secret_rs
| Crates.io | secret_rs |
| lib.rs | secret_rs |
| version | 0.5.0 |
| created_at | 2024-10-11 11:58:25.187438+00 |
| updated_at | 2025-08-25 16:57:10.60738+00 |
| description | a library to embed a secret value into a running binary |
| homepage | |
| repository | https://git.tools.mia-platform.eu/platform/libraries/secrets/secret-rs |
| max_upload_size | |
| id | 1405238 |
| size | 107,766 |
sig-rust-libs (github:mia-platform:sig-rust-libs)
documentation
README
secret_rs
A library that supports injecting file system's secrets or environment variables secrets into a JSON configuration.
The goal of secret_rs is twofold:
- improve the developer experience by centralizing all the application's configuration under the same location, that is allowing access of both secret and unsecreted values within the same data structure
- simplify secret management in the context of cloud-native applications, such as K8s containers
Overview
secret_rs library enables applications to load a JSON configuration file that
may contain references to external secret values without writing them in plaintext.
This is achieved by transparently resolving the external secrets during the deserialization process. Secrets can be read from:
- a plaintext value within the configuration, so that the same interface can be employed also for non-sensitive values
- an environment variable
- the content of a file
- the content of a key within a file (such a
.inior.json)
In addition, when using an environment variable or a file, it is possible to optionally
specify in which encoding the value has been stored.
In this manner, the library can load external secrets saved in a format different from plaintext. At the moment only base64 is supported.
Configuration Examples
In this section are listed all the possible ways a secret can be written within a JSON configuration file:
- as a plain string
{ "secret": "not so secret" } - as a reference to an environment variable
{ "secret": { "type": "env", "key": "MY_SECRET_ENV_VAR_NAME" } } - as a reference to a file (load all its content as secret)
{ "secret": { "type": "file", "path": "/path/to/file" } } - as a reference to a key in a JSON or INI file (load only the key's value as secret)
{ "secret": { "type": "file", "path": "/path/to/file", "key": "MY_SECRET" } }
The application is then able to deserialize all of them using the Secret enum.
use secret_rs::Secret;
use serde::{Deserialize, Serialize};
#[derive(Deserialize, Serialize)]
pub struct AppConfig {
/// my external sensitive value
pub secret: Secret,
}
The value of secret field then can be read using its read() method, which allows
extracting the actual value contained within the deserialized enum.
Watch
The library also supports watching the secret values for changes by listening to file system events. This is useful when the application needs to reload values when they are updated by an external entity.
From configuration it can either be a path:
{
"secret": "/path/to/secret/file"
}
or the same structure as the file-based secret
{
"secret": {
"path": "/path/to/secret/file",
"key": "MY_SECRET"
"encoding": "base64"
}
}
and must deserialize into [SecretWatcher] struct, then a method read() peeks the current value of the secret or a stream can be spawned.
Contributing
More details on how to contribute to this project can be found in CONTRIBUTING.md file.