secret struct {
	Metadata struct {
		// CreatedTime is when this version of the secret was created.
		CreatedTime string `json:"created_time"`
		// DeletionTime is the deletion timestamp Vault recorded for this
		// version (empty when none is set).
		// NOTE(review): the Vault KV v2 API distinguishes deleting a version
		// from destroying it; confirm which event this field records.
		DeletionTime string `json:"deletion_time"`
		// Destroyed denotes whether this version has been destroyed.
		Destroyed bool `json:"destroyed"`
		// Version is the current version (revision) of this secret.
		Version int `json:"version"`
	} `json:"metadata"`
	// Data holds the key/value pairs that make up this secret. The values are
	// plain interface{} values, not cfg.SecretData, so callers are responsible
	// for not logging them.
	Data map[string]interface{} `json:"data"`
}
KV2Secret is a secret from a KV2 engine
type LookupTokenResponse ¶
// LookupTokenResponse is the response returned by Client.LookupToken and
// Client.LookupCurrentToken.
// Docs: https://www.vaultproject.io/api/auth/token#sample-response-2
//
// NOTE(review): ID carries the token itself as a plain string (not
// cfg.SecretData); avoid logging this struct wholesale.
type LookupTokenResponse struct {
	// Accessor can be used to refer to this token without holding it.
	Accessor string `json:"accessor"`
	// CreationTime is when the token was created.
	CreationTime int `json:"creation_time"`
	// CreationTTL is the TTL the token was created with.
	CreationTTL int `json:"creation_ttl"`
	// DisplayName is the token's display name.
	DisplayName string `json:"display_name"`
	// EntityID is the identity entity associated with the token, if any.
	EntityID string `json:"entity_id"`
	// ExpireTime is when the token expires.
	ExpireTime time.Time `json:"expire_time"`
	// ExplicitMaxTTL is the explicit maximum TTL set on the token.
	ExplicitMaxTTL int `json:"explicit_max_ttl"`
	// ID is the token itself.
	ID string `json:"id"`
	// IdentityPolicies are the policies attached through the token's identity.
	IdentityPolicies []string `json:"identity_policies"`
	// IssueTime is when the token was issued (kept as the raw string Vault sends).
	IssueTime string `json:"issue_time"`
	// Meta holds the token's metadata.
	Meta struct {
		Username string `json:"username"`
	} `json:"meta"`
	// NumUses is the number of remaining uses of the token.
	NumUses int `json:"num_uses"`
	// Orphan reports whether the token has no parent.
	Orphan bool `json:"orphan"`
	// Path is the path the token was created at.
	Path string `json:"path"`
	// Policies are the policies attached directly to the token.
	Policies []string `json:"policies"`
	// Renewable reports whether the token can be renewed.
	Renewable bool `json:"renewable"`
	// TTL is the remaining TTL of the token, in seconds.
	TTL int `json:"ttl"`
}
LookupTokenResponse is the response returned by LookupToken, docs: https://www.vaultproject.io/api/auth/token#sample-response-2
type Options ¶
// Options are the options associated with a Vault client. They are built up
// by applying Opts functions (WithAddress, WithTokenAuth, ...) in New.
type Options struct {
	// Host is the host (address) of the Vault instance to talk to.
	Host string
	// contains filtered or unexported fields
}
Options are options associated with a Vault client
type Opts ¶
// Opts is a functional option for use with New(). The package provides
// WithAddress, WithApproleAuth, WithEnv, WithOptions, WithTokenAuth and
// WithTokenFileAuth.
type Opts func(*Options)
Opts is an functional option for use with New()
func WithAddress ¶
WithAddress sets the host to use when talking to Vault on a Client
func WithApproleAuth ¶
func WithApproleAuth(roleID, secretID cfg.SecretData) Opts
WithApproleAuth sets up approle authentication on a Client
func WithOptions ¶
WithOptions combines the provided Options with the client's existing Options.
func WithTokenAuth ¶
func WithTokenAuth(token cfg.SecretData) Opts
WithTokenAuth sets up token authentication on a Client
func WithTokenFileAuth ¶
WithTokenFileAuth sets up token-file authentication (see NewTokenFileAuthMethod) on a Client.
type TokenAuthMethod ¶
// TokenAuthMethod is an AuthMethod backed by a single static Vault token
// supplied at construction time (see NewTokenAuthMethod); GetToken always
// returns that token.
type TokenAuthMethod struct {
	// contains filtered or unexported fields
}
TokenAuthMethod implements an AuthMethod backed by a static authentication token.
func NewTokenAuthMethod ¶
func NewTokenAuthMethod(token cfg.SecretData) *TokenAuthMethod
NewTokenAuthMethod returns a new TokenAuthMethod with the given token
func (*TokenAuthMethod) GetToken ¶
func (a *TokenAuthMethod) GetToken(ctx context.Context) (cfg.SecretData, time.Time, error)
GetToken returns the static token while implementing AuthMethod.GetToken()
func (*TokenAuthMethod) Options ¶
func (*TokenAuthMethod) Options(*Options)
type TokenFileAuthMethod ¶
// TokenFileAuthMethod is an AuthMethod backed by a Vault token stored in a
// file (see NewTokenFileAuthMethod). The file is re-read when the token
// expires, but the token is not renewed.
type TokenFileAuthMethod struct {
	// contains filtered or unexported fields
}
TokenFileAuthMethod implements an AuthMethod backed by a Vault token read from a file (see NewTokenFileAuthMethod).
func (*TokenFileAuthMethod) GetToken ¶
func (a *TokenFileAuthMethod) GetToken(ctx context.Context) (cfg.SecretData, time.Time, error)
GetToken returns the token read from the backing file (re-reading the file once the previously returned token has expired) while implementing AuthMethod.GetToken().
func (*TokenFileAuthMethod) Options ¶
func (*TokenFileAuthMethod) Options(*Options)