Today, the pkg/storage/database package is responsible for fetching the credentials for a database. That interface contains a function called GetDestinationCredentials().

We want to refactor the code to use a separate package for managing secrets.

Step 1: Create pkg/storage/vault package

This will follow the same pattern as the pkg/storage/blobstore package, where different storage types can be configured.

• The new vault package should have an interface which has two functions: GetCredential(name string) string and SetCredential(name, value string)
• There should be a default implementation called memory which just returns credentials from config.Destination in YAML. The implementation should basically be identical to the existing functionality here.
• There should be a new configuration section in our yaml file called vault which has the same format as the database section (type and settings.)

Step 2: Refactor code to use the new vault package instead of database

• Delete the GetDestinationCredentials() function from the Database interface.
• Refactor the code to use our new vault instead. This means updating GetStorageServices() to include a Vault as part of the struct and replacing any use of GetDestinationCredentials() to use our new vault instead

Step 3: AWS Secrets Manager

Create a new implementation of the Vault interface which uses AWS Secrets manager

• Create a new package under vault for AWS.
• Use the go-v2 API to implement the vault interface
• The configuration file should take AWS credentials (access id, secret key) along with a prefix. When keys are created or retrieved, we should add this prefix.