vector/secrets/
mod.rs

1#![allow(missing_docs)]
2use std::collections::{HashMap, HashSet};
3
4use enum_dispatch::enum_dispatch;
5use vector_lib::configurable::configurable_component;
6
7use crate::config::GenerateConfig;
8use crate::{config::SecretBackend, signal};
9
10#[cfg(feature = "secrets-aws-secrets-manager")]
11mod aws_secrets_manager;
12mod directory;
13mod exec;
14mod file;
15mod test;
16
17///	Configuration options to retrieve secrets from external backend in order to avoid storing secrets in plaintext
18/// in Vector config. Multiple backends can be configured. Use `SECRET[<backend_name>.<secret_key>]` to tell Vector to retrieve the secret. This placeholder is replaced by the secret
19/// retrieved from the relevant backend.
20///
21/// When `type` is `exec`, the provided command will be run and provided a list of
22/// secrets to fetch, determined from the configuration file, on stdin as JSON in the format:
23///
24/// ```json
25/// {"version": "1.0", "secrets": ["secret1", "secret2"]}
26/// ```
27///
28/// The executable is expected to respond with the values of these secrets on stdout, also as JSON, in the format:
29///
30/// ```json
31/// {
32///     "secret1": {"value": "secret_value", "error": null},
33///     "secret2": {"value": null, "error": "could not fetch the secret"}
34/// }
35/// ```
36/// If an `error` is returned for any secrets, or if the command exits with a non-zero status code,
37/// Vector will log the errors and exit.
38///
39/// Otherwise, the secret must be a JSON text string with key/value pairs. For example:
40/// ```json
41/// {
42///     "username": "test",
43///     "password": "example-password"
44/// }
45/// ```
46///
47/// If an error occurred while reading the file or retrieving the secrets, Vector logs the error and exits.
48///
49/// Secrets are loaded when Vector starts or if Vector receives a `SIGHUP` signal triggering its
50/// configuration reload process.
51#[allow(clippy::large_enum_variant)]
52#[configurable_component(global_option("secret"))]
53#[derive(Clone, Debug)]
54#[enum_dispatch(SecretBackend)]
55#[serde(tag = "type", rename_all = "snake_case")]
56#[configurable(metadata(
57    docs::enum_tag_description = "secret type",
58    docs::common = false,
59    docs::required = false,
60))]
61pub enum SecretBackends {
62    /// File.
63    File(file::FileBackend),
64
65    /// Directory.
66    Directory(directory::DirectoryBackend),
67
68    /// Exec.
69    Exec(exec::ExecBackend),
70
71    /// AWS Secrets Manager.
72    #[cfg(feature = "secrets-aws-secrets-manager")]
73    AwsSecretsManager(aws_secrets_manager::AwsSecretsManagerBackend),
74
75    /// Test.
76    #[configurable(metadata(docs::hidden))]
77    Test(test::TestBackend),
78}
79
80impl GenerateConfig for SecretBackends {
81    fn generate_config() -> toml::Value {
82        toml::Value::try_from(Self::File(file::FileBackend {
83            path: "path/to/file".into(),
84        }))
85        .unwrap()
86    }
87}
vector/secrets/mod.rs

vector/secrets/
mod.rs
