Azure Key Vault backend for SecretEnv.
Wraps the az CLI — never an Azure SDK. Every auth mode
az supports (interactive az login, service principal,
managed identity, federated credentials, Cloud Shell) works
transparently because the CLI resolves auth the way the user
already configured it.
URI shape
<instance>:///<secret-name>[#version=<id>] — scheme is the
instance name (e.g. azure-prod); path is the Key Vault secret
name. The optional #version=<id> directive pins a specific
version ID; <id> is a 32-character lowercase hex string (Azure
generates these server-side) OR the literal latest. When absent
or latest, the --version flag is omitted and az defaults to
the newest enabled version.
Config fields
- azure_vault_url (required) — fully-qualified Key Vault HTTPS URL. Validated at factory time against a regex covering all four sovereign clouds (Commercial, China, US Gov, Germany-legacy), rejecting path traversal and hyphen-edge vault names.
- azure_tenant (optional) — tenant ID or domain, passed via --tenant.
- azure_subscription (optional) — subscription ID, passed via --subscription.
- az_bin (test hook) — overrides the az binary path.
Safety
Every CLI call goes through Command::args([...]) with individual
&strs — never sh -c, never format! into a shell string. The
set path uses --file /dev/stdin --encoding utf-8 — the secret
value is piped through child stdin, NEVER on argv. The
--encoding utf-8 flag is REQUIRED when using --file; the
default base64 would interpret the stdin bytes as base64-encoded
and corrupt the stored secret.
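As an added example (not the crate's own code), here is how the URI shape above can be parsed and how the argv described in this Safety section is built: each token is its own element, --version is only emitted when pinned, and the set value travels over the child's stdin. It assumes the az keyvault secret show/set subcommands with --vault-name/--name, and that the vault name has already been derived from azure_vault_url.

```rust
use std::io::Write;
use std::process::{Command, Stdio};

/// Parsed `<instance>:///<secret-name>[#version=<id>]`. `version` is `None`
/// both when the directive is absent and for the literal `latest`.
#[derive(Debug, PartialEq)]
pub struct SecretRef { pub instance: String, pub name: String, pub version: Option<String> }

pub fn parse_secret_uri(uri: &str) -> Result<SecretRef, String> {
    let (head, frag) = uri.split_once('#').map_or((uri, None), |(h, f)| (h, Some(f)));
    let (instance, name) = head.split_once(":///").ok_or("expected <instance>:///<secret-name>")?;
    if instance.is_empty() || name.is_empty() || name.contains('/') {
        return Err(format!("bad secret uri: {uri}"));
    }
    let version = match frag.map(|f| f.strip_prefix("version=")) {
        None => None,
        Some(None) => return Err("only #version=<id> is supported".into()),
        Some(Some("latest")) => None,
        // Azure version ids are 32 lowercase hex characters.
        Some(Some(id)) if id.len() == 32
            && id.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f')) => Some(id.to_string()),
        Some(Some(_)) => return Err("version must be 32 lowercase hex chars or `latest`".into()),
    };
    Ok(SecretRef { instance: instance.into(), name: name.into(), version })
}

/// argv for reading a secret: no `sh -c`, no `format!` into a shell string.
/// (`--vault-name`/`--name` are assumed az flags; vault_name is derived elsewhere.)
pub fn show_args(vault_name: &str, r: &SecretRef, tenant: Option<&str>) -> Vec<String> {
    let mut a: Vec<String> = ["keyvault", "secret", "show", "--vault-name", vault_name, "--name", r.name.as_str()]
        .iter().map(|s| s.to_string()).collect();
    if let Some(v) = &r.version { a.push("--version".to_string()); a.push(v.clone()); }
    if let Some(t) = tenant { a.push("--tenant".to_string()); a.push(t.to_string()); }
    a
}

/// `az keyvault secret set` reading the value from stdin. `--encoding utf-8` is
/// mandatory with `--file`: the default base64 would decode (and corrupt) the bytes.
pub fn set_command(az_bin: &str, vault_name: &str, name: &str) -> Command {
    let mut cmd = Command::new(az_bin);
    cmd.args(["keyvault", "secret", "set", "--vault-name", vault_name, "--name", name,
              "--file", "/dev/stdin", "--encoding", "utf-8"])
        .stdin(Stdio::piped());
    cmd
}

/// Spawn the set command and pipe the secret value through the child's stdin,
/// so it never appears on argv (and therefore never in `ps` output or shell history).
pub fn set_secret(mut cmd: Command, value: &str) -> std::io::Result<bool> {
    let mut child = cmd.spawn()?;
    child.stdin.take().expect("stdin is piped").write_all(value.as_bytes())?;
    Ok(child.wait()?.success())
}
```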
See [[backends/azure]] in the kb for the full implementation spec.
Structs
- AzureBackend - A live instance of the Azure Key Vault backend.
- AzureFactory - Factory for the Azure Key Vault backend.