Summary
Add a KeyVaultResolver to the Extension SDK (pkg/azdext) that resolves Azure Key Vault secret references embedded in environment variables. This eliminates ~100+ lines of duplicated Key Vault resolution logic across each extension.
Motivation
Extensions running scripts or managing environments need to resolve Azure Key Vault references embedded in environment variables. Without framework support, each extension imports duplicated infrastructure:
- azd-exec uses Key Vault resolution with a StopOnKeyVaultError config flag and factory pattern
- azd-app implements custom Config/AppConfig structs with Load(), Save(), and AtomicWriteJSON
- azd-core provides a shared keyvault package that every extension depends on
Evidence: azd-exec KV resolution, azd-core keyvault package
Supported Reference Formats
akvs://<subscription>/<vault>/<secret>
@Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
@Microsoft.KeyVault(VaultName=...;SecretName=...)
Features
- KeyVaultResolver: thread-safe per-vault client caching, batch resolution via ResolveMap, structured error types with ResolveReason classification, configurable vault suffix for sovereign clouds
- Helper functions: IsSecretReference, ParseKeyVaultAppReference, ResolveSecretEnvironment for bulk env var resolution
- Integration point: cmd/extensions.go calls ResolveSecretEnvironment before passing env vars to extensions, so extensions receive plain secret values transparently
- Core keyvault additions: IsKeyVaultAppReference, ParseKeyVaultAppReference, SecretFromKeyVaultReference, ResolveSecretEnvironment in pkg/keyvault
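As an added illustration of what a parser behind IsSecretReference / ParseKeyVaultAppReference has to handle (example code, not from the azure-dev branch), here is a Go function that recognizes the three reference formats listed above and takes the vault suffix as a parameter, mirroring the configurable suffix for sovereign clouds. The type SecretRef, the function ParseRef and the vaultSuffix parameter are hypothetical names; a value that looks like a reference but is malformed comes back as an error with isRef set, so a caller can fail closed instead of handing the raw reference string to a script as if it were the secret.

```go
package main

import (
	"fmt"
	"strings"
)

// SecretRef is a parsed Key Vault reference (hypothetical type, not azd's own).
type SecretRef struct{ Vault, Name, Version string }

// ParseRef recognizes the three formats listed above. isRef is false for a plain value, which
// passes through unchanged; err flags a value that looks like a reference but is malformed.
func ParseRef(v, vaultSuffix string) (ref SecretRef, isRef bool, err error) {
	v = strings.TrimSpace(v)
	if rest, ok := strings.CutPrefix(v, "akvs://"); ok {
		if p := strings.Split(rest, "/"); len(p) == 3 && p[1] != "" && p[2] != "" {
			return SecretRef{Vault: p[1], Name: p[2]}, true, nil
		}
		return ref, true, fmt.Errorf("akvs reference must be <subscription>/<vault>/<secret>")
	}
	body, ok1 := strings.CutPrefix(v, "@Microsoft.KeyVault(")
	body, ok2 := strings.CutSuffix(body, ")")
	if !ok1 || !ok2 {
		return ref, false, nil
	}
	kv := map[string]string{} // "Key=Value;Key=Value" pairs inside the parentheses
	for _, pair := range strings.Split(body, ";") {
		if k, val, found := strings.Cut(pair, "="); found {
			kv[strings.TrimSpace(k)] = strings.TrimSpace(val)
		}
	}
	if raw, ok := kv["SecretUri"]; ok {
		hostPath, https := strings.CutPrefix(raw, "https://")
		host, path, _ := strings.Cut(hostPath, "/")
		vault, hostOK := strings.CutSuffix(host, "."+vaultSuffix) // pins the host to the configured cloud
		seg := strings.Split(strings.TrimSuffix(path, "/"), "/")   // ["secrets", name[, version]]
		if !https || !hostOK || vault == "" || strings.Contains(vault, ".") || len(seg) < 2 || len(seg) > 3 || seg[0] != "secrets" || seg[1] == "" {
			return ref, true, fmt.Errorf("SecretUri must be https://<vault>.%s/secrets/<name>[/<version>]", vaultSuffix)
		}
		return SecretRef{Vault: vault, Name: seg[1], Version: strings.Join(seg[2:], "")}, true, nil
	}
	if kv["VaultName"] == "" || kv["SecretName"] == "" {
		return ref, true, fmt.Errorf("reference needs SecretUri or VaultName and SecretName")
	}
	return SecretRef{Vault: kv["VaultName"], Name: kv["SecretName"]}, true, nil
}

func main() {
	fmt.Println(ParseRef("@Microsoft.KeyVault(SecretUri=https://kv-demo.vault.azure.net/secrets/db-password/1a2b)", "vault.azure.net"))
}
```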
Files
cli/azd/pkg/azdext/keyvault_resolver.go — KeyVaultResolver with Resolve, ResolveMap, error types
cli/azd/pkg/azdext/keyvault_resolver_test.go — comprehensive tests (577 lines)
cli/azd/pkg/keyvault/keyvault.go — helper functions for @Microsoft.KeyVault format parsing
cli/azd/cmd/extensions.go — integration: resolve KV refs before passing env to extensions
cli/azd/internal/cmd/show/show.go — documentation comments for KV resolution
Related
Branch
feature/ext-sdk-kv-resolver on jongio/azure-dev