pub struct AzureKeyVaultProvider { /* private fields */ }Expand description
Azure Key Vault Column Master Key provider.
This provider implements the KeyStoreProvider trait to support
Always Encrypted operations using keys stored in Azure Key Vault.
§Thread Safety
This provider is Send + Sync and can be safely shared across threads.
Implementations§
Source§impl AzureKeyVaultProvider
impl AzureKeyVaultProvider
Sourcepub fn new() -> Result<Self, EncryptionError>
pub fn new() -> Result<Self, EncryptionError>
Create a new Azure Key Vault provider with default credentials.
This uses DeveloperToolsCredential which tries multiple authentication
methods in order:
- Azure CLI credentials (
az login) - Other developer tools (Visual Studio Code, etc.)
For production environments, use Self::with_credential with a specific
credential type such as managed identity or service principal.
§Errors
Returns an error if credential initialization fails.
§Example
let provider = AzureKeyVaultProvider::new()?;Sourcepub fn with_credential(credential: Arc<DeveloperToolsCredential>) -> Self
pub fn with_credential(credential: Arc<DeveloperToolsCredential>) -> Self
Create a new Azure Key Vault provider with an existing credential.
Use this when you need to share a credential across multiple providers.
§Example
use azure_identity::DeveloperToolsCredential;
let credential = Arc::new(DeveloperToolsCredential::new(None)?);
let provider = AzureKeyVaultProvider::with_credential(credential);Sourcepub fn with_trusted_endpoints<I, S>(self, suffixes: I) -> Self
pub fn with_trusted_endpoints<I, S>(self, suffixes: I) -> Self
Override the set of host suffixes a server-supplied CMK path may target.
By default only Microsoft-operated Key Vault / Managed HSM endpoints
(.vault.azure.net, .managedhsm.azure.net, and the China / US-Gov /
legacy-Germany variants) are accepted, so a malicious server cannot
redirect key operations to an attacker-controlled host.
Use this only for private or sovereign deployments with custom DNS, and
pass suffixes you fully control (e.g. ".vault.contoso.example").
Replacing the list with an over-broad suffix re-opens the SSRF /
token-exfiltration vector this guard closes.