tsafe-azure 1.0.3

Azure Key Vault integration for tsafe — optional secret pull.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

//! Optional Azure Key Vault integration for tsafe.
//!
//! Pulls secrets from an Azure Key Vault and imports them into the local
//! tsafe vault.  The local vault remains the single source of truth — KV
//! is purely a **read** source.  No secret data is ever written back to Azure.
//!
//! ## Configuration (environment variables)
//!
//! | Variable               | Required | Description                                              |
//! |------------------------|----------|----------------------------------------------------------|
//! | `TSAFE_AKV_URL`        | yes      | Key Vault endpoint, e.g. `https://myvault.vault.azure.net` |
//! | `AZURE_TENANT_ID`      | SP auth  | AAD tenant ID                                            |
//! | `AZURE_CLIENT_ID`      | SP auth  | Service principal / app registration client ID           |
//! | `AZURE_CLIENT_SECRET`  | SP auth  | Service principal client secret                          |
//!
//! If `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET` are all
//! set, a client-credentials token is obtained.  Otherwise the IMDS managed
//! identity endpoint is tried automatically (works inside Azure VMs / ACI).
//!
//! ## Key normalisation
//! Key Vault secret names use hyphens (`my-secret`).  On import they are
//! normalised to `MY_SECRET` (uppercase, hyphens → underscores) so they are
//! immediately usable as environment variables.

pub mod auth;
pub mod config;
pub mod error;
pub mod keyvault;

pub use auth::acquire_token;
pub use config::KvConfig;
pub use error::KvError;
pub use keyvault::{delete_secret, pull_secrets, push_secret, PushOutcome};