azure

package

v0.23.0 Latest Latest Go to latest Published: Nov 10, 2023 License: AGPL-3.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/minio/kes

Links

Open Source Insights

Documentation ¶

Index ¶

type Credentials
type ManagedIdentity
type Store
- func ConnectWithCredentials(_ context.Context, endpoint string, creds Credentials) (*Store, error)
- func ConnectWithIdentity(_ context.Context, endpoint string, msi ManagedIdentity) (*Store, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Credentials ¶

type Credentials struct {
	TenantID string // The ID of the Azure tenant
	ClientID string // The ID of the Azure client accessing KeyVault
	Secret   string // The secret value of the Azure client
}

Credentials are Azure client credentials to authenticate an application accessing Azure service.

type ManagedIdentity ¶

type ManagedIdentity struct {
	ClientID string // The Azure managed identity client ID
}

ManagedIdentity is an Azure managed identity.

It allows applications running inside Azure to authenticate to Azure services via a managed identity object containing the access credentials.

type Store ¶ added in v0.23.0

type Store struct {
	// contains filtered or unexported fields
}

Store is an Azure KeyVault secret store.

func ConnectWithCredentials ¶

func ConnectWithCredentials(_ context.Context, endpoint string, creds Credentials) (*Store, error)

ConnectWithCredentials tries to establish a connection to a Azure KeyVault instance using Azure client credentials.

func ConnectWithIdentity ¶

func ConnectWithIdentity(_ context.Context, endpoint string, msi ManagedIdentity) (*Store, error)

ConnectWithIdentity tries to establish a connection to a Azure KeyVault instance using an Azure managed identity.

func (*Store) Close ¶ added in v0.23.0

func (s *Store) Close() error

Close closes the Store.

func (*Store) Create ¶ added in v0.23.0

func (s *Store) Create(ctx context.Context, name string, value []byte) error

Create creates the given key-value pair as KeyVault secret.

Since KeyVault does not support an atomic create resp. create-only-if-not-exists, Create cannot exclude data race situations when multiple clients try to create the same secret at the same time.

However, Create checks whether a secret with the given name exists, and if it does, returns kes.ErrKeyExists.

Further, a secret may not exist but may be in a soft delete state. In this case, Create tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background such that an incoming create fails with HTTP 409 Conflict. Therefore, Create tries to create the secret multiple times after purging but will eventually give up and fail. However, a subsequent create may succeed once KeyVault has purged the secret completely.

func (*Store) Delete ¶ added in v0.23.0

func (s *Store) Delete(ctx context.Context, name string) error

Delete deletes and purges the secret from KeyVault.

A full delete is a two-step process. So, Delete first tries to delete and then purge the (soft) deleted secret. However, KeyVault may return success even though it hasn't completed the (soft) deletion process. A subsequent purge operation may tmp. fail with HTTP 409 conflict.

Therefore, Delete retries to purge a deleted secret multiple times. However, it will not return an error when all attempts fail with HTTP 409 since KeyVault will eventually catch up and purge the secret. Further, a subsequent Create operation will also try to purge the secret.

Since KeyVault only supports two-steps deletes, KES cannot guarantee that a Delete operation has atomic semantics.

func (*Store) Get ¶ added in v0.23.0

func (s *Store) Get(ctx context.Context, name string) ([]byte, error)

Get returns the first resp. oldest version of the secret. It returns kes.ErrKeyNotFound if no such secret exists.

Since Get has to fetch and filter the secrets versions first before actually accessing the secret, Get may return inconsistent responses when the secret is modified concurrently.

func (*Store) List ¶ added in v0.23.0

func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error)

List returns a new Iterator over the names of all stored keys. List returns the first n key names, that start with the given prefix, and the next prefix from which the listing should continue.

It returns all keys with the prefix if n < 0 and less than n names if n is greater than the number of keys with the prefix.

An empty prefix matches any key name. At the end of the listing or when there are no (more) keys starting with the prefix, the returned prefix is empty

func (*Store) Set ¶ added in v0.23.0

func (s *Store) Set(ctx context.Context, name string, value []byte) error

Set creates the given key-value pair as KeyVault secret.

Since KeyVault does not support an atomic create resp. create-only-if-not-exists, Set cannot exclude data race situations when multiple clients try to create the same secret at the same time.

However, Set checks whether a secret with the given name exists, and if it does, returns kes.ErrKeyExists.

Further, a secret may not exist but may be in a soft delete state. In this case, Set tries to purge the deleted secret and then tries to create it. However, KeyVault purges deleted secrets in the background such that an incoming create fails with HTTP 409 Conflict. Therefore, Set tries to create the secret multiple times after purging but will eventually give up and fail. However, a subsequent create may succeed once KeyVault has purged the secret completely.

func (*Store) Status ¶ added in v0.23.0

func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error)

Status returns the current state of the Azure KeyVault instance. In particular, whether it is reachable and the network latency.

func (*Store) String ¶ added in v0.23.0

func (s *Store) String() string

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL