Add support for GCP Secret Manager

2025-09-08 10:40:25 +02:00
parent 8e2706784b
commit e4e4bf9be4
6 changed files with 281 additions and 14 deletions
--- a/aws.go
+++ b/aws.go
@@ -4,24 +4,44 @@ import (
 	"context"

 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
 )

 type awskms struct {
+	options *providerOptions
 	service *kms.Client
 }

-// AWSKeyManagement uses AWS KMS for decrypting blobs.
+// AWSKeyManagementService uses AWS KMS for decrypting blobs.
 //
 // The keys passed in GetSecret are the encrypted blobs and will be converted with [ToBinary].
-func AWSKeyManagement(options ...func(*config.LoadOptions) error) (Provider, error) {
-	config, err := config.LoadDefaultConfig(context.TODO(), options...)
+func AWSKeyManagementService(opts ...Option) (Provider, error) {
+	var options = newProviderOptions(opts...)
+
+	var awsOptions []func(*config.LoadOptions) error
+	if options.clientID != "" {
+		// Configure OAuth
+		awsOptions = append(awsOptions, config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(options.clientID, options.secretID, "")))
+	}
+	if options.region != "" {
+		awsOptions = append(awsOptions, config.WithRegion(options.region))
+	}
+
+	config, err := config.LoadDefaultConfig(context.Background(), awsOptions...)
 	if err != nil {
 		return nil, err
 	}

-	return awskms{kms.NewFromConfig(config)}, nil
+	if options.region != "" {
+		config.Region = options.region
+	}
+
+	return awskms{
+		options: options,
+		service: kms.NewFromConfig(config),
+	}, nil
 }

 func (p awskms) GetSecret(key string) (value []byte, err error) {