47b202554e
This commit adds the Azure SDK for Azure key vault KMS integration to the Ceph CSI driver. Signed-off-by: Praveen M <m.praveen@ibm.com> |
||
---|---|---|
.. | ||
assets.json | ||
autorest.md | ||
build.go | ||
CHANGELOG.md | ||
ci.yml | ||
client.go | ||
custom_client.go | ||
LICENSE.txt | ||
models_serde.go | ||
models.go | ||
options.go | ||
README.md | ||
response_types.go | ||
test-resources.json | ||
time_unix.go | ||
TROUBLESHOOTING.md | ||
version.go |
Azure Key Vault Secrets client module for Go
Azure Key Vault helps solve the following problems:
- Secrets management (this module) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets
- Managed HSM administration (azadmin) - role-based access control (RBAC), settings, and vault-level backup and restore options
- Certificate management (azcertificates) - create, manage, and deploy public and private SSL/TLS certificates
- Cryptographic key management (azkeys) - create, store, and control access to the keys used to encrypt your data
Source code | Package (pkg.go.dev) | Product documentation | Samples
Getting started
Install packages
Install azsecrets
and azidentity
with go get
:
go get github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
go get github.com/Azure/azure-sdk-for-go/sdk/azidentity
azidentity is used for Azure Active Directory authentication as demonstrated below.
Prerequisites
- An Azure subscription
- A supported Go version (the Azure SDK supports the two most recent Go releases)
- A key vault. If you need to create one, see the Key Vault documentation for instructions on doing so in the Azure Portal or with the Azure CLI.
Authentication
This document demonstrates using azidentity.NewDefaultAzureCredential to authenticate. This credential type works in both local development and production environments. We recommend using a managed identity in production.
Client accepts any azidentity credential. See the azidentity documentation for more information about other credential types.
Create a client
Constructing the client also requires your vault's URL, which you can get from the Azure CLI or the Azure Portal.
import (
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
)
func main() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
// TODO: handle error
}
client := azsecrets.NewClient("https://<TODO: your vault name>.vault.azure.net", cred, nil)
}
Key concepts
Secret
A secret consists of a secret value and its associated metadata and management information. This library handles secret values as strings, but Azure Key Vault doesn't store them as such. For more information about secrets and how Key Vault stores and manages them, see the Key Vault documentation.
azseecrets.Client
can set secret values in the vault, update secret metadata, and delete secrets, as shown in the examples below.
Examples
Get started with our examples.
Troubleshooting
Error Handling
All methods which send HTTP requests return *azcore.ResponseError
when these requests fail. ResponseError
has error details and the raw response from Key Vault.
import "github.com/Azure/azure-sdk-for-go/sdk/azcore"
resp, err := client.GetSecret(context.Background(), "secretName", nil)
if err != nil {
var httpErr *azcore.ResponseError
if errors.As(err, &httpErr) {
// TODO: investigate httpErr
} else {
// TODO: not an HTTP error
}
}
Logging
This module uses the logging implementation in azcore
. To turn on logging for all Azure SDK modules, set AZURE_SDK_GO_LOGGING
to all
. By default the logger writes to stderr. Use the azcore/log
package to control log output. For example, logging only HTTP request and response events, and printing them to stdout:
import azlog "github.com/Azure/azure-sdk-for-go/sdk/azcore/log"
// Print log events to stdout
azlog.SetListener(func(cls azlog.Event, msg string) {
fmt.Println(msg)
})
// Includes only requests and responses in logs
azlog.SetEvents(azlog.EventRequest, azlog.EventResponse)
Accessing http.Response
You can access the raw *http.Response
returned by Key Vault using the runtime.WithCaptureResponse
method and a context passed to any client method.
import "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
var response *http.Response
ctx := runtime.WithCaptureResponse(context.TODO(), &response)
_, err = client.GetSecret(ctx, "secretName", nil)
if err != nil {
// TODO: handle error
}
// TODO: do something with response
Additional Documentation
See the API reference documentation for complete documentation of this module.
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.