https://github.com/0xsequence/go-cloudsecrets
Go pkg for hydrating struct secrets from Cloud secret managers
- Host: GitHub
- URL: https://github.com/0xsequence/go-cloudsecrets
- Owner: 0xsequence
- License: mit
- Created: 2024-02-16T14:29:46.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2024-12-13T12:32:56.000Z (over 1 year ago)
- Last Synced: 2025-06-24T21:41:18.691Z (12 months ago)
- Language: Go
- Homepage:
- Size: 83 KB
- Stars: 0
- Watchers: 14
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# go-cloudsecrets
Go package for hydrating config secrets from Cloud secret providers:
- [x] `gcp` — GCP Secret Manager
- [x] `env` — Environment variables (configurable prefix)
- [x] `nosecrets` — No provider (errors out on any `$SECRET:` value)
```go
provider, _ := gcp.NewSecretsProvider(ctx)
defer provider.Close()
err := cloudsecrets.Hydrate(ctx, provider, &cfg)
```
The `Hydrate()` function recursively walks the given `cfg` and replaces every field matching the `"$SECRET:{key}"` string format with the value fetched from the given provider.
All referenced secret keys are de-duplicated and fetched only once.
The `Hydrate()` function tries to replace all fields before returning any error(s). This means that the given struct might be only partially hydrated when an error is returned.
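How a walk like this can work, as an added example that is not the package's own code: a reflection pass collects the `$SECRET:` fields, looks each distinct key up once, and keeps going after a miss. The names `collect` and `hydrate`, the `lookup` callback (shaped like `os.LookupEnv`) and the sample `Config`/`DB` types are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"reflect"
	"strings"
)

// collect groups every settable "$SECRET:{key}" string field under its key.
func collect(v reflect.Value, refs map[string][]reflect.Value) {
	switch v = reflect.Indirect(v); v.Kind() { // a nil pointer becomes an invalid Value
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			collect(v.Field(i), refs)
		}
	case reflect.String:
		if key, ok := strings.CutPrefix(v.String(), "$SECRET:"); ok && v.CanSet() {
			refs[key] = append(refs[key], v)
		}
	}
}

// hydrate calls lookup (hypothetical provider stand-in) once per distinct key; a miss does not stop it.
func hydrate(cfg any, lookup func(key string) (string, bool)) (err error) {
	refs := map[string][]reflect.Value{}
	collect(reflect.ValueOf(cfg), refs)
	for key, fields := range refs {
		val, ok := lookup(key)
		if !ok {
			err = errors.Join(err, fmt.Errorf("secret %q not found", key))
			continue // failed fields keep their "$SECRET:..." placeholder
		}
		for _, f := range fields {
			f.SetString(val)
		}
	}
	return err
}

type DB struct{ Password, Token string } // constructed sample config types
type Config struct{ Primary, Replica *DB }

func main() {
	os.Setenv("dbPassword", "s3cr3t") // constructed sample secret
	cfg := Config{&DB{"$SECRET:dbPassword", "$SECRET:missing"}, &DB{"$SECRET:dbPassword", "plain"}}
	err := hydrate(&cfg, os.LookupEnv)
	fmt.Println(*cfg.Primary, *cfg.Replica, err)
}
```

In this sketch the field whose lookup failed still holds the literal `$SECRET:missing` string, so a non-nil error should stop startup rather than let a placeholder reach a database driver or API client.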
## Usage
```go
package main

import (
	"context"
	"log"

	"github.com/0xsequence/go-cloudsecrets"
	"github.com/0xsequence/go-cloudsecrets/gcp"
)

// The config types are declared inline so the example compiles on its own;
// the original snippet refers to them as config.Config and config.DB.
type DB struct {
	Database string
	Host     string
	Username string
	Password string
}

type Config struct {
	DB *DB
}

var cfg = Config{
	DB: &DB{
		Database: "postgres",
		Host:     "localhost:5432",
		Username: "sequence",
		Password: "$SECRET:dbPassword", // will be hydrated (replaced by value of "dbPassword" secret)
	},
}

func main() {
	ctx := context.Background()

	provider, err := gcp.NewSecretsProvider(ctx)
	if err != nil {
		log.Fatalf("failed to create secrets provider: %v", err)
	}
	defer provider.Close()

	err = cloudsecrets.Hydrate(ctx, provider, &cfg)
	if err != nil {
		log.Fatalf("failed to hydrate config secrets: %v", err)
	}

	// cfg.DB.Password now contains the value of the latest "dbPassword" GCP secret
}
```
## License
[MIT](./LICENSE)