feat(router): add support for azure key vault as secret manager #7330

Open · wants to merge 3 commits into base: main

Conversation

@Rafee-Mohamed commented Feb 20, 2025

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

Implement Azure Key Vault support for secret management and encryption management in external_services, similar to the available AWS KMS, HashiCorp Vault and plaintext implementations. This can be used to securely store sensitive configuration settings.

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Fixes #6181

How did you test it?

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

Implement Azure Key Vault support for secret management and encryption management in external_services.
This can be used to securely store sensitive configuration settings.

Fixes juspay#6181
@Rafee-Mohamed Rafee-Mohamed requested a review from a team as a code owner February 20, 2025 13:43
semanticdiff-com bot commented Feb 20, 2025

Changed Files:

  • Cargo.lock (unsupported file format)
  • crates/external_services/Cargo.toml (unsupported file format)
  • crates/external_services/src/azure_key_vault.rs (0% smaller)
  • crates/external_services/src/azure_key_vault/core.rs (0% smaller)
  • crates/external_services/src/azure_key_vault/implementers.rs (0% smaller)
  • crates/external_services/src/lib.rs (0% smaller)

@Rafee-Mohamed (Author) commented Feb 20, 2025

Hi everyone,

This is my first pull request to Hyperswitch. The issue is not yet fully resolved and I require further guidance on resolving it. I have a few doubts which I will raise in the issue comments. I would appreciate any feedback or review you may have.

Created Files:

  • crates/external_services/src/azure_key_vault.rs
  • crates/external_services/src/azure_key_vault/core.rs
  • crates/external_services/src/azure_key_vault/implementers.rs

Thank you!

@Rafee-Mohamed Rafee-Mohamed changed the title Add support for azure key vault as secret manager feat(router): add support for azure key vault as secret manager Feb 20, 2025
/// Constructs a new Azure Key Vault client.
pub async fn new(config: &AzureKeyVaultConfig) -> Result<Self, AzureKeyVaultError> {
let credential = DefaultAzureCredential::new()
.map_err(|_| AzureKeyVaultError::AzureKeyVaultClientInitializationFailed)?;
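Review bot: the `map_err(|_| AzureKeyVaultError::AzureKeyVaultClientInitializationFailed)` on the last line discards the error returned by `DefaultAzureCredential::new()`, so anything logged at the call site can only say that initialization failed, not which cause the credential chain reported. Keep the original error as the variant's source, for example by giving the variant a field and mapping with `|e| AzureKeyVaultError::AzureKeyVaultClientInitializationFailed(e)`, or by attaching it as context the way the crate's other secret managers do.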
Member commented:

Can you preserve the context here? It would good if we propagate the error that actually happened.

Author replied.

decrypt_params
.clone()
.try_into()
.map_err(|_| AzureKeyVaultError::KeyOperationsParameterTypeConversionFailed)?,
Member commented:

Same here

Comment on lines +181 to +182
logger::error!(azure_key_vault_error=?error, "Failed to Azure Key Vault decrypt data");
metrics::AZURE_KEY_VAULT_ENCRYPTION_FAILURES.add(1, &[]);
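Review bot: the log message and the metric on these two lines disagree: the message says "decrypt data" while the counter incremented is `AZURE_KEY_VAULT_ENCRYPTION_FAILURES`. The decrypt path at lines +124 to +126 logs the identical message against `AZURE_KEY_VAULT_DECRYPTION_FAILURES`, so this reads as a copied string. If this is the encrypt path, change the message to say encrypt; either way, give each failure site its own wording (the distinct messages proposed in the author's reply in this thread would do) so an operator can tell the paths apart from the log text.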
Member commented:

Log appropriate error here

Author commented:

@dracarys18, Could you please clarify what you mean by “log appropriate error”? Are you suggesting that “Failed to Azure Key Vault decrypt data” is not distinct from the previously logged error?

Would it be clearer if we modified the messages to:

  • “Failed while making Azure Key Vault decrypt API call”
  • “Failed while parsing Azure Key Vault decrypt API response”

This way, the errors would be more specific. Let me know your thoughts. Thanks!
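Added example, not code from the PR or from the Hyperswitch code base, showing the two points raised in this thread together: each error variant keeps the underlying failure as its `source` instead of discarding it with `map_err(|_| Variant)`, and the API-call and response-parsing failures get the two distinct messages proposed above. `VaultError`, `decrypt`, `describe`, the `value=<hex>` response format and the closures standing in for the SDK call are all constructed for this example and are not the real Azure SDK or crate API.

```rust
use std::error::Error;
use std::fmt;

/// Error type for the hypothetical vault wrapper. Each variant keeps the
/// underlying cause as its `source` instead of discarding it with
/// `map_err(|_| Variant)`, so a log line can show what actually failed.
#[derive(Debug)]
pub enum VaultError {
    /// The decrypt API call itself failed (transport, auth, timeout, ...).
    DecryptApiCall(Box<dyn Error + Send + Sync>),
    /// The API answered, but the response body could not be parsed.
    DecryptResponseParse(Box<dyn Error + Send + Sync>),
}

impl fmt::Display for VaultError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Distinct messages per failure site, as proposed in the review thread.
        let msg = match self {
            VaultError::DecryptApiCall(_) => "Failed while making Azure Key Vault decrypt API call",
            VaultError::DecryptResponseParse(_) => "Failed while parsing Azure Key Vault decrypt API response",
        };
        f.write_str(msg)
    }
}

impl Error for VaultError {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        match self {
            VaultError::DecryptApiCall(e) | VaultError::DecryptResponseParse(e) => Some(&**e),
        }
    }
}

/// Parse failure for the constructed `value=<hex>` response format (hypothetical).
#[derive(Debug)]
pub struct ParseError(String);

impl fmt::Display for ParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.0)
    }
}

impl Error for ParseError {}

/// Parses the constructed response format `value=<hex bytes>` into plaintext bytes.
fn parse_decrypt_response(body: &str) -> Result<Vec<u8>, ParseError> {
    let hex = body
        .strip_prefix("value=")
        .ok_or_else(|| ParseError("response is missing the `value=` field".to_string()))?;
    if !hex.is_ascii() || hex.len() % 2 != 0 {
        return Err(ParseError(format!("payload is not even-length ASCII hex ({} chars)", hex.len())));
    }
    (0..hex.len())
        .step_by(2)
        .map(|i| {
            u8::from_str_radix(&hex[i..i + 2], 16)
                .map_err(|e| ParseError(format!("invalid hex at offset {i}: {e}")))
        })
        .collect()
}

/// Decrypts `ciphertext` through `api_call`, a stand-in for the SDK's decrypt
/// request. Both failure sites wrap their cause instead of dropping it.
pub fn decrypt<F>(api_call: F, ciphertext: &[u8]) -> Result<Vec<u8>, VaultError>
where
    F: Fn(&[u8]) -> Result<String, std::io::Error>,
{
    let body = api_call(ciphertext).map_err(|e| VaultError::DecryptApiCall(Box::new(e)))?;
    parse_decrypt_response(&body).map_err(|e| VaultError::DecryptResponseParse(Box::new(e)))
}

/// Renders an error with its full source chain: the text a
/// `logger::error!(azure_key_vault_error=?error, ...)` line should end up carrying.
pub fn describe(err: &dyn Error) -> String {
    let mut out = err.to_string();
    let mut cur = err.source();
    while let Some(cause) = cur {
        out.push_str(": ");
        out.push_str(&cause.to_string());
        cur = cause.source();
    }
    out
}

fn main() {
    // Constructed stand-ins for a successful call, a transport failure and a bad response.
    let ok = |_: &[u8]| Ok("value=68656c6c6f".to_string());
    let timeout = |_: &[u8]| Err(std::io::Error::new(std::io::ErrorKind::TimedOut, "request timed out"));
    let garbage = |_: &[u8]| Ok("value=zz".to_string());

    println!("{:?}", decrypt(ok, b"ct").unwrap());
    for err in [decrypt(timeout, b"ct").unwrap_err(), decrypt(garbage, b"ct").unwrap_err()] {
        println!("{}", describe(&err));
    }
}
```

With the source kept, `describe` prints "Failed while making Azure Key Vault decrypt API call: request timed out" for the transport case and "Failed while parsing Azure Key Vault decrypt API response: invalid hex at offset 0: ..." for the parsing case; with `map_err(|_| Variant)` the part after the colon would be lost.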

Comment on lines +124 to +126
.inspect_err(|error| {
logger::error!(azure_key_vault_error=?error, "Failed to Azure Key Vault decrypt data");
metrics::AZURE_KEY_VAULT_DECRYPTION_FAILURES.add(1, &[]);
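Review bot: `?error` on the middle line only carries what the earlier `map_err(|_| ...)` closures left in it; if `error` is a unit variant such as `KeyOperationsParameterTypeConversionFailed`, this log records the variant name and nothing about the underlying SDK or conversion failure. Once the variants keep their source error this line becomes useful as written. The message is also the same string used at lines +181 to +182, so the two sites cannot be told apart from the log text alone; the distinct messages proposed in this thread would fix that.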
Member commented:

Log the proper error here

@dracarys18 dracarys18 added A-framework Area: Framework S-waiting-on-review Status: This PR has been implemented and needs to be reviewed labels Mar 3, 2025
@dracarys18 dracarys18 added this to the February 2025 Release milestone Mar 3, 2025

Successfully merging this pull request may close: [FEATURE] Add new secrets manager implementation (Azure Key Vault)
3 participants