secretsmanager

package
v1.0.0 (latest)
Published: Dec 21, 2025 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

Package secretsmanager provides helpers for AWS Secrets Manager operations.

Features

  • Get secret values (string or binary)
  • Automatic JSON unmarshaling
  • List secrets with filtering
  • Secret rotation support

Client Creation

Create a client using AWS configuration:

cfg, err := aws.LoadConfig(ctx, aws.WithRegion("us-west-2"))
if err != nil {
    return err
}

client, err := secretsmanager.NewClient(cfg)
if err != nil {
    return err
}

Basic Operations

// Get a secret as string
value, err := client.GetSecretString(ctx, "my-secret")

// Get and unmarshal a JSON secret
var config DBConfig
err = client.GetSecretJSON(ctx, "db-credentials", &config)

// List all secrets
secrets, err := client.ListSecrets(ctx)

Testing

For testing, use the interface-based client:

mock := &MockSecretsManagerAPI{}
client := secretsmanager.NewClientWithAPI(mock)

Index

Constants

This section is empty.

Variables

// Sentinel errors returned by Client operations. Compare against them with
// errors.Is rather than ==, as in the GetSecretString example, in case the
// returned error wraps them.
var (
	// ErrSecretNotFound is returned when a secret does not exist.
	ErrSecretNotFound = errors.New("secretsmanager: secret not found")

	// ErrSecretDeleted is returned when accessing a deleted secret.
	// NOTE(review): presumably this also covers a secret scheduled for deletion
	// that is still inside its recovery window — confirm against the implementation.
	ErrSecretDeleted = errors.New("secretsmanager: secret is deleted")

	// ErrAccessDenied is returned when access to a secret is denied.
	ErrAccessDenied = errors.New("secretsmanager: access denied")
)

Common Secrets Manager errors.

Functions

This section is empty.

Types

type API

API defines the Secrets Manager operations used by this package. This interface enables testing with mocks.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client provides Secrets Manager operations.

func NewClient

func NewClient(cfg *aws.Config) (*Client, error)

NewClient creates a new Secrets Manager client with the given configuration.

Example:

cfg, err := aws.LoadConfig(ctx)
if err != nil {
    return err
}
client, err := secretsmanager.NewClient(cfg)
if err != nil {
    return err
}

func NewClientWithAPI

func NewClientWithAPI(api API) *Client

NewClientWithAPI creates a client with a custom API implementation. Useful for testing with mocks.

Example:

mock := &MockSecretsManagerAPI{}
client := secretsmanager.NewClientWithAPI(mock)

func (*Client) API

func (c *Client) API() API

API returns the underlying Secrets Manager API for direct SDK access.

func (*Client) CreateSecretBinary

func (c *Client) CreateSecretBinary(ctx context.Context, name string, value []byte, opts ...CreateSecretOption) error

CreateSecretBinary creates a new secret with binary data.

Example:

err := client.CreateSecretBinary(ctx, "my-cert", certData)

func (*Client) CreateSecretString

func (c *Client) CreateSecretString(ctx context.Context, name, value string, opts ...CreateSecretOption) error

CreateSecretString creates a new secret with a string value.

Example:

err := client.CreateSecretString(ctx, "my-secret", "secret-value")

func (*Client) DeleteSecret

func (c *Client) DeleteSecret(ctx context.Context, name string, opts ...DeleteSecretOption) error

DeleteSecret schedules a secret for deletion. By default the secret is retained for a 30-day recovery window (adjustable with WithRecoveryWindow); WithForceDelete skips the window and deletes it immediately.

Example:

err := client.DeleteSecret(ctx, "my-secret")

// Force immediate deletion
err = client.DeleteSecret(ctx, "my-secret", secretsmanager.WithForceDelete())

func (*Client) DescribeSecret

func (c *Client) DescribeSecret(ctx context.Context, secretName string) (*SecretInfo, error)

DescribeSecret returns metadata about a secret without retrieving its value.

Example:

info, err := client.DescribeSecret(ctx, "my-secret")
fmt.Printf("Last changed: %v\n", info.LastChangedDate)

func (*Client) GetSecretBinary

func (c *Client) GetSecretBinary(ctx context.Context, secretName string, opts ...GetSecretOption) ([]byte, error)

GetSecretBinary retrieves a secret value as binary data.

Example:

certData, err := client.GetSecretBinary(ctx, "tls-certificate")

func (*Client) GetSecretJSON

func (c *Client) GetSecretJSON(ctx context.Context, secretName string, dest any, opts ...GetSecretOption) error

GetSecretJSON retrieves a secret and unmarshals it into dest, which must be a pointer to the target value (as in the example below). The secret value must be valid JSON.

Example:

type DBConfig struct {
    Host     string `json:"host"`
    Port     int    `json:"port"`
    Username string `json:"username"`
    Password string `json:"password"`
}

var config DBConfig
err := client.GetSecretJSON(ctx, "db-credentials", &config)

func (*Client) GetSecretString

func (c *Client) GetSecretString(ctx context.Context, secretName string, opts ...GetSecretOption) (string, error)

GetSecretString retrieves a secret value as a string. A missing secret is reported as ErrSecretNotFound, which callers can check with errors.Is (see the example).

Example:

apiKey, err := client.GetSecretString(ctx, "api-key")
if errors.Is(err, secretsmanager.ErrSecretNotFound) {
    // Handle not found
}

func (*Client) ListSecretNames

func (c *Client) ListSecretNames(ctx context.Context, opts ...ListSecretsOption) ([]string, error)

ListSecretNames returns only the names of the secrets, with no other metadata.

Example:

names, err := client.ListSecretNames(ctx)

func (*Client) ListSecrets

func (c *Client) ListSecrets(ctx context.Context, opts ...ListSecretsOption) ([]SecretInfo, error)

ListSecrets returns metadata (SecretInfo) for all secrets in the account; secret values are not included. Use the ListSecretsOption values to filter or limit the result.

Example:

secrets, err := client.ListSecrets(ctx)
for _, secret := range secrets {
    fmt.Println(secret.Name)
}

func (*Client) UpdateSecretBinary

func (c *Client) UpdateSecretBinary(ctx context.Context, name string, value []byte) error

UpdateSecretBinary updates an existing secret with new binary data.

Example:

err := client.UpdateSecretBinary(ctx, "my-cert", newCertData)

func (*Client) UpdateSecretString

func (c *Client) UpdateSecretString(ctx context.Context, name, value string) error

UpdateSecretString updates an existing secret with a new string value.

Example:

err := client.UpdateSecretString(ctx, "my-secret", "new-value")

type CreateSecretOption

// CreateSecretOption is a functional option accepted by CreateSecretString and
// CreateSecretBinary; see WithCreateDescription, WithCreateKMSKeyID and WithCreateTags.
type CreateSecretOption func(*createSecretOptions)

CreateSecretOption configures CreateSecret operations.

func WithCreateDescription

func WithCreateDescription(desc string) CreateSecretOption

WithCreateDescription sets the description for the new secret.

Example:

err := client.CreateSecretString(ctx, "my-secret", "value", secretsmanager.WithCreateDescription("API key"))

func WithCreateKMSKeyID

func WithCreateKMSKeyID(keyID string) CreateSecretOption

WithCreateKMSKeyID sets the KMS key used to encrypt the new secret (a key alias is accepted, as in the example).

Example:

err := client.CreateSecretString(ctx, "my-secret", "value", secretsmanager.WithCreateKMSKeyID("alias/my-key"))

func WithCreateTags

func WithCreateTags(tags map[string]string) CreateSecretOption

WithCreateTags sets tags for the new secret.

Example:

tags := map[string]string{"env": "prod"}
err := client.CreateSecretString(ctx, "my-secret", "value", secretsmanager.WithCreateTags(tags))

type DeleteSecretOption

// DeleteSecretOption is a functional option accepted by DeleteSecret;
// see WithForceDelete and WithRecoveryWindow.
type DeleteSecretOption func(*deleteSecretOptions)

DeleteSecretOption configures DeleteSecret operations.

func WithForceDelete

func WithForceDelete() DeleteSecretOption

WithForceDelete forces immediate, permanent deletion, skipping the recovery window during which a deleted secret could otherwise be recovered.

Example:

err := client.DeleteSecret(ctx, "my-secret", secretsmanager.WithForceDelete())

func WithRecoveryWindow

func WithRecoveryWindow(days int64) DeleteSecretOption

WithRecoveryWindow sets the number of days a deleted secret is retained before permanent deletion. The default is 30 days and the minimum is 7 days.

Example:

err := client.DeleteSecret(ctx, "my-secret", secretsmanager.WithRecoveryWindow(7))

type GetSecretOption

// GetSecretOption is a functional option accepted by GetSecretString, GetSecretBinary
// and GetSecretJSON; see WithVersionID and WithVersionStage.
type GetSecretOption func(*getSecretOptions)

GetSecretOption configures GetSecret operations.

func WithVersionID

func WithVersionID(versionID string) GetSecretOption

WithVersionID retrieves a specific version of the secret.

Example:

value, err := client.GetSecretString(ctx, "my-secret", secretsmanager.WithVersionID("abc123"))

func WithVersionStage

func WithVersionStage(stage string) GetSecretOption

WithVersionStage retrieves a specific version stage of the secret. Common values: AWSCURRENT (default), AWSPREVIOUS, AWSPENDING.

Example:

value, err := client.GetSecretString(ctx, "my-secret", secretsmanager.WithVersionStage("AWSPREVIOUS"))

type ListSecretsOption

// ListSecretsOption is a functional option accepted by ListSecrets and ListSecretNames;
// see WithMaxResults, WithNameFilter and WithTagFilter.
type ListSecretsOption func(*listSecretsOptions)

ListSecretsOption configures ListSecrets operations.

func WithMaxResults

func WithMaxResults(n int32) ListSecretsOption

WithMaxResults limits the number of secrets returned.

Example:

secrets, err := client.ListSecrets(ctx, secretsmanager.WithMaxResults(10))

func WithNameFilter

func WithNameFilter(prefix string) ListSecretsOption

WithNameFilter filters secrets by name prefix.

Example:

secrets, err := client.ListSecrets(ctx, secretsmanager.WithNameFilter("prod/"))

func WithTagFilter

func WithTagFilter(key, value string) ListSecretsOption

WithTagFilter filters secrets by tag.

Example:

secrets, err := client.ListSecrets(ctx, secretsmanager.WithTagFilter("env", "production"))

type SecretInfo

// SecretInfo contains metadata about a secret, as returned by DescribeSecret and
// ListSecrets. It has no field for the secret value; use the GetSecret* methods
// to read the value, so a SecretInfo can be logged without exposing it.
type SecretInfo struct {
	Name             string            // secret name, as passed to GetSecret* and DescribeSecret
	ARN              string            // ARN of the secret
	Description      string            // description (see WithCreateDescription)
	CreatedDate      time.Time         // creation time
	LastChangedDate  time.Time         // time the secret was last changed
	LastAccessedDate time.Time         // last access time; presumably zero if never accessed — confirm
	Tags             map[string]string // tags as key/value pairs (see WithCreateTags, WithTagFilter)
}

SecretInfo contains metadata about a secret.
