Trait KeyFetch 

pub trait KeyFetch: Send + Sync {
    // Required methods
    fn fetch(&self, ctx: &FetchContext) -> Result<RawKey>;
    fn describe(&self) -> Cow<'_, str>;
}

Pluggable source of key material.

Implementors describe themselves through KeyFetch::describe; that name appears in audit events and in Error::Acquisition when the fetcher fails.

Implementor contract

• No retries. A failure to find a key is a configuration error from the vault’s perspective; the fetcher should report it once and return.
• No caching. The fetcher is called once per key registration. Caching inside the fetcher defeats the vault’s storage discipline.
• Sanitized errors. Returned errors must not include key material or any secret-equivalent value (passwords, tokens, file contents).
• Send + Sync. The vault may invoke the fetcher from any thread.

Required Methods

fn fetch(&self, ctx: &FetchContext) -> Result<RawKey>

Acquire raw key material from the underlying source.

Errors

Returns Error::Acquisition when the source is reachable but the key cannot be obtained (missing entry, permission denied, decryption failure). The source field of the error must match the value returned by KeyFetch::describe.

fn describe(&self) -> Cow<'_, str>

Short, machine-friendly identifier for this fetcher (e.g. "keychain", "file", "env"). Used for audit records and error attribution.

The returned value should be stable across calls and free of secret information.

Implementors

impl KeyFetch for EnvFetch

Available on crate feature fetcher-env only.

impl KeyFetch for FileFetch

Available on crate feature fetcher-file only.

impl KeyFetch for KeychainFetch

Available on crate feature fetcher-keychain only.

impl KeyFetch for TpmFetch

Available on crate feature fetcher-tpm only.