
1#![allow(missing_docs)]
2use std::collections::{HashMap, HashSet};
3
4use enum_dispatch::enum_dispatch;
5use vector_lib::configurable::configurable_component;
6
7use crate::{
8    config::{GenerateConfig, SecretBackend},
9    signal,
10};
11
12#[cfg(feature = "secrets-aws-secrets-manager")]
13mod aws_secrets_manager;
14mod directory;
15mod exec;
16mod file;
17mod test;
18
/// Configuration options to retrieve secrets from an external backend, so that secrets do
/// not have to be stored in plaintext in the Vector config. Multiple backends can be
/// configured. Use `SECRET[<backend_name>.<secret_key>]` to tell Vector to retrieve the
/// secret; this placeholder is replaced by the secret retrieved from the relevant backend.
///
/// When `type` is `exec`, the provided command will be run and provided a list of
/// secrets to fetch, determined from the configuration file, on stdin as JSON in the format:
///
/// ```json
/// {"version": "1.0", "secrets": ["secret1", "secret2"]}
/// ```
///
/// The executable is expected to respond with the values of these secrets on stdout, also as
/// JSON, in the format:
///
/// ```json
/// {
///     "secret1": {"value": "secret_value", "error": null},
///     "secret2": {"value": null, "error": "could not fetch the secret"}
/// }
/// ```
///
/// If an `error` is returned for any secret, or if the command exits with a non-zero status
/// code, Vector will log the errors and exit.
///
/// Otherwise, the secret source must be a JSON text string with key/value pairs. For example:
///
/// ```json
/// {
///     "username": "test",
///     "password": "example-password"
/// }
/// ```
///
/// If an error occurred while reading the file or retrieving the secrets, Vector logs the
/// error and exits.
///
/// Secrets are loaded when Vector starts or if Vector receives a `SIGHUP` signal triggering
/// its configuration reload process.
// NOTE(review): presumably one backend struct is much larger than the rest and the lint is
// silenced instead of boxing it — confirm which variant before removing this allow.
#[allow(clippy::large_enum_variant)]
// Registered as the `secret` global option of the Vector configuration.
#[configurable_component(global_option("secret"))]
#[derive(Clone, Debug)]
// `SecretBackend` trait calls on the enum are forwarded to the wrapped backend value.
#[enum_dispatch(SecretBackend)]
// The `type` field selects the variant; variant names are matched in snake_case.
#[serde(tag = "type", rename_all = "snake_case")]
#[configurable(metadata(
    docs::enum_tag_description = "secret type",
    docs::common = false,
    docs::required = false,
))]
pub enum SecretBackends {
    /// File.
    File(file::FileBackend),

    /// Directory.
    Directory(directory::DirectoryBackend),

    /// Exec.
    // NOTE(review): this backend runs an operator-configured command; the command path
    // is part of trusted configuration — confirm how `exec.rs` resolves and invokes it.
    Exec(exec::ExecBackend),

    /// AWS Secrets Manager.
    #[cfg(feature = "secrets-aws-secrets-manager")]
    AwsSecretsManager(aws_secrets_manager::AwsSecretsManagerBackend),

    /// Test.
    // Excluded from generated documentation.
    #[configurable(metadata(docs::hidden))]
    Test(test::TestBackend),
}
81
impl GenerateConfig for SecretBackends {
    /// Builds the example configuration shown for the `secret` global option.
    ///
    /// The example is a `file` backend pointing at a placeholder path. The `unwrap`
    /// assumes that serialising this constant example to TOML never fails.
    fn generate_config() -> toml::Value {
        let example = Self::File(file::FileBackend {
            path: "path/to/file".into(),
        });
        toml::Value::try_from(example).unwrap()
    }
}