Overview
Package env implements the env:// secret provider for the audit library. Resolves secrets from process environment variables.
Reference syntax
ref+env://VAR_NAME
The path is the variable name and MUST match the POSIX portable form `[A-Z_][A-Z0-9_]*` (uppercase letters, digits and underscore, not starting with a digit). Fragments (`ref+env://VAR_NAME#...`) are not supported and are rejected with an error.
When to use
Use env:// for development, CI, and small deployments where secrets are passed via the process environment. For production Kubernetes deployments, prefer the file:// provider (github.com/axonops/audit/secrets/file) reading from a mounted secret under `/var/run/secrets/...`, because env values are visible to any process running as the same UID via `/proc/PID/environ` and are inherited by every child process the auditor spawns.
Registration
Blank-import the package to register the provider with the outputconfig loader:
import _ "github.com/axonops/audit/secrets/env"
Threat model
Environment variables are visible to any process running as the same UID via `/proc/PID/environ` on Linux (the file is readable by the process owner, by root, and by anything holding ptrace permission over the target) or via equivalent per-platform mechanisms. They also appear briefly in process listings when set on the command line with the `env` utility (`env VAR=value cmd`), because the assignment is part of `env`'s argv until it execs the target. Finally, the environment is inherited by every child process, so a secret handed to the auditor is also handed to anything it spawns. For stronger isolation use file:// (filesystem permissions on the secret file) or vault/openbao (out-of-process secret store with audit log).
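The exposure described above can be checked directly. The following is an added example, not code from the audit library: it parses the NUL-separated `/proc/PID/environ` format, reads it for a given PID, and reports only the names (never the values) that look like credentials. The name heuristic `secretNameRE` and the function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// ParseEnviron decodes the NUL-separated KEY=VALUE records of a
// /proc/PID/environ file. Records without '=' are skipped.
func ParseEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, rec := range strings.Split(string(raw), "\x00") {
		if rec == "" {
			continue
		}
		k, v, ok := strings.Cut(rec, "=")
		if !ok {
			continue
		}
		env[k] = v
	}
	return env
}

// ProcEnviron reads the environment of pid. On Linux the file is mode 0400
// and owned by the process owner, so this succeeds for any process with the
// caller's UID (or any process at all for root / CAP_SYS_PTRACE) and fails
// with a permission error otherwise; on non-Linux hosts the path is absent.
func ProcEnviron(pid int) (map[string]string, error) {
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/environ", pid))
	if err != nil {
		return nil, err
	}
	return ParseEnviron(raw), nil
}

// secretNameRE is a constructed heuristic (an assumption of this example) for
// variable names that usually hold credentials; adjust it to local naming.
var secretNameRE = regexp.MustCompile(`(?i)(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)`)

// SecretLikeNames returns, sorted, the names in env that look like secrets.
// Only names are returned so that the scan itself does not become a leak.
func SecretLikeNames(env map[string]string) []string {
	var names []string
	for k := range env {
		if secretNameRE.MatchString(k) {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Inspect our own process; the same read works for any other PID owned
	// by this UID, which is exactly the exposure the threat model describes.
	env, err := ProcEnviron(os.Getpid())
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read environ (non-Linux or not permitted):", err)
		os.Exit(1)
	}
	fmt.Printf("%d variables visible; secret-looking names: %v\n", len(env), SecretLikeNames(env))
}
```

Run it as the auditor's UID against the auditor's PID to see what any same-UID process could read; run it as an unprivileged different user to confirm the read is refused.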
Constants
const Scheme = "env"
Scheme is the URI scheme this provider handles. Use it as the scheme component in `ref+env://VAR_NAME` references.
Variables
This section is empty.
Functions
This section is empty.
Types
type Provider
type Provider struct{}
Provider implements secrets.SecretProvider for environment-variable secret references. The zero value is ready to use; the provider is stateless and safe for concurrent use by multiple goroutines.
func New
func New() *Provider
New returns a new env:// secret provider. The provider is stateless and accepts no configuration.
func (*Provider) Close
Close is a no-op. The env provider holds no resources to release. Idempotent; safe to call multiple times.
func (*Provider) Resolve
Resolve fetches the value of the environment variable named by ref.Path. Returns secrets.ErrSecretResolveFailed when the variable is unset or set to an empty string. Empty audit secrets are never legitimate, so set-to-empty is treated identically to unset.
The variable name in the input ref is NOT echoed in the error message: knowing which environment variable a config consults is itself information a log scraper should not gain. The returned error therefore only tells the caller that resolution failed; check it with errors.Is against secrets.ErrSecretResolveFailed. The specific cause (unset, empty, or invalid name) is recorded only in the auditor's slog diagnostic output, which normally goes to stderr rather than to a log aggregator, and that is where to look when debugging locally.
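The reference syntax rules and the Resolve semantics above (name validation, fragment rejection, empty treated as unset, no echo of the variable name in the returned error, cause only in the slog diagnostic) are shown together in the following added example. It is illustrative code written for this page, not the audit library's implementation: `ErrSecretResolveFailed`, `Ref`, `ParseEnvRef`, `EnvProvider` and the injectable `lookup` function are stand-ins chosen here, and `AUDIT_WEBHOOK_TOKEN` is a made-up variable name.

```go
package main

import (
	"errors"
	"fmt"
	"log/slog"
	"os"
	"regexp"
	"strings"
)

// Stand-ins (assumptions of this example) for the library's sentinel error
// and parsed-reference type; they are not the library's real declarations.
var ErrSecretResolveFailed = errors.New("secret resolve failed")

// Ref is the parsed form of "ref+env://VAR_NAME" used by this example.
type Ref struct {
	Scheme string // always "env" here
	Path   string // the variable name
}

// envNameRE is the POSIX portable form the page requires for the name.
var envNameRE = regexp.MustCompile(`^[A-Z_][A-Z0-9_]*$`)

// ParseEnvRef parses a ref+env:// reference. Fragments, queries and extra
// path segments are rejected, and the offending input is never echoed.
func ParseEnvRef(s string) (Ref, error) {
	const prefix = "ref+env://"
	if !strings.HasPrefix(s, prefix) {
		return Ref{}, fmt.Errorf("%w: not a ref+env:// reference", ErrSecretResolveFailed)
	}
	name := strings.TrimPrefix(s, prefix)
	if strings.ContainsAny(name, "#?/") {
		return Ref{}, fmt.Errorf("%w: fragments, queries and sub-paths are not supported", ErrSecretResolveFailed)
	}
	if !envNameRE.MatchString(name) {
		return Ref{}, fmt.Errorf("%w: variable name is not of the form [A-Z_][A-Z0-9_]*", ErrSecretResolveFailed)
	}
	return Ref{Scheme: "env", Path: name}, nil
}

// EnvProvider resolves Refs from the process environment. lookup is
// injectable so the rules can be exercised without touching the real
// environment; NewEnvProvider wires in os.LookupEnv.
type EnvProvider struct {
	lookup func(string) (string, bool)
	log    *slog.Logger
}

// NewEnvProvider returns a provider backed by os.LookupEnv; nil selects
// slog.Default() for diagnostics.
func NewEnvProvider(log *slog.Logger) *EnvProvider {
	return NewEnvProviderWith(os.LookupEnv, log)
}

// NewEnvProviderWith lets the caller supply the lookup function.
func NewEnvProviderWith(lookup func(string) (string, bool), log *slog.Logger) *EnvProvider {
	if log == nil {
		log = slog.Default()
	}
	return &EnvProvider{lookup: lookup, log: log}
}

// Resolve returns the variable's value. Unset and set-to-empty both yield an
// error wrapping ErrSecretResolveFailed with an identical, name-free message;
// the distinction goes only to the local diagnostic log.
func (p *EnvProvider) Resolve(ref Ref) (string, error) {
	val, set := p.lookup(ref.Path)
	switch {
	case !set:
		p.log.Warn("env secret not resolvable", "var", ref.Path, "reason", "unset")
	case val == "":
		p.log.Warn("env secret not resolvable", "var", ref.Path, "reason", "empty")
	default:
		return val, nil
	}
	return "", fmt.Errorf("%w: variable unset or empty", ErrSecretResolveFailed)
}

// Close is a no-op, mirroring the documented provider.
func (p *EnvProvider) Close() error { return nil }

func main() {
	// Constructed demo environment for this run.
	os.Setenv("AUDIT_WEBHOOK_TOKEN", "s3cr3t")
	os.Setenv("AUDIT_EMPTY", "")
	p := NewEnvProvider(nil)
	defer p.Close()
	for _, in := range []string{
		"ref+env://AUDIT_WEBHOOK_TOKEN",
		"ref+env://AUDIT_EMPTY",
		"ref+env://AUDIT_UNSET",
		"ref+env://AUDIT_WEBHOOK_TOKEN#v2",
		"ref+env://audit_webhook_token",
	} {
		ref, err := ParseEnvRef(in)
		if err == nil {
			_, err = p.Resolve(ref) // value deliberately not printed
		}
		fmt.Printf("%-36s -> err=%v (ErrSecretResolveFailed: %t)\n", in, err, errors.Is(err, ErrSecretResolveFailed))
	}
}
```

Note that the slog lines carry the variable name while the returned errors do not; that split is the property callers should preserve if they wrap or re-log the error.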