| Crates.io | greentic-secrets-core |
| lib.rs | greentic-secrets-core |
| version | 0.4.14 |
| created_at | 2025-10-23 06:31:02.516239+00 |
| updated_at | 2026-01-18 18:08:50.451247+00 |
| description | Core runtime and backend orchestration for Greentic secrets. |
| homepage | |
| repository | https://github.com/greentic-ai/greentic-secrets |
| max_upload_size | |
| id | 1896684 |
| size | 276,713 |
greentic-secrets-core is the embedded runtime that powers the Greentic
secrets platform. It provides a pluggable SecretsCore builder, optional local
cache, and a common trait surface so credential providers can be swapped without
changing application logic.
The library compiles down to a single dependency-free crate by default while
allowing cloud backends to be pulled in behind feature flags. When published to
crates.io the crate name is greentic-secrets-core, but the compiled library
exports as secrets_core for continuity with earlier versions.
```sh
cargo add greentic-secrets-core
```
By default the crate enables the lightweight env and file backends. You can
opt into additional integrations through feature flags:
| Feature | Purpose | Notes |
|---|---|---|
| `env` (default) | Pull secrets from process environment variables | No async runtime required |
| `file` (default) | Read secrets from disk snapshots | Useful for local development |
| `aws` | AWS Secrets Manager integration | Pair with `greentic-secrets-provider-aws-sm` |
| `gcp` | Google Secret Manager integration | Pair with `greentic-secrets-provider-gcp-sm` |
| `azure` | Azure Key Vault integration | Pair with `greentic-secrets-provider-azure-kv` |
| `k8s` | Kubernetes Secrets integration | Pair with `greentic-secrets-provider-k8s` |
| `nats` | Emit invalidation events over NATS | Pulls in `tokio` and `async-nats` |
| `imds` | Access cloud metadata services | Activates `reqwest` (Rustls TLS only) |
| `schema` | Generate JSON schema for `SecretSpec` | Enables `schemars` |
| `xchacha` | Use XChaCha20-Poly1305 envelopes | Optional stronger envelope encryption |
```rust
use secrets_core::SecretsCore;
use std::time::Duration;

#[tokio::main]
async fn main() -> Result<(), secrets_core::Error> {
    // Build the embedded runtime for one tenant with a 10-minute default cache TTL.
    let core = SecretsCore::builder()
        .tenant("example-tenant")
        .default_ttl(Duration::from_secs(600))
        .build()
        .await?;
    // Resolve a secret by its secrets:// URI; which backend answers is decided by feature flags.
    let password = core
        .get_text("secrets://dev/example-tenant/_/configs/db_password")
        .await?;
    println!("db_password: {password:?}");
    Ok(())
}
```
See the repository root `docs/embedded.md` for
configuration knobs (TTL, cache backends, invalidation semantics) and
`docs/backends.md` for backend mapping rules. Events and
messaging provider secrets use the shared helper APIs documented in
`docs/events_messaging_secrets.md`; see
`examples/provider_secrets.rs` for a runnable snippet.
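To show the pattern the README describes (a pluggable backend behind an optional local cache with a TTL and explicit invalidation), here is an added, self-contained Rust sketch. It is not code from greentic-secrets-core: the `Backend` trait, `EnvBackend`, `SnapshotBackend`, `CachedCore` and the environment-variable naming rule are assumptions chosen for illustration, not the crate's `SecretsBackend` or the mapping rules in `docs/backends.md`, and the sample secret value is constructed. Time is passed in explicitly so TTL expiry can be exercised without sleeping.

```rust
// Added example, not greentic-secrets-core code. Names below are assumptions for illustration.
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Anything that can resolve a `secrets://` URI to its plaintext value.
pub trait Backend {
    fn fetch(&self, uri: &str) -> Option<String>;
}

/// Stand-in for the `env` backend: maps the URI's last path segment to an
/// upper-cased, prefixed environment variable (constructed rule, not the crate's).
pub struct EnvBackend {
    pub prefix: String,
}

impl Backend for EnvBackend {
    fn fetch(&self, uri: &str) -> Option<String> {
        let name = uri.rsplit('/').next()?;
        std::env::var(format!("{}{}", self.prefix, name.to_uppercase())).ok()
    }
}

/// Stand-in for the `file` backend: a disk snapshot already loaded into memory.
pub struct SnapshotBackend {
    pub entries: HashMap<String, String>,
}

impl Backend for SnapshotBackend {
    fn fetch(&self, uri: &str) -> Option<String> {
        self.entries.get(uri).cloned()
    }
}

struct CacheEntry {
    value: String,
    expires_at: Instant,
}

/// Application-facing handle. The backend is a type parameter, so swapping
/// providers changes construction only, never the call sites.
pub struct CachedCore<B: Backend> {
    backend: B,
    ttl: Duration,
    cache: HashMap<String, CacheEntry>,
    /// How many times the backend was actually consulted (useful for observability).
    pub backend_hits: usize,
}

impl<B: Backend> CachedCore<B> {
    pub fn new(backend: B, ttl: Duration) -> Self {
        Self { backend, ttl, cache: HashMap::new(), backend_hits: 0 }
    }

    /// Resolve `uri` as of time `now`, serving from cache while the entry is fresh.
    pub fn get_text_at(&mut self, uri: &str, now: Instant) -> Option<String> {
        if let Some(entry) = self.cache.get(uri) {
            if now < entry.expires_at {
                return Some(entry.value.clone());
            }
        }
        self.backend_hits += 1;
        let value = self.backend.fetch(uri)?;
        let expires_at = now + self.ttl;
        self.cache.insert(uri.to_string(), CacheEntry { value: value.clone(), expires_at });
        Some(value)
    }

    /// Drop a cached value (e.g. on an invalidation event) so the next read
    /// goes back to the backend even before the TTL elapses.
    pub fn invalidate(&mut self, uri: &str) {
        self.cache.remove(uri);
    }
}

pub const URI: &str = "secrets://dev/example-tenant/_/configs/db_password";

/// Walk through cache hit, TTL expiry and explicit invalidation; returns the
/// backend hit count after each phase.
pub fn cache_lifecycle() -> (usize, usize, usize) {
    let mut entries = HashMap::new();
    entries.insert(URI.to_string(), "constructed-sample-password".to_string()); // constructed value
    let mut core = CachedCore::new(SnapshotBackend { entries }, Duration::from_secs(600));
    let t0 = Instant::now();
    let first = core.get_text_at(URI, t0);
    let second = core.get_text_at(URI, t0 + Duration::from_secs(1)); // still fresh: cache hit
    assert_eq!(first, second);
    let after_cache_hit = core.backend_hits;
    core.get_text_at(URI, t0 + Duration::from_secs(601)); // TTL elapsed: refetched
    let after_ttl_expiry = core.backend_hits;
    core.invalidate(URI);
    core.get_text_at(URI, t0 + Duration::from_secs(602)); // invalidated: refetched again
    let after_invalidate = core.backend_hits;
    (after_cache_hit, after_ttl_expiry, after_invalidate)
}

fn main() {
    println!("backend hits (cached, expired, invalidated): {:?}", cache_lifecycle());
}
```

The hit counter is the observable that tells you whether a rotated secret is still being served from cache: a short TTL bounds how long a stale value can live, and invalidation (which the real crate can drive over NATS with the `nats` feature) cuts that window to zero for a specific URI.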
Cloud-specific providers live in sibling crates (for example
greentic-secrets-provider-aws-sm). Each provider implements
SecretsBackend and KeyProvider, so you can compose the pieces that match
your deployment while still depending on greentic-secrets-core from your
application crate.
```toml
[dependencies]
greentic-secrets-core = { version = "0.1", features = ["aws"] }
greentic-secrets-provider-aws-sm = "0.1"
```
```rust
use secrets_core::{SecretsBroker, SecretsCore};
use secrets_provider_aws_sm::build_backend;

// Error type is an assumption for this snippet; the crates' own error types also work with `?`.
async fn build_core() -> Result<SecretsCore, Box<dyn std::error::Error>> {
    // The provider crate returns both halves of a broker: the secret store and the key provider.
    let SecretsBroker { backend, key_provider } = build_backend()?;
    let core = SecretsCore::builder()
        .with_backend(backend)
        .with_key_provider(key_provider)
        .build()
        .await?;
    Ok(core)
}
```
For additional samples, browse the `examples/` directory or run
`cargo run --example put_get_json` inside the workspace.
Licensed under the terms of the MIT license.