
feat(azdext): Add KeyVaultResolver to Extension SDK for Key Vault secret resolution #7042

@jongio

Description

Summary

Add a KeyVaultResolver to the Extension SDK (pkg/azdext) that resolves Azure Key Vault secret references embedded in environment variables. This eliminates ~100+ lines of duplicated Key Vault resolution logic across each extension.

Motivation

Extensions running scripts or managing environments need to resolve Azure Key Vault references embedded in environment variables. Without framework support, each extension imports duplicated infrastructure:

  • azd-exec uses Key Vault resolution with a StopOnKeyVaultError config flag and factory pattern
  • azd-app implements custom Config/AppConfig structs with Load(), Save(), and AtomicWriteJSON
  • azd-core provides shared keyvault package that every extension depends on

Evidence: azd-exec KV resolution, azd-core keyvault package

Supported Reference Formats

  • akvs://<subscription>/<vault>/<secret>
  • @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
  • @Microsoft.KeyVault(VaultName=...;SecretName=...)

Features

  • KeyVaultResolver: Thread-safe per-vault client caching, batch resolution via ResolveMap, structured error types with ResolveReason classification, configurable vault suffix for sovereign clouds
  • Helper functions: IsSecretReference, ParseKeyVaultAppReference, ResolveSecretEnvironment for bulk env var resolution
  • Integration point: cmd/extensions.go calls ResolveSecretEnvironment before passing env vars to extensions, so extensions receive plain secret values transparently
  • Core keyvault additions: IsKeyVaultAppReference, ParseKeyVaultAppReference, SecretFromKeyVaultReference, ResolveSecretEnvironment in pkg/keyvault
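
As an added illustration (not code from this PR or the azure-dev repository), here is a Go parser that recognises the three reference formats listed above and produces the vault, secret and version a resolver would need. The type `KeyVaultRef`, the function `ParseReference` and its `vaultSuffix` parameter are assumptions; the helper name `IsSecretReference` follows the PR's list. The host-suffix check illustrates why a configurable vault suffix matters: a `SecretUri` that does not end in the expected Key Vault DNS suffix is rejected rather than resolved against an arbitrary host.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// KeyVaultRef is the parsed form of a reference (hypothetical type, not azd's own). Version "" means latest.
type KeyVaultRef struct{ Subscription, Vault, Secret, Version string }
var appRef = regexp.MustCompile(`^@Microsoft\.KeyVault\((.+)\)$`)
var vaultName = regexp.MustCompile(`^[A-Za-z0-9-]{3,24}$`) // stops a VaultName from smuggling "/" or "." into a host
// IsSecretReference reports whether v is written in one of the three supported reference formats.
func IsSecretReference(v string) bool { return strings.HasPrefix(strings.TrimSpace(v), "akvs://") || appRef.MatchString(strings.TrimSpace(v)) }
// ParseReference parses v; vaultSuffix (".vault.azure.net" or a sovereign-cloud suffix) is the only host suffix accepted in SecretUri.
func ParseReference(v, vaultSuffix string) (KeyVaultRef, error) {
	v = strings.TrimSpace(v)
	if strings.HasPrefix(v, "akvs://") { // akvs://<subscription>/<vault>/<secret>
		p := strings.Split(strings.TrimPrefix(v, "akvs://"), "/")
		if len(p) != 3 || p[0] == "" || !vaultName.MatchString(p[1]) || p[2] == "" {
			return KeyVaultRef{}, fmt.Errorf("malformed akvs reference %q", v)
		}
		return KeyVaultRef{Subscription: p[0], Vault: p[1], Secret: p[2]}, nil
	}
	m := appRef.FindStringSubmatch(v)
	if m == nil {
		return KeyVaultRef{}, fmt.Errorf("not a Key Vault reference: %q", v)
	}
	kv := map[string]string{} // App Service syntax: Key=Value pairs separated by ';', keys case-insensitive
	for _, pair := range strings.Split(m[1], ";") {
		k, val, _ := strings.Cut(pair, "=")
		kv[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(val)
	}
	if uri, ok := kv["secreturi"]; ok {
		u, err := url.Parse(uri)
		if err != nil || u.Scheme != "https" || !strings.HasSuffix(u.Host, vaultSuffix) {
			return KeyVaultRef{}, fmt.Errorf("SecretUri must be https and its host must end with %s: %q", vaultSuffix, uri)
		}
		seg := strings.Split(strings.Trim(u.Path, "/"), "/") // secrets/<name>[/<version>]
		if len(seg) < 2 || len(seg) > 3 || seg[0] != "secrets" || seg[1] == "" {
			return KeyVaultRef{}, fmt.Errorf("SecretUri path must be /secrets/<name>[/<version>]: %q", uri)
		}
		return KeyVaultRef{Vault: strings.TrimSuffix(u.Host, vaultSuffix), Secret: seg[1], Version: strings.Join(seg[2:], "")}, nil
	}
	if !vaultName.MatchString(kv["vaultname"]) || kv["secretname"] == "" { // SecretVersion is optional in this form
		return KeyVaultRef{}, fmt.Errorf("reference needs VaultName and SecretName: %q", v)
	}
	return KeyVaultRef{Vault: kv["vaultname"], Secret: kv["secretname"], Version: kv["secretversion"]}, nil
}
```

A resolver built on this would fetch the secret by the returned vault and name and pass the plain value on; the parsing error paths are where a `StopOnKeyVaultError`-style policy decides whether to abort.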

Files

  • cli/azd/pkg/azdext/keyvault_resolver.go — KeyVaultResolver with Resolve, ResolveMap, error types
  • cli/azd/pkg/azdext/keyvault_resolver_test.go — comprehensive tests (577 lines)
  • cli/azd/pkg/keyvault/keyvault.go — helper functions for @Microsoft.KeyVault format parsing
  • cli/azd/cmd/extensions.go — integration: resolve KV refs before passing env to extensions
  • cli/azd/internal/cmd/show/show.go — documentation comments for KV resolution

Related

Branch

feature/ext-sdk-kv-resolver on jongio/azure-dev
