Optional Azure Key Vault integration for tsafe.
Pulls secrets from an Azure Key Vault and imports them into the local tsafe vault. The local vault remains the single source of truth — KV is purely a read source. No secret data is ever written back to Azure.
§Configuration (environment variables)
| Variable | Required | Description |
|---|---|---|
| TSAFE_AKV_URL | yes | Key Vault endpoint, e.g. https://myvault.vault.azure.net |
| AZURE_TENANT_ID | SP auth | AAD tenant ID |
| AZURE_CLIENT_ID | SP auth | Service principal / app registration client ID |
| AZURE_CLIENT_SECRET | SP auth | Service principal client secret |
If AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are all
set, a client-credentials token is obtained. Otherwise the IMDS managed
identity endpoint is tried automatically (works inside Azure VMs / ACI).
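As an added illustration (not code from tsafe itself), the selection rule above can be written as a pre-flight check that also reports a partially set service-principal configuration, in which case the rule falls through to IMDS. `AuthPath`, `SP_VARS` and `preflight` are hypothetical names; treating empty values as unset and requiring an `https://` endpoint are assumptions of this example.

```rust
use std::collections::HashMap;

/// Credential path selected by the documented rule (hypothetical type).
#[derive(Debug, PartialEq)]
enum AuthPath {
    /// All three AZURE_* variables are present: client-credentials flow.
    ServicePrincipal,
    /// Otherwise IMDS is tried. `partial` lists the AZURE_* variables that
    /// were set anyway, which usually points to a typo or incomplete deployment.
    ManagedIdentity { partial: Vec<&'static str> },
}

const SP_VARS: [&str; 3] = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"];

/// Hypothetical pre-flight helper; empty values count as unset (assumption).
fn preflight(env: &HashMap<String, String>) -> Result<AuthPath, String> {
    let is_set = |k: &str| env.get(k).map_or(false, |v| !v.trim().is_empty());
    // TSAFE_AKV_URL is required. Requiring https is an assumption of this
    // example: it keeps the bearer token off clear-text connections.
    let url = env.get("TSAFE_AKV_URL").map(|v| v.trim()).unwrap_or("");
    if url.is_empty() {
        return Err("TSAFE_AKV_URL is not set".into());
    }
    if !url.starts_with("https://") {
        return Err(format!("TSAFE_AKV_URL must be an https:// endpoint, got {}", url));
    }
    let present: Vec<&'static str> = SP_VARS.iter().copied().filter(|k| is_set(*k)).collect();
    if present.len() == SP_VARS.len() {
        Ok(AuthPath::ServicePrincipal)
    } else {
        Ok(AuthPath::ManagedIdentity { partial: present })
    }
}

fn main() {
    // Constructed sample environment: AZURE_CLIENT_SECRET is missing.
    let env: HashMap<String, String> = [
        ("TSAFE_AKV_URL", "https://myvault.vault.azure.net"),
        ("AZURE_TENANT_ID", "00000000-0000-0000-0000-000000000000"),
        ("AZURE_CLIENT_ID", "11111111-1111-1111-1111-111111111111"),
    ]
    .iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    println!("{:?}", preflight(&env));
}
```

A non-empty `partial` list is worth surfacing as a warning, because the identity used for the pull is then the host's managed identity rather than the service principal the operator configured.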
§Key normalisation
Key Vault secret names use hyphens (my-secret). On import they are
normalised to MY_SECRET (uppercase, hyphens → underscores) so they are
immediately usable as environment variables.
§Re-exports
pub use auth::acquire_token;
pub use config::KvConfig;
pub use error::KvError;
pub use keyvault::delete_secret;
pub use keyvault::pull_secrets;
pub use keyvault::push_secret;
pub use keyvault::PushOutcome;