Expand description
§vaultrs
An asynchronous Rust client library for the Hashicorp Vault API.
§Usages
§AWS
The library currently supports all operations available for the AWS Secret Engine.
See aws tests for more examples.
use vaultrs::sys::mount;
use vaultrs::aws;
use vaultrs::api::aws::requests::{SetConfigurationRequest, CreateUpdateRoleRequest, GenerateCredentialsRequest};
// Mount AWS SE
mount::enable(&client, "aws_test", "aws", None).await?;
// Configure AWS SE
aws::config::set(&client, "aws_test", "access_key", "secret_key", Some(SetConfigurationRequest::builder()
.max_retries(3)
.region("eu-central-1")
)).await?;
// Create HVault role
aws::roles::create_update(&client, "aws_test", "my_role", "assumed_role", Some(CreateUpdateRoleRequest::builder()
.role_arns( vec!["arn:aws:iam::123456789012:role/test_role".to_string()] )
)).await?;
// Generate credentials
let res = aws::roles::credentials(&client, "aws_test", "my_role", Some(GenerateCredentialsRequest::builder()
.ttl("3h")
)).await?;
let creds = res;
// creds.access_key
// creds.secret_key
// creds.security_token§Key Value v2
The library currently supports all operations available for version 2 of the key/value store.
use serde::{Deserialize, Serialize};
use vaultrs::kv2;
// Create and read secrets
#[derive(Debug, Deserialize, Serialize)]
struct MySecret {
key: String,
password: String,
}
let secret = MySecret {
key: "super".to_string(),
password: "secret".to_string(),
};
kv2::set(
&client,
"secret",
"mysecret",
&secret,
).await;
let secret: MySecret = kv2::read(&client, "secret", "mysecret").await.unwrap();
println!("{}", secret.password); // "secret"§Key Value v1
The library currently supports all operations available for version 1 of the key/value store.
use vaultrs::kv1;
use std::collections::HashMap;
let my_secrets = HashMap::from([
("key1", "value1"),
("key2", "value2")
]);
kv1::set(&client, "secret", "my/secrets", &my_secrets).await.unwrap();
let read_secrets: HashMap<String, String> = kv1::get(&client, "secret", "my/secrets").await.unwrap();
println!("{:}", read_secrets.get("key1").unwrap()); // value1
let list_secret = kv1::list(&client, "secret", "my").await.unwrap();
println!("{:?}", list_secret.data.keys); // [ "secrets" ]
kv1::delete(&client, "secret", "my/secrets").await.unwrap();§PKI
The library currently supports all operations available for the PKI secrets engine.
use vaultrs::api::pki::requests::GenerateCertificateRequest;
use vaultrs::pki::cert;
// Generate a certificate using the PKI backend
let cert = cert::generate(
&client,
"pki",
"my_role",
Some(GenerateCertificateRequest::builder().common_name("test.com")),
).await?;
println!("{}", cert.certificate); // "{PEM encoded certificate}"§Transit
The library supports most operations for the
Transit secrets engine,
other than importing keys or batch_input parameters.
use vaultrs::api::transit::requests::CreateKeyRequest;
use vaultrs::api::transit::KeyType;
use vaultrs::transit::key;
// Create an encryption key using the /transit backend
key::create(
&client,
"transit",
"my-transit-key",
Some(CreateKeyRequest::builder()
.derived(true)
.key_type(KeyType::Aes256Gcm96)
.auto_rotate_period("30d")),
).await.unwrap();§Wrapping
All requests implement the ability to be wrapped. These can be passed in your application internally before being unwrapped.
use vaultrs::api::ResponseWrapper;
use vaultrs::api::sys::requests::ListMountsRequest;
let endpoint = ListMountsRequest::builder().build().unwrap();
let wrap_resp = endpoint.wrap(&client).await; // Wrapped response
assert!(wrap_resp.is_ok());
let wrap_resp = wrap_resp.unwrap(); // Unwrap Result<>
let info = wrap_resp.lookup(&client).await; // Check status of this wrapped response
assert!(info.is_ok());
let unwrap_resp = wrap_resp.unwrap(&client).await; // Unwrap the response
assert!(unwrap_resp.is_ok());
let info = wrap_resp.lookup(&client).await; // Error: response already unwrapped
assert!(info.is_err());Modules§
- Identity secrets engine