llm-shield-cloud-azure
| Crates.io | llm-shield-cloud-azure |
| lib.rs | llm-shield-cloud-azure |
| version | 0.1.1 |
| created_at | 2025-11-03 04:08:26.979842+00 |
| updated_at | 2025-11-03 04:08:26.979842+00 |
| description | Azure cloud integrations for LLM Shield - Key Vault, Blob Storage, Azure Monitor |
| homepage | |
| repository | https://github.com/llm-shield/llm-shield-rs |
| max_upload_size | |
| id | 1913888 |
| size | 141,404 |
GBA (globalbusinessadvisors)
documentation
README
llm-shield-cloud-azure
Azure cloud integrations for LLM Shield - Key Vault, Blob Storage, and Azure Monitor.
Overview
Production-ready Azure implementations of cloud abstraction traits:
- Azure Key Vault - Secure secret storage with automatic caching
- Azure Blob Storage - Object storage for models and results
- Azure Monitor Metrics - Application metrics and monitoring
- Azure Monitor Logs - Structured logging via Log Analytics
Installation
[dependencies]
llm-shield-cloud-azure = "0.1"
llm-shield-cloud = "0.1"
tokio = { version = "1.35", features = ["full"] }
Quick Start
Key Vault
use llm_shield_cloud_azure::AzureKeyVault;
use llm_shield_cloud::CloudSecretManager;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let vault = AzureKeyVault::new("https://my-vault.vault.azure.net").await?;
let api_key = vault.get_secret("openai-api-key").await?;
println!("API Key: {}", api_key.as_string());
Ok(())
}
Blob Storage
use llm_shield_cloud_azure::AzureBlobStorage;
use llm_shield_cloud::CloudStorage;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let storage = AzureBlobStorage::new("mystorageaccount", "models").await?;
let data = b"Hello, Azure!";
storage.put_object("test.txt", data).await?;
let retrieved = storage.get_object("test.txt").await?;
assert_eq!(data, retrieved.as_slice());
Ok(())
}
Azure Monitor
use llm_shield_cloud_azure::AzureMonitorMetrics;
use llm_shield_cloud::{CloudMetrics, Metric};
use std::collections::HashMap;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let metrics = AzureMonitorMetrics::new(
"/subscriptions/sub-id/resourceGroups/rg/...",
"eastus"
).await?;
let metric = Metric {
name: "scan_duration".to_string(),
value: 123.45,
timestamp: std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)?
.as_secs(),
dimensions: HashMap::new(),
unit: Some("Milliseconds".to_string()),
};
metrics.export_metric(&metric).await?;
Ok(())
}
Configuration
cloud:
provider: azure
azure:
key_vault:
vault_url: https://my-vault.vault.azure.net
cache_ttl_seconds: 300
storage:
account_name: mystorageaccount
container_name: models
monitor:
workspace_id: workspace-id
shared_key: shared-key
log_type: LLMShieldLog
Azure Credentials
Uses DefaultAzureCredential which tries:
- Environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
- Azure CLI:
az logincredentials - Managed Identity: For Azure VMs, App Service, Container Apps
Development Setup
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Login
az login
# Set subscription
az account set --subscription "my-subscription-id"
Production (Managed Identity)
Azure VM:
# Enable system-assigned managed identity
az vm identity assign \
--name my-vm \
--resource-group my-rg
# Get principal ID
PRINCIPAL_ID=$(az vm show \
--name my-vm \
--resource-group my-rg \
--query identity.principalId -o tsv)
# Assign roles
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "LLM Shield Full Access" \
--scope /subscriptions/sub-id
App Service:
# Enable managed identity
az webapp identity assign \
--name my-app \
--resource-group my-rg
# Assign roles
PRINCIPAL_ID=$(az webapp show \
--name my-app \
--resource-group my-rg \
--query identity.principalId -o tsv)
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "LLM Shield Full Access"
Container Apps:
# Enable managed identity
az containerapp identity assign \
--name my-app \
--resource-group my-rg
# Assign roles
PRINCIPAL_ID=$(az containerapp show \
--name my-app \
--resource-group my-rg \
--query identity.principalId -o tsv)
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "LLM Shield Full Access"
RBAC Permissions
See rbac-roles/ for custom role definitions:
key-vault-role.json- Key Vault permissionsstorage-role.json- Blob Storage permissionsmonitor-role.json- Azure Monitor permissionsllm-shield-full-role.json- All permissions (dev/test)
Creating Custom Roles
# Create custom role
az role definition create \
--role-definition @rbac-roles/llm-shield-full-role.json
# Assign to managed identity
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "LLM Shield Full Access" \
--scope /subscriptions/sub-id
Testing
Unit Tests
cargo test -p llm-shield-cloud-azure
Integration Tests
export AZURE_TENANT_ID=tenant-id
export AZURE_CLIENT_ID=client-id
export AZURE_CLIENT_SECRET=client-secret
export TEST_VAULT_URL=https://test-vault.vault.azure.net
export TEST_STORAGE_ACCOUNT=teststorageaccount
export TEST_CONTAINER=test-container
cargo test -p llm-shield-cloud-azure --test integration -- --ignored
Performance
| Operation | Throughput | Latency (p50) |
|---|---|---|
| Secret fetch (cached) | 100,000/s | <1ms |
| Secret fetch (uncached) | 1,000/s | ~50ms |
| Blob upload (1MB) | 50 MB/s | ~20ms |
| Blob upload (50MB blocks) | 80 MB/s | ~625ms |
| Metrics export (batch) | 1,000/s | ~10ms |
| Logs export (batch) | 10,000/s | ~5ms |
Cost Estimates
Monthly costs (production):
| Service | Usage | Cost |
|---|---|---|
| Key Vault | 10 secrets, 100K ops | ~$3 |
| Blob Storage (LRS) | 100 GB, 1M ops | ~$2 |
| Log Analytics | 50 GB ingested | ~$115 |
| Azure Monitor Metrics | 50 metrics | ~$10 |
| Total | ~$130/month |
Security Best Practices
- Use Managed Identity (no credentials in code)
- Apply least-privilege RBAC roles
- Enable Key Vault soft delete and purge protection
- Use private endpoints for Key Vault and Storage
- Enable Azure Policy for compliance
- Set storage account firewall rules
- Enable diagnostic logging for all services
- Use customer-managed keys (CMK) for encryption
- Enable Azure Defender for Cloud
- Review access regularly with Azure AD PIM
Troubleshooting
Authentication Errors
# Check current authentication
az account show
# Check managed identity
curl -H Metadata:true \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
Permission Errors
# List role assignments
az role assignment list \
--assignee $PRINCIPAL_ID \
--all
# Test Key Vault access
az keyvault secret show \
--vault-name my-vault \
--name test-secret
# Test Blob Storage access
az storage blob list \
--account-name mystorageaccount \
--container-name models \
--auth-mode login
Resource Not Found
# Verify Key Vault exists
az keyvault show --name my-vault
# Verify storage account exists
az storage account show \
--name mystorageaccount \
--resource-group my-rg
# Verify container exists
az storage container show \
--name models \
--account-name mystorageaccount \
--auth-mode login
Architecture
┌─────────────────────────────────────┐
│ LLM Shield Application │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ llm-shield-cloud (traits) │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ llm-shield-cloud-azure (impl) │
│ - AzureKeyVault │
│ - AzureBlobStorage │
│ - AzureMonitorMetrics/Logs │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Azure SDK for Rust │
│ - azure_security_keyvault │
│ - azure_storage_blobs │
│ - reqwest (Monitor API) │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Azure Services │
│ - Key Vault │
│ - Blob Storage │
│ - Azure Monitor │
└─────────────────────────────────────┘
License
MIT OR Apache-2.0
Related Crates
llm-shield-cloud- Cloud abstraction traitsllm-shield-cloud-aws- AWS integrationsllm-shield-cloud-gcp- GCP integrations