question: Using secrets plugins
I saw references to the secrets configuration section and found caddy-security-secrets-aws-secrets-manager.
Based on that, I was planning to write a secrets plugin for integrating with Azure Key Vault, but decided to test out the above AWS plugin first. I was able to build caddy-security-secrets-aws-secrets-manager after updating some of the aws sdk dependencies and used the example config as a starting point. When running caddy I see messages about the security.secrets.aws_secrets_manager plugin being provisioned and validated, however none of the configuration values where I used "secrets:..." seem to be populated from secrets manager.
Is the plugin system for secrets functional?
@adg-mh , this separate repo was an attempt to make “plugin of plugin” thin. i.e. if anyone wants to extend caddy-security, they can then create their own repo with the plugin.
In your case, you would create “caddy-security-secrets-azure-key-vault” and implement similar interface as aws secrets manager.
Thanks for your quick reply.
That was my plan, but I can't get the existing caddy-security-secrets-aws-secrets-manager plugin to work as a reference.
The logs show the caddy-security-secrets-aws-secrets-manager plugin is provisioned/validated, but I don't see where GetSecret/GetSecretByKey are ever used in caddy-security & I don't see that the "secrets:..." values are ever substituted. So, I wasn't sure the interface was finished.
@adg-mh , share your repo where you are implementing azure vault. Also, are you building by referencing your repo as a plugin?
@adg-mh , also, share some info about yourself. Don’t like to deal with ghosts.
I haven't started building the azure key vault plugin yet. I'm first attempting to get your existing caddy-security-secrets-aws-secrets-manager plugin working.
I could not find where GetSecret/GetSecretByKey methods are used in caddy-security and the config values substituted. So, I was able to get your plugin to build and load, but it was not clear that this interface was functional yet.
I'll work on updating my profile. Thanks again.
It is supposed to work in the same way as it is described in the readme of the plugin. You would have to double check that.
Started working on these plugins but never finished them.
https://github.com/greenpau/go-authcrunch?tab=readme-ov-file#plugins
Yes, I've tested the README as a guide. Here are the details of the steps I took for anyone else that might start down this path:
Followed the directions here and created the example secrets in AWS. Verified using aws cli:
$ aws secretsmanager get-secret-value --secret-id authcrunch/caddy/users/jsmith
{
    "ARN": "arn:aws:secretsmanager:us-east-2:090785339641:secret:authcrunch/caddy/users/jsmith-CORlke",
    "Name": "authcrunch/caddy/users/jsmith",
    "VersionId": "17b8da71-f119-4b98-adb7-1ca6886e8b39",
    "SecretString": "{\"username\":\"jsmith\",\"password\":\"bcrypt:10:$2a$10$iqq53VjdCwknBSBrnyLd9OH1Mfh6kqPezMMy6h6F41iLdVDkj13I6\",\"api_key\":\"bcrypt:10:$2a$10$TEQ7ZG9cAdWwhQK36orCGOlokqQA55ddE0WEsl00oLZh567okdcZ6\",\"email\":\"[email protected]\",\"name\":\"John Smith\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1755961303.346
}
$ aws secretsmanager get-secret-value --secret-id authcrunch/caddy/access_token
{
    "ARN": "arn:aws:secretsmanager:us-east-2:090785339641:secret:authcrunch/caddy/access_token-wqq0lp",
    "Name": "authcrunch/caddy/access_token",
    "VersionId": "1180b29e-74db-4618-a500-4de7a954b788",
    "SecretString": "{\"id\":\"0\",\"usage\":\"sign-verify\",\"value\":\"b006d65b-c923-46a1-8da1-7d52558508fe\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1755961769.713
}
Used xcaddy to build with caddy-security and caddy-security-secrets-aws-secrets-manager plugins.
I had to upgrade aws sdk dependencies due to this issue
$ xcaddy build \
    --with github.com/greenpau/caddy-security \
    --with github.com/greenpau/caddy-security-secrets-aws-secrets-manager \
    --replace=github.com/aws/[email protected] \
    --replace=github.com/aws/aws-sdk-go-v2/[email protected] \
    --replace=github.com/aws/aws-sdk-go-v2/service/[email protected]
Verified both modules were included:
$ caddy list-modules
<snip>
Standard modules: 127
http.authentication.providers.authorizer
http.handlers.authenticator
security
security.secrets.aws_secrets_manager
Non-standard modules: 4
Unknown modules: 0
Created Caddyfile based on example here
{
    security {
        secrets aws_secrets_manager access_token {
            region us-east-2
            path authcrunch/caddy/access_token
        }
        secrets aws_secrets_manager users/jsmith {
            region us-east-2
            path authcrunch/caddy/users/jsmith
        }
        local identity store localdb {
            realm local
            path users.json
            user jsmith {
                name "secrets:users/jsmith:name"
                email "secrets:users/jsmith:email"
                password "secrets:users/jsmith:password" overwrite
                roles authp/admin authp/user
            }
        }
        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify "secrets:access_token:value"
            enable identity store localdb
        }
    }
}
http://localhost:5002 {
    bind 127.0.0.1
    route /* {
        authenticate with myportal
    }
}
When attempting to run caddy, the secrets plugin instances are provisioned and validated, but Caddy fails to start with the following log:
2025/08/23 15:31:21.377 INFO maxprocs: Leaving GOMAXPROCS=16: CPU quota undefined
2025/08/23 15:31:21.377 INFO GOMEMLIMIT is updated {"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 45616873881, "previous": 9223372036854775807}
2025/08/23 15:31:21.379 INFO using adjacent Caddyfile
2025/08/23 15:31:21.385 INFO adapted config to JSON {"adapter": "caddyfile"}
2025/08/23 15:31:21.386 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies {"adapter": "caddyfile", "file": "Caddyfile", "line": 39}
2025/08/23 15:31:21.395 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/08/23 15:31:21.395 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000c9a800"}
2025/08/23 15:31:21.395 INFO security provisioning app instance {"app": "security"}
2025/08/23 15:31:21.401 INFO security.secrets.aws_secrets_manager provisioning plugin instance {"plugin_name": "security.secrets.aws_secrets_manager"}
2025/08/23 15:31:21.402 INFO security.secrets.aws_secrets_manager provisioned plugin instance {"plugin_name": "security.secrets.aws_secrets_manager"}
2025/08/23 15:31:21.402 INFO security.secrets.aws_secrets_manager validating plugin instance {"plugin_name": "security.secrets.aws_secrets_manager", "secret_id": "access_token"}
2025/08/23 15:31:21.657 INFO security.secrets.aws_secrets_manager validated plugin instance {"plugin_name": "security.secrets.aws_secrets_manager", "secret_id": "access_token"}
2025/08/23 15:31:21.657 INFO security.secrets.aws_secrets_manager provisioning plugin instance {"plugin_name": "security.secrets.aws_secrets_manager"}
2025/08/23 15:31:21.658 INFO security.secrets.aws_secrets_manager provisioned plugin instance {"plugin_name": "security.secrets.aws_secrets_manager"}
2025/08/23 15:31:21.664 INFO security.secrets.aws_secrets_manager validating plugin instance {"plugin_name": "security.secrets.aws_secrets_manager", "secret_id": "users/jsmith"}
2025/08/23 15:31:21.842 INFO security.secrets.aws_secrets_manager validated plugin instance {"plugin_name": "security.secrets.aws_secrets_manager", "secret_id": "users/jsmith"}
2025/08/23 15:31:21.842 INFO security identity store authenticator configuration {"kind": "local", "db_path": "users.json"}
2025/08/23 15:31:21.893 ERROR security failed provisioning app server instance {"app": "security", "error": "server initialization failed: failed configuring identity store: failed adding user \"jsmith\": invalid email address"}
2025/08/23 15:31:21.893 INFO http servers shutting down with eternal grace period
Note error:
failed provisioning app server instance {"app": "security", "error": "server initialization failed: failed configuring identity store: failed adding user \"jsmith\": invalid email address"}
I updated the logging here to include the email string being checked and see
2025/08/23 15:42:29.762 ERROR security failed provisioning app server instance {"app": "security", "error": "server initialization failed: failed configuring identity store: failed adding user \"jsmith\": invalid email address `secrets:users/jsmith:email`"}
So it seems to me that the "secrets:..." values are not being substituted before being used, as the string being passed to NewEmailAddress() is secrets:users/jsmith:email.
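As an added illustration of the substitution step the thread finds missing (example code written for this page, not go-authcrunch's or the AWS plugin's own code; the SecretStore interface and memStore type are hypothetical and only borrow the GetSecretByKey name mentioned above): a resolver that parses the secrets:<id>:<key> references used in the Caddyfile, reads them from the store registered under that id, and fails fast so a literal like secrets:users/jsmith:email never reaches a validator such as the email check.

```go
package main

import "fmt"
import "strings"

// SecretStore is a hypothetical interface named after the GetSecretByKey
// method mentioned in the thread; it is not go-authcrunch's real interface.
type SecretStore interface {
	GetSecretByKey(key string) (string, error)
}
// memStore stands in for a provisioned aws_secrets_manager instance (constructed data).
type memStore map[string]string
func (s memStore) GetSecretByKey(key string) (string, error) {
	if v, ok := s[key]; ok {
		return v, nil
	}
	return "", fmt.Errorf("key %q not present in secret", key)
}

// ResolveSecretRef splits "secrets:users/jsmith:email" into id "users/jsmith" and key
// "email" (the id may contain '/', so split on the LAST ':'). Plain values pass through.
func ResolveSecretRef(value string, stores map[string]SecretStore) (string, error) {
	ref, isRef := strings.CutPrefix(value, "secrets:")
	if !isRef {
		return value, nil
	}
	i := strings.LastIndex(ref, ":")
	if i <= 0 || i == len(ref)-1 {
		return "", fmt.Errorf("malformed reference %q: want secrets:<id>:<key>", value)
	}
	store, ok := stores[ref[:i]]
	if !ok {
		return "", fmt.Errorf("%q: no secrets plugin configured with id %q", value, ref[:i])
	}
	return store.GetSecretByKey(ref[i+1:])
}

// ResolveAll substitutes every value of a flat config map before any validator sees it,
// failing on the first unresolvable reference rather than letting the literal through.
func ResolveAll(cfg map[string]string, stores map[string]SecretStore) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		r, err := ResolveSecretRef(v, stores)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = r
	}
	return out, nil
}
```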