vector/secrets/mod.rs
1#![allow(missing_docs)]
2use std::collections::{HashMap, HashSet};
3
4use enum_dispatch::enum_dispatch;
5use vector_lib::configurable::configurable_component;
6
7use crate::config::GenerateConfig;
8use crate::{config::SecretBackend, signal};
9
10#[cfg(feature = "secrets-aws-secrets-manager")]
11mod aws_secrets_manager;
12mod directory;
13mod exec;
14mod file;
15mod test;
16
/// Configuration options to retrieve secrets from an external backend in order to avoid storing
/// secrets in plaintext in Vector config. Multiple backends can be configured. Use
/// `SECRET[<backend_name>.<secret_key>]` to tell Vector to retrieve the secret. This placeholder
/// is replaced by the secret retrieved from the relevant backend.
///
/// When `type` is `exec`, the provided command will be run and provided a list of
/// secrets to fetch, determined from the configuration file, on stdin as JSON in the format:
///
/// ```json
/// {"version": "1.0", "secrets": ["secret1", "secret2"]}
/// ```
///
/// The executable is expected to respond with the values of these secrets on stdout, also as JSON, in the format:
///
/// ```json
/// {
/// "secret1": {"value": "secret_value", "error": null},
/// "secret2": {"value": null, "error": "could not fetch the secret"}
/// }
/// ```
/// If an `error` is returned for any secrets, or if the command exits with a non-zero status code,
/// Vector will log the errors and exit.
///
/// Otherwise, the secret must be a JSON text string with key/value pairs. For example:
/// ```json
/// {
/// "username": "test",
/// "password": "example-password"
/// }
/// ```
///
/// If an error occurred while reading the file or retrieving the secrets, Vector logs the error and exits.
///
/// Secrets are loaded when Vector starts or if Vector receives a `SIGHUP` signal triggering its
/// configuration reload process.
// NOTE(review): presumably one variant's payload is considerably larger than the others
// (the feature-gated AWS backend is the likely candidate); the lint is silenced here
// rather than boxing that variant — confirm if the enum size matters on a hot path.
#[allow(clippy::large_enum_variant)]
#[configurable_component(global_option("secret"))]
#[derive(Clone, Debug)]
// Every variant wraps a type implementing `SecretBackend`; `enum_dispatch` generates the
// trait impl for this enum by forwarding each call to the wrapped backend.
#[enum_dispatch(SecretBackend)]
// The concrete backend is chosen by the `type` key in the config; variant names are
// serialized in snake_case (`file`, `directory`, `exec`, `aws_secrets_manager`, `test`).
#[serde(tag = "type", rename_all = "snake_case")]
// `docs::*` metadata feeds the generated configuration reference: the `secret` option is
// neither common nor required, so it is absent from a minimal config.
#[configurable(metadata(
    docs::enum_tag_description = "secret type",
    docs::common = false,
    docs::required = false,
))]
pub enum SecretBackends {
    /// File.
    File(file::FileBackend),

    /// Directory.
    Directory(directory::DirectoryBackend),

    /// Exec.
    Exec(exec::ExecBackend),

    /// AWS Secrets Manager.
    // Only compiled in when the AWS feature is enabled, so the variant (and its
    // `aws_secrets_manager` tag) does not exist in builds without it.
    #[cfg(feature = "secrets-aws-secrets-manager")]
    AwsSecretsManager(aws_secrets_manager::AwsSecretsManagerBackend),

    /// Test.
    // Hidden from the generated docs; still selectable via `type = "test"` in config.
    #[configurable(metadata(docs::hidden))]
    Test(test::TestBackend),
}
79
impl GenerateConfig for SecretBackends {
    /// Builds an example configuration value for this enum, using the `file` variant
    /// with a placeholder path.
    fn generate_config() -> toml::Value {
        let example_backend = file::FileBackend {
            path: "path/to/file".into(),
        };
        let sample = Self::File(example_backend);
        // Converting this fixed example to a TOML value is expected to be infallible;
        // a panic here would point at a broken serialization derive, not at user input.
        toml::Value::try_from(sample).unwrap()
    }
}
87}