akv-cli (bin+lib crate)

The Azure Key Vault CLI can be used to read secrets, pass them securely to other commands, or inject them into configuration files

Releases: 0.1.0 (unstable), Feb 19, 2025


MIT license


Azure Key Vault CLI (Unofficial)


Installation

If you have Rust installed, you can build the CLI on nearly any platform:

cargo install akv-cli

Using

Inspired by the 1Password CLI, you can use similar commands to pull secrets from Azure Key Vault. Though the crate is named akv-cli, note that the actual program is named akv.

Some arguments fall back to environment variables, e.g., --vault reads AZURE_KEYVAULT_URL when it is not given on the command line; --help lists the variable for each command. This lets you set the vault once and pass just the secret name, e.g.,

export AZURE_KEYVAULT_URL=https://my-vault.vault.azure.net

akv secret list
akv read --name my-secret

Injecting secrets

You can read a template from a file or from stdin and inject secrets into the stream. Any secret ID, e.g., https://my-vault.vault.azure.net/secrets/my-secret, enclosed in {{ }} is replaced with the secret's value if the secret exists; placeholders that do not resolve are left untouched.

echo "my-secret: {{ https://my-vault.vault.azure.net/secrets/my-secret }}" | akv inject

The template can also be read from a file using --in-file, and the example below writes the result to config.json, e.g.,

cat <<'EOF' | akv inject -o config.json
{
    "token": "{{ https://my-vault.vault.azure.net/secrets/my-secret/746984e474594896aad9aff48aca0849 }}"
}
EOF

Reading a secret

You can pass secrets to terminal applications, though how exactly depends on your shell. For bash,

cargo login $(akv read https://my-vault.vault.azure.net/secrets/my-secret)

Note that secrets in Key Vault are versioned. The example above reads the latest version, but you can also read any version by appending the version ID to the URL. It is often important to pin a specific version until you are ready to rotate to a new secret.

akv read https://my-vault.vault.azure.net/secrets/my-secret/746984e474594896aad9aff48aca0849

Passing secrets to new processes

Instead of keeping secret values in environment variables, where any process running as your user can read them, you can start a process with akv run and keep only URLs to secrets in the environment.

Each such environment variable contains only the URL of a secret; akv resolves it for the child process. Secrets read from Azure Key Vault are masked in the child's stdout and stderr unless you pass --no-masking.

export SECRET_VAR=https://my-vault.vault.azure.net/secrets/my-secret

akv run -- printenv SECRET_VAR
akv run --no-masking -- printenv SECRET_VAR
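The following is an added example, not akv-cli's own code, modelling the two behaviours described above: the {{ secret URL }} placeholder replacement of akv inject (unresolvable placeholders stay verbatim) and the output masking of akv run. The URL parser, the in-memory demo_vault stand-in for Key Vault, and all names are assumptions for illustration.

```rust
/// Name and optional version parsed from a Key Vault secret URL (assumed type, not the crate's).
#[derive(Debug, PartialEq)]
pub struct SecretId { pub name: String, pub version: Option<String> }

/// Accept https://<vault>.vault.azure.net/secrets/<name>[/<version>]; reject anything else.
pub fn parse_secret_id(url: &str) -> Option<SecretId> {
    let (host, path) = url.strip_prefix("https://")?.split_once('/')?;
    if !host.ends_with(".vault.azure.net") { return None; }
    let mut parts = path.split('/').filter(|p| !p.is_empty());
    if parts.next()? != "secrets" { return None; }
    let name = parts.next()?.to_string();
    let version = parts.next().map(str::to_string);
    if parts.next().is_some() { return None; } // extra path segments are not a secret ID
    Some(SecretId { name, version })
}

/// Replace each `{{ <secret URL> }}` whose secret resolves; anything else is copied verbatim.
pub fn inject(template: &str, resolve: &dyn Fn(&SecretId) -> Option<String>) -> String {
    let (mut out, mut rest) = (String::new(), template);
    while let Some(start) = rest.find("{{") {
        out.push_str(&rest[..start]);
        rest = &rest[start..];
        let after = &rest[2..];
        let end = match after.find("}}") { Some(e) => e, None => break }; // unterminated: keep as-is
        match parse_secret_id(after[..end].trim()).and_then(|id| resolve(&id)) {
            Some(value) => out.push_str(&value),
            None => out.push_str(&rest[..end + 4]), // unknown secret or bad URL: keep placeholder
        }
        rest = &after[end + 2..];
    }
    out.push_str(rest);
    out
}

/// Mask resolved secret values in captured output, as `akv run` does unless --no-masking is set.
pub fn mask(output: &str, secrets: &[String]) -> String {
    secrets.iter().filter(|s| !s.is_empty()).fold(output.to_string(), |o, s| o.replace(s.as_str(), "***"))
}

/// Constructed stand-in for Key Vault: the latest value and one pinned version of `my-secret`.
pub fn demo_vault(id: &SecretId) -> Option<String> {
    match (id.name.as_str(), id.version.as_deref()) {
        ("my-secret", None) => Some("s3cr3t-v2".to_string()),
        ("my-secret", Some("746984e474594896aad9aff48aca0849")) => Some("s3cr3t-v1".to_string()),
        _ => None,
    }
}

fn main() {
    let rendered = inject("token: {{ https://my-vault.vault.azure.net/secrets/my-secret }}", &demo_vault);
    println!("{}", mask(&rendered, &["s3cr3t-v2".to_string()]));
}
```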

Managing secrets

You can create, get, edit, and list secrets e.g.,

akv secret list --vault https://my-vault.vault.azure.net

Read complete usage using --help:

akv secret --help

Background

Though still a work in progress, inspiration was derived from the 1Password CLI. As the previous primary developer on the Azure Key Vault SDK for .NET and current primary developer on the Azure SDK for Rust - including Key Vault - I wanted to make something useful to test our initial prerelease of the Rust class libraries.

License

Licensed under the MIT license.
