kvcert

package module v1.0.1
Published: Feb 5, 2020 License: BSD-3-Clause Imports: 13 Imported by: 0

README

GO-KEYVAULT-CERT


go-keyvault-cert is an easy-to-use wrapper around azure-sdk-for-go that allows you to fetch a certificate and key from Azure Key Vault. go-keyvault-cert is ideal for fetching a certificate and key from Azure Key Vault and loading the certificate into your Go application's HTTP server to facilitate TLS to your app/api.

Usage

go get github.com/jfarleyx/go-keyvault-cert

go-keyvault-cert is really easy to use. The simplest way to get started is to use Azure client credentials provided as environment variables. The following environment variables and their associated values are required:

AZURE_TENANT_ID: an Azure tenant ID

AZURE_CLIENT_ID: an Azure client ID

AZURE_CLIENT_SECRET: an Azure client secret

Note: The designated Azure client must have the following permissions to Azure Key Vault:

  • Certificate permissions: Get & List
  • Secret permissions: Get

The environment variables are read by the azure-sdk-for-go when you call the AuthorizeFromEnvironment() method in kvcert.

Here is a simple example of using go-keyvault-cert to fetch a cert & key from AKV and use it in an HTTP server. The environment variables KEY_VAULT_NAME & KEY_VAULT_CERT_NAME are used for example purposes only; you can pass string literals in place of those two environment variables.

package main

import (
	"context"
	"crypto/tls"
	"log"
	"net/http"
	"os"

	"github.com/jfarleyx/go-keyvault-cert"
)

func main() {
	// Create new key vault certificate object that will be used to fetch certificate
	akv := kvcert.New(os.Getenv("KEY_VAULT_NAME"))

	// Authorize access to Azure Key Vault utilizing environment variables mentioned above.
	err := akv.AuthorizeFromEnvironment()
	if err != nil {
		log.Fatalf("Error attempting to authorize azure key vault: %v", err)
	}

	ctx := context.Background()

	// Fetch certificate from Azure Key Vault
	kvCert, err := akv.GetCertificate(ctx, os.Getenv("KEY_VAULT_CERT_NAME"))
	if err != nil {
		log.Fatalf("Error attempting to fetch certificate: %v", err)
	}

	// Convert cert & key PEM bytes to an X.509 key pair
	x509Cert, err := tls.X509KeyPair(kvCert.Cert, kvCert.Key)
	if err != nil {
		log.Fatalf("Unable to create x509 Key Pair from Key Vault Certificate: %v", err)
	}

	// Add the key pair to the TLS configuration
	config := &tls.Config{
		Certificates: []tls.Certificate{x509Cert},
	}

	// Add TLS configuration to the HTTP server
	server := &http.Server{
		Addr:      ":44366",
		TLSConfig: config,
	}

	// Empty cert/key file paths: the certificate comes from TLSConfig, not from disk
	log.Fatal(server.ListenAndServeTLS("", ""))
}

Documentation

Overview

Package kvcert is a simple utility that utilizes the azure-sdk-for-go to fetch a Certificate from Azure Key Vault. The certificate can then be used in your Go web server to support TLS communication.

A trivial example is below. This example uses the following environment variables:

KEY_VAULT_NAME: name of your Azure Key Vault

KEY_VAULT_CERT_NAME: name of your certificate in Azure Key Vault

AZURE_TENANT_ID: azure tenant id (not visible in example, but required by azure-sdk-for-go)

AZURE_CLIENT_ID: azure client id (not visible in example, but required by azure-sdk-for-go)

AZURE_CLIENT_SECRET: azure client secret (not visible in example, but required by azure-sdk-for-go)

package main

import (
	"context"
	"crypto/tls"
	"log"
	"net/http"
	"os"

	"github.com/jfarleyx/go-keyvault-cert"
)

func main() {
	// Create new key vault certificate object that will be used to fetch certificate
	akv := kvcert.New(os.Getenv("KEY_VAULT_NAME"))

	// Authorize access to Azure Key Vault utilizing environment variables mentioned above.
	err := akv.AuthorizeFromEnvironment()
	if err != nil {
		log.Fatalf("Error attempting to authorize azure key vault: %v", err)
	}

	ctx := context.Background()

	// Fetch certificate from Azure Key Vault
	kvCert, err := akv.GetCertificate(ctx, os.Getenv("KEY_VAULT_CERT_NAME"))
	if err != nil {
		log.Fatalf("Error attempting to fetch certificate: %v", err)
	}

	// Convert cert & key PEM bytes to an X.509 key pair
	x509Cert, err := tls.X509KeyPair(kvCert.Cert, kvCert.Key)
	if err != nil {
		log.Fatalf("Unable to create x509 Key Pair from Key Vault Certificate: %v", err)
	}

	// Add the key pair to the TLS configuration
	config := &tls.Config{
		Certificates: []tls.Certificate{x509Cert},
	}

	// Add TLS configuration to the HTTP server
	server := &http.Server{
		Addr:      ":44366",
		TLSConfig: config,
	}

	// Empty cert/key file paths: the certificate comes from TLSConfig, not from disk
	log.Fatal(server.ListenAndServeTLS("", ""))
}

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AzureKeyVault

type AzureKeyVault struct {
	// VaultName is the name of the Azure Key Vault.
	VaultName string
	// contains filtered or unexported fields
}

AzureKeyVault is a Key Vault client that facilitates connecting to and communicating with an Azure Key Vault instance.

func New

func New(vaultName string) *AzureKeyVault

New creates and returns a new kvcert.AzureKeyVault struct.

func (*AzureKeyVault) AuthorizeFromEnvironment

func (kv *AzureKeyVault) AuthorizeFromEnvironment() error

AuthorizeFromEnvironment creates a keyvault dataplane Authorizer configured from environment variables in the order: 1. Client credentials 2. Client certificate 3. Username password 4. MSI. See github.com/Azure/azure-sdk-for-go/services/keyvault/auth for more details.

func (*AzureKeyVault) GetCertificate

func (kv *AzureKeyVault) GetCertificate(ctx context.Context, certName string) (*AzureKeyVaultCert, error)

GetCertificate fetches the latest version of a certificate stored in Azure Key Vault Certificates.

type AzureKeyVaultCert

type AzureKeyVaultCert struct {
	// Key represents the private key of the certificate
	Key []byte
	// Cert represents the server certificate
	Cert []byte
}

AzureKeyVaultCert contains a private key and the certs associated with that key that were fetched from Azure Key Vault.
