Struct AzureKeyVaultProvider

pub struct AzureKeyVaultProvider { /* private fields */ }

Azure Key Vault Column Master Key (CMK) provider.

This provider implements the KeyStoreProvider trait to support Always Encrypted operations using keys stored in Azure Key Vault. The CMK never leaves the vault: Column Encryption Keys (CEKs) are decrypted, and CMK metadata signed or verified, by calling Key Vault with the CMK path taken from SQL Server's column encryption metadata. The identity the provider authenticates with must therefore hold the key permissions those operations require, and nothing more.

§Thread Safety

This provider is Send + Sync and can be safely shared across threads.

Implementations§

impl AzureKeyVaultProvider

pub fn new() -> Result<Self, EncryptionError>

Create a new Azure Key Vault provider with default developer credentials.

This uses DeveloperToolsCredential, which tries multiple authentication methods in order:

  1. Azure CLI credentials (az login)
  2. Other developer tools (Visual Studio Code, etc.)

These credentials depend on a tool that is signed in on the local machine and are intended for development only. For production environments, use Self::with_credential with a credential suited to the deployment, such as a managed identity or a service principal, so that no interactive login state is required at runtime.

§Errors

Returns an error if credential initialization fails.

§Example
let provider = AzureKeyVaultProvider::new()?;

pub fn with_credential(credential: Arc<DeveloperToolsCredential>) -> Self

Create a new Azure Key Vault provider from an existing credential.

Use this when you need to share one credential across multiple providers, or when you construct the credential yourself instead of through Self::new. As declared above, this constructor takes Arc<DeveloperToolsCredential>; check the crate version you use for the credential types with_credential accepts before relying on it for managed-identity or service-principal authentication.

§Example
use std::sync::Arc;
use azure_identity::DeveloperToolsCredential;

// Build the credential once and hand out clones of the Arc to every provider that needs it.
let credential = Arc::new(DeveloperToolsCredential::new(None)?);
let provider = AzureKeyVaultProvider::with_credential(credential);

pub fn with_trusted_endpoints<I, S>(self, suffixes: I) -> Self
where I: IntoIterator<Item = S>, S: Into<String>,

Override the set of host suffixes a server-supplied CMK path may target.

The CMK path comes from the server's column encryption metadata, and the provider presents its Key Vault bearer token to whatever host that path names. By default only Microsoft-operated Key Vault / Managed HSM endpoints (.vault.azure.net, .managedhsm.azure.net, and the China / US-Gov / legacy-Germany variants) are accepted, so a malicious or compromised server cannot redirect key operations, and the token that accompanies them, to an attacker-controlled host.

Use this only for private or sovereign deployments with custom DNS. The list you pass replaces the default set, so include every suffix the deployment needs, pass only suffixes you fully control (e.g. ".vault.contoso.example"), and keep the leading dot as in that example so that a lookalike host such as evilvault.contoso.example cannot satisfy a suffix of vault.contoso.example. Replacing the list with an over-broad suffix re-opens the SSRF / token-exfiltration vector this guard closes.
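The check that with_trusted_endpoints configures, written out as an added example. This is not the crate's own implementation: it is a stand-alone host-suffix allowlist over std only, and the TrustedEndpoints type, the CmkPathError variants, and every CMK path and suffix in it are constructed for illustration. The default list carries only the two public suffixes named on this page; the sovereign-cloud variants are omitted. It shows the three things a practitioner should confirm about such a guard: the URL must be https with no userinfo, the suffix comparison must be anchored at a label boundary, and an override replaces the defaults rather than extending them.

```rust
// Added example, not the crate's own code: a host-suffix allowlist of the
// kind with_trusted_endpoints configures, using std only. Suffixes and CMK
// paths here are constructed for illustration.

#[derive(Debug, PartialEq, Eq)]
pub enum CmkPathError {
    /// Scheme is not https; a plaintext URL would leak the bearer token.
    NotHttps,
    /// No host component in the URL.
    NoHost,
    /// "user@host" forms are rejected outright rather than parsed.
    UserInfoPresent,
    /// Host does not end in a trusted suffix (the SSRF guard).
    UntrustedHost(String),
}

/// Host suffixes a server-supplied CMK path may target.
pub struct TrustedEndpoints {
    suffixes: Vec<String>,
}

impl TrustedEndpoints {
    /// The two public suffixes named on this page (sovereign variants omitted).
    pub fn defaults() -> Self {
        Self::from_suffixes([".vault.azure.net", ".managedhsm.azure.net"])
    }

    /// Replace the list, as with_trusted_endpoints does. Entries are lower-cased
    /// and given a leading dot so "vault.contoso.example" cannot be satisfied
    /// by "evilvault.contoso.example".
    pub fn from_suffixes<I, S>(suffixes: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        let suffixes = suffixes
            .into_iter()
            .map(|s| {
                let s = s.into().to_ascii_lowercase();
                if s.starts_with('.') { s } else { format!(".{s}") }
            })
            .collect();
        Self { suffixes }
    }

    /// Validate a CMK path and return its normalised host on success.
    pub fn check(&self, cmk_path: &str) -> Result<String, CmkPathError> {
        let host = host_of(cmk_path)?;
        let trusted = self
            .suffixes
            .iter()
            // Require at least one label before the suffix: ".vault.azure.net"
            // on its own is not a vault.
            .any(|sfx| host.len() > sfx.len() && host.ends_with(sfx.as_str()));
        if trusted { Ok(host) } else { Err(CmkPathError::UntrustedHost(host)) }
    }
}

/// Extract the host of an https URL without a URL crate. Anything unusual
/// (userinfo, empty host, non-https scheme) is rejected rather than guessed at.
fn host_of(url: &str) -> Result<String, CmkPathError> {
    let (scheme, rest) = url.split_once("://").ok_or(CmkPathError::NotHttps)?;
    if !scheme.eq_ignore_ascii_case("https") {
        return Err(CmkPathError::NotHttps);
    }
    // The authority ends at the first path, query or fragment delimiter
    // (backslash included, since some URL parsers treat it as a slash).
    let authority = rest
        .split(|c: char| matches!(c, '/' | '\\' | '?' | '#'))
        .next()
        .unwrap_or("");
    if authority.contains('@') {
        return Err(CmkPathError::UserInfoPresent);
    }
    // Drop an explicit port. A bracketed IPv6 literal becomes "[..." here,
    // which never matches a DNS suffix and so ends up rejected as untrusted.
    let host = authority.split_once(':').map_or(authority, |(h, _)| h);
    if host.is_empty() {
        return Err(CmkPathError::NoHost);
    }
    // Host names are ASCII case-insensitive. A trailing dot is kept, so
    // "myvault.vault.azure.net." fails the suffix match.
    Ok(host.to_ascii_lowercase())
}

fn main() {
    let trusted = TrustedEndpoints::defaults();
    for path in [
        "https://myvault.vault.azure.net/keys/cmk1/0123",
        "https://myvault.vault.azure.net.attacker.example/keys/cmk1/0123",
        "https://myvault.vault.azure.net@attacker.example/keys/cmk1/0123",
    ] {
        println!("{path} -> {:?}", trusted.check(path));
    }
}
```

When you do call with_trusted_endpoints on the real provider, remember the replace semantics shown by from_suffixes above: a sovereign deployment that also reads keys from public Key Vault must list both suffixes, and an entry as broad as ".net" makes the guard accept any host in that top-level domain.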

Trait Implementations§

impl Debug for AzureKeyVaultProvider

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl KeyStoreProvider for AzureKeyVaultProvider

fn provider_name(&self) -> &str

Returns the provider name as used in SQL Server metadata.

fn decrypt_cek<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, cmk_path: &'life1 str, algorithm: &'life2 str, encrypted_cek: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait,

Decrypt a Column Encryption Key (CEK) using the Column Master Key (CMK). The lifetimes above are the #[async_trait] expansion of async fn decrypt_cek(&self, cmk_path: &str, algorithm: &str, encrypted_cek: &[u8]) -> Result<Vec<u8>, EncryptionError>. Both cmk_path and algorithm come from the server's column encryption metadata; the host of cmk_path is checked against the trusted endpoint list before any Key Vault request is made.

fn sign_data<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, cmk_path: &'life1 str, data: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait,

Sign data using the Column Master Key (optional). Expansion of async fn sign_data(&self, cmk_path: &str, data: &[u8]) -> Result<Vec<u8>, EncryptionError>.

fn verify_signature<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, cmk_path: &'life1 str, data: &'life2 [u8], signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<bool, EncryptionError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait,

Verify a signature (optional). Expansion of async fn verify_signature(&self, cmk_path: &str, data: &[u8], signature: &[u8]) -> Result<bool, EncryptionError>.

Auto Trait Implementations§

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self). That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.