Crate llm_shield_cloud_azure

Crate llm_shield_cloud_azure 

Source
Expand description

Azure cloud integrations for LLM Shield.

This crate provides Azure-specific implementations of the cloud abstraction traits defined in llm-shield-cloud:

  • Secret Management: Azure Key Vault via AzureKeyVault
  • Object Storage: Azure Blob Storage via AzureBlobStorage
  • Metrics: Azure Monitor Metrics via AzureMonitorMetrics
  • Logging: Azure Monitor Logs via AzureMonitorLogs

§Features

  • Automatic credential discovery (env, Azure CLI, managed identity)
  • Built-in caching for secrets (TTL-based)
  • Block blob uploads for large objects (>4MB)
  • Batched metrics and log export for efficiency
  • Full support for Azure retry and timeout policies

§Architecture

┌─────────────────────────────────────┐
│   LLM Shield Application            │
└─────────────────────────────────────┘
                │
                ▼
┌─────────────────────────────────────┐
│   llm-shield-cloud (traits)         │
│   - CloudSecretManager              │
│   - CloudStorage                    │
│   - CloudMetrics/Logger             │
└─────────────────────────────────────┘
                │
                ▼
┌─────────────────────────────────────┐
│   llm-shield-cloud-azure (impl)     │
│   - AzureKeyVault                   │
│   - AzureBlobStorage                │
│   - AzureMonitorMetrics/Logs        │
└─────────────────────────────────────┘
                │
                ▼
┌─────────────────────────────────────┐
│   Azure Services                    │
│   - Key Vault                       │
│   - Blob Storage                    │
│   - Azure Monitor                   │
└─────────────────────────────────────┘

§Usage Examples

§Secret Management

use llm_shield_cloud_azure::AzureKeyVault;
use llm_shield_cloud::CloudSecretManager;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize with vault URL
    let vault = AzureKeyVault::new("https://my-vault.vault.azure.net").await?;

    // Fetch a secret (automatically cached for 5 minutes)
    let api_key = vault.get_secret("openai-api-key").await?;
    println!("API Key: {}", api_key.as_string());

    // List all secrets
    let secret_names = vault.list_secrets().await?;
    println!("Found {} secrets", secret_names.len());

    Ok(())
}

§Object Storage

use llm_shield_cloud_azure::AzureBlobStorage;
use llm_shield_cloud::{CloudStorage, PutObjectOptions};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let storage = AzureBlobStorage::new(
        "mystorageaccount",
        "models"
    ).await?;

    // Upload a model (automatically uses block blobs for files >4MB)
    let model_data = tokio::fs::read("toxicity-model.onnx").await?;
    storage.put_object("toxicity.onnx", &model_data).await?;

    // Upload with options
    let options = PutObjectOptions {
        content_type: Some("application/octet-stream".to_string()),
        ..Default::default()
    };
    storage.put_object_with_options("model.onnx", &model_data, &options).await?;

    // Download and verify
    let downloaded = storage.get_object("toxicity.onnx").await?;
    assert_eq!(model_data, downloaded);

    Ok(())
}

§Metrics

use llm_shield_cloud_azure::AzureMonitorMetrics;
use llm_shield_cloud::{CloudMetrics, Metric};
use std::collections::HashMap;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let metrics = AzureMonitorMetrics::new(
        "/subscriptions/sub-id/resourceGroups/rg/providers/...",
        "eastus"
    ).await?;

    let mut dimensions = HashMap::new();
    dimensions.insert("environment".to_string(), "production".to_string());

    let metric = Metric {
        name: "scan_duration".to_string(),
        value: 123.45,
        timestamp: std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)?
            .as_secs(),
        dimensions,
        unit: Some("Milliseconds".to_string()),
    };

    metrics.export_metric(&metric).await?;

    Ok(())
}

§Logging

use llm_shield_cloud_azure::AzureMonitorLogs;
use llm_shield_cloud::{CloudLogger, LogLevel, LogEntry};
use std::collections::HashMap;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let logger = AzureMonitorLogs::new(
        "workspace-id",
        "shared-key",
        "LLMShieldLog"
    ).await?;

    // Simple logging
    logger.log("API server started", LogLevel::Info).await?;

    // Structured logging
    let mut labels = HashMap::new();
    labels.insert("request_id".to_string(), "req-123".to_string());

    let entry = LogEntry {
        timestamp: std::time::SystemTime::now(),
        level: LogLevel::Info,
        message: "Request processed successfully".to_string(),
        labels,
        trace_id: Some("trace-789".to_string()),
        span_id: Some("span-012".to_string()),
    };

    logger.log_structured(&entry).await?;

    Ok(())
}

§Azure Credentials

This crate uses DefaultAzureCredential which tries:

  1. Environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
  2. Azure CLI: az login credentials
  3. Managed Identity: For Azure VMs, App Service, Container Apps, etc.

§RBAC Permissions

Required Azure RBAC permissions are documented in rbac-roles/ directory:

  • key-vault-role.json: Key Vault permissions
  • storage-role.json: Blob Storage permissions
  • monitor-role.json: Azure Monitor permissions

§Configuration

Configure Azure integrations via CloudConfig:

cloud:
  provider: azure
  azure:
    key_vault:
      vault_url: https://my-vault.vault.azure.net
      cache_ttl_seconds: 300
    storage:
      account_name: mystorageaccount
      container_name: models
    monitor:
      workspace_id: workspace-id
      log_type: LLMShieldLog

§Performance

  • Secret caching: >90% cache hit rate reduces API calls
  • Block blob uploads: Automatically used for objects >4MB
  • Batch export: Metrics (20/batch) and logs (100/batch)
  • Async operations: All I/O is fully asynchronous with tokio

§Testing

Run unit tests:

cargo test -p llm-shield-cloud-azure

§License

MIT OR Apache-2.0

Re-exports§

pub use observability_stub::AzureMonitor;
pub use observability_stub::AzureAppInsights;
pub use secrets_stub::AzureKeyVault;
pub use storage_stub::AzureBlobStorage;

Modules§

observability_stub
Stub implementation for Azure observability (monitoring and logging).
secrets_stub
Stub implementation for Azure Key Vault.
storage_stub
Stub implementation for Azure Blob Storage.

Structs§

GetObjectOptions
Options for downloading objects.
LogEntry
Structured log entry.
Metric
Metric data point.
ObjectMetadata
Metadata about a storage object.
PutObjectOptions
Options for uploading objects.
SecretMetadata
Metadata about a secret.
SecretValue
Represents a secret value that can be stored and retrieved.

Enums§

CloudError
Unified cloud error type for all cloud operations.
LogLevel
Log severity level.

Constants§

LIB_NAME
Crate name
VERSION
Crate version

Traits§

CloudLogger
Unified trait for cloud logging.
CloudMetrics
Unified trait for cloud metrics export.
CloudSecretManager
Unified trait for cloud secret management.
CloudStorage
Unified trait for cloud object storage.

Type Aliases§

Result
Result type alias for cloud operations.