#azure #env-file #env #keyvault #env-var #encryption-key

app keyweave

Fetches secrets from Azure Key Vault and weaves them into a convenient .env file

9 releases

0.2.7 Apr 10, 2024
0.2.6 Mar 5, 2024
0.2.5 Feb 25, 2024
0.2.4 Dec 1, 2023
0.1.0 Nov 9, 2023

#171 in Authentication

GPL-3.0 license

228 lines


github crates.io docs.rs build status test status


Keyweave is an open-source tool crafted to seamlessly fetch secrets from Azure Key Vault and weave them into a convenient .env file. Developed in Rust, Keyweave stands out for its efficiency and user-friendly design, making it an ideal choice for managing your application's secrets.


  • Fetch Secrets: Retrieve secrets securely from Azure Key Vault.
  • Filtering: Optionally filter the secrets to be retrieved by name.
  • Output Customization: Choose the name of the output file, defaulting to .env.
  • Azure Default Credentials: Utilizes Azure default credentials for authentication.


Before diving into Keyweave, ensure you have the following prerequisites:

  • Logged into the right Azure tenant:

    az login --tenant "your-tenant-guid"
  • The identity you logged in with has Get and List Secret Permissions in the Access Policies of the Key Vault.



Keyweave is built with Cargo, the Rust package manager. It can also be used to install from crates.io:

cargo install keyweave

Homebrew (MacOS, Linux)

For MacOS and Linux systems, installation is a breeze with Homebrew. Simply run:

brew tap bartvdbraak/keyweave
brew install keyweave

Manual Download

If you prefer manual installation or need binaries for different platforms (including an executable for Windows), visit the Releases page of this GitHub repository.

Invoke-WebRequest -Uri 'https://github.com/bartvdbraak/keyweave/releases/latest/download/keyweave.exe' -OutFile 'keyweave.exe'

Building from Source

To build Keyweave from source, follow these steps:

git clone https://github.com/bartvdbraak/keyweave.git
cd keyweave
cargo build --release

Once built, run Keyweave using Cargo:

cargo run -- --vault-name <VAULT_NAME> [--output <FILE>] [--filter <FILTER>]


With the binary on your PATH, run Keyweave as follows:

keyweave --vault-name <VAULT_NAME> [--output <FILE>] [--filter <FILTER>]
  • --vault-name <VAULT_NAME>: Sets the name of the Azure Key Vault.
  • --output <FILE>: (Optional) Sets the name of the output file (default: .env).
  • --filter <FILTER>: (Optional) Filters the secrets to be retrieved by name.


keyweave --vault-name my-key-vault --output my-env-file.env --filter my-secret


Additional documentation for this package can be found on docs.rs.


Keyweave is licensed under the GPLv3 License. See LICENSE for more details.


We welcome contributions! Feel free to submit pull requests, report issues, or suggest new features. Your input helps make Keyweave even better.


~326K SLoC