tsafe_azure/lib.rs
//! Optional Azure Key Vault integration for tsafe.
//!
//! Pulls secrets from an Azure Key Vault and imports them into the local
//! tsafe vault. The local vault remains the single source of truth:
//! `pull_secrets` only **reads** from Key Vault and never writes secret data
//! back to Azure. The crate also re-exports `push_secret` and `delete_secret`,
//! which do modify the remote vault, so grant the identity `get`/`list`
//! permissions only unless those explicit write paths are actually needed.
//!
//! ## Configuration (environment variables)
//!
//! | Variable | Required | Description |
//! |------------------------|--------------|----------------------------------------------------------|
//! | `TSAFE_AKV_URL` | yes | Key Vault endpoint, e.g. `https://myvault.vault.azure.net` |
//! | `AZURE_TENANT_ID` | SP auth only | Azure AD (Entra ID) tenant ID |
//! | `AZURE_CLIENT_ID` | SP auth only | Service principal / app registration client ID |
//! | `AZURE_CLIENT_SECRET` | SP auth only | Service principal client secret |
//!
//! If `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET` are all
//! set, a client-credentials token is obtained from the tenant's token
//! endpoint. Otherwise the IMDS managed identity endpoint
//! (`http://169.254.169.254/metadata/identity/oauth2/token`, called with the
//! `Metadata: true` header) is tried automatically; this works inside Azure
//! VMs / ACI and needs no secret in the environment. Prefer managed identity
//! where it is available: a client secret held in an environment variable is
//! readable by any process that can inspect this process's environment.
//!
//! ## Key normalisation
//! Key Vault secret names use hyphens (`my-secret`). On import they are
//! normalised to `MY_SECRET` (uppercase, hyphens → underscores) so they are
//! immediately usable as environment variables. Key Vault names are limited
//! to ASCII letters, digits and hyphens and are case-insensitive, so the
//! mapping does not collide; a name that starts with a digit, however, maps
//! to an identifier that is not a valid POSIX environment variable name.

pub mod auth;
pub mod config;
pub mod error;
pub mod keyvault;

pub use auth::acquire_token;
pub use config::KvConfig;
pub use error::KvError;
pub use keyvault::{delete_secret, pull_secrets, push_secret, PushOutcome};
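The auth-selection rule and the key-normalisation rule from the module docs, worked through as an added, stand-alone example. This is not tsafe's own `config` or `keyvault` code; the types `AuthMode`, `ClientSecret`, `ConfigError` and the functions `vault_url`, `select_auth`, `normalise_key` are hypothetical names chosen here. It goes beyond the documented behaviour in two places, both stated in the comments: a *partial* set of the three service-principal variables is reported as an error instead of silently falling back to IMDS, and secret names are validated against the Key Vault character set and the POSIX environment-variable rule before they are mapped.

```rust
use std::collections::HashMap;
use std::fmt;

/// Client secret wrapper whose Debug output is redacted, so an accidental
/// `{:?}` of the config never leaks the secret into logs.
#[derive(Clone, PartialEq)]
pub struct ClientSecret(String);

impl fmt::Debug for ClientSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("ClientSecret([redacted])")
    }
}

/// Which token source the environment selects (hypothetical type, not tsafe's).
#[derive(Debug, PartialEq)]
pub enum AuthMode {
    ClientCredentials { tenant_id: String, client_id: String, secret: ClientSecret },
    ManagedIdentity,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    MissingVaultUrl,
    NotHttps(String),
    /// Lists the service-principal variables that are still missing.
    PartialServicePrincipal(Vec<&'static str>),
    BadSecretName(String),
}

static SP_VARS: [&str; 3] = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"];

/// Validate TSAFE_AKV_URL. Key Vault only speaks TLS, so anything that is not
/// an https:// URL is a misconfiguration, not something to retry over.
pub fn vault_url(env: &HashMap<String, String>) -> Result<String, ConfigError> {
    let url = env
        .get("TSAFE_AKV_URL")
        .map(|s| s.trim())
        .filter(|s| !s.is_empty())
        .ok_or(ConfigError::MissingVaultUrl)?;
    if !url.starts_with("https://") {
        return Err(ConfigError::NotHttps(url.to_string()));
    }
    Ok(url.trim_end_matches('/').to_string())
}

/// All three SP variables set -> client credentials; none set -> managed identity.
/// Deviation from the documented rule (assumption of this example): a partial
/// set is an error rather than a silent IMDS fallback, so a typo in one variable
/// cannot make the tool quietly authenticate as a different identity.
pub fn select_auth(env: &HashMap<String, String>) -> Result<AuthMode, ConfigError> {
    let get = |k: &str| {
        env.get(k).map(|v| v.trim()).filter(|v| !v.is_empty()).map(str::to_string)
    };
    let present: Vec<&'static str> =
        SP_VARS.iter().copied().filter(|&k| get(k).is_some()).collect();
    match present.len() {
        3 => Ok(AuthMode::ClientCredentials {
            tenant_id: get("AZURE_TENANT_ID").unwrap(),
            client_id: get("AZURE_CLIENT_ID").unwrap(),
            secret: ClientSecret(get("AZURE_CLIENT_SECRET").unwrap()),
        }),
        0 => Ok(AuthMode::ManagedIdentity),
        _ => {
            let missing = SP_VARS.iter().copied().filter(|k| !present.contains(k)).collect();
            Err(ConfigError::PartialServicePrincipal(missing))
        }
    }
}

/// Key Vault secret name -> environment-variable name as the docs describe
/// (uppercase, hyphen -> underscore), plus the checks the docs leave implicit:
/// Key Vault names are ASCII alphanumerics and hyphens only, and a POSIX
/// environment variable name may not start with a digit.
pub fn normalise_key(name: &str) -> Result<String, ConfigError> {
    if name.is_empty() || !name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-') {
        return Err(ConfigError::BadSecretName(name.to_string()));
    }
    let out: String = name
        .chars()
        .map(|c| if c == '-' { '_' } else { c.to_ascii_uppercase() })
        .collect();
    if out.as_bytes()[0].is_ascii_digit() {
        return Err(ConfigError::BadSecretName(name.to_string()));
    }
    Ok(out)
}

fn main() {
    // Constructed environment for the demo; nothing is read from the real process env.
    let env: HashMap<String, String> = [
        ("TSAFE_AKV_URL", "https://myvault.vault.azure.net/"),
        ("AZURE_TENANT_ID", "tenant"),
        ("AZURE_CLIENT_ID", "client"),
        ("AZURE_CLIENT_SECRET", "s3cr3t"),
    ]
    .iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect();
    println!("{:?}", vault_url(&env));
    println!("{:?}", select_auth(&env)); // the secret prints as [redacted]
    println!("{:?}", normalise_key("my-secret"));
}
```

`select_auth` takes a map rather than calling `std::env::vars()` directly so the decision is testable without touching the process environment; the caller builds the map from `std::env::vars()` once at start-up.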