Skip to content

feat(azdext): Extension SDK improvements — integration, security, runtime, cleanup#7025

Draft
jongio wants to merge 9 commits intoAzure:mainfrom
jongio:feature/ext-sdk-improvements
Draft

feat(azdext): Extension SDK improvements — integration, security, runtime, cleanup#7025
jongio wants to merge 9 commits intoAzure:mainfrom
jongio:feature/ext-sdk-improvements

Conversation

@jongio
Copy link
Member

@jongio jongio commented Mar 6, 2026
edited
Loading

Extension SDK Improvements — Integration, Security, Runtime, Cleanup

Summary

Consolidated PR delivering the remaining Extension SDK and MCP Framework improvements from the Extension Framework Improvements initiative. These features were identified through a multi-model code review across 5 production extensions (azd-app, azd-exec, azd-copilot, azd-rest) and a shared library (azd-core), revealing ~2,500-4,000 lines of duplicated infrastructure across the ecosystem.

Note: Key Vault secret resolution was extracted to PR #7043 (issue #7042) to reduce scope and allow independent review.

Changes

P1 Config Helpers (#6945)

Config Helpers

  • Why: Extensions need typed configuration loading from ~/.azd/config.json with defaults. Each extension builds its own config loader.
  • Evidence: azd-app implements custom Config/AppConfig structs with Load(), Save(), and AtomicWriteJSON — 75 lines of boilerplate per extension.
  • Change: config_helper.goConfigHelper with typed loading, saving, defaults, and atomic writes. config_helper_test.go — 967 lines of comprehensive tests.

P2 Output & Structured Logging (#6946)

Output Helpers

  • Why: Extensions produce inconsistent output — some use ANSI colors, others plain text. No standard for JSON-mode output or structured tables. Users experience different formatting across extensions.
  • Evidence: azd-core/cliout provides Success(), Error(), Warning(), Table(), SetFormat() — used by azd-app and all other extensions. Without framework support, every extension depends on azd-core for consistent output.
  • Change: output.goOutput helper with format-aware rendering (text, JSON, table), ANSI color support. output_test.go — 358 lines of tests.

Structured Logger

  • Why: Each extension sets up identical structured logging with debug mode detection. The pattern is the same everywhere but not provided by the framework.
  • Evidence: azd-core/logutil provides SetupLogger(debug, structured) with JSON/text format selection and component-scoped loggers.
  • Change: logger.goSetupLogger and ComponentLogger with slog integration. logger_test.go — 295 lines of tests.

P2 Security Validation & SSRF Guard (#6947)

Security Validation

  • Why: Extensions handling user input need path traversal prevention, service name validation, script name sanitization, and container environment detection. Each extension must discover and import these from azd-core.
  • Evidence: azd-core/security provides ValidatePath() (L33 — detects .., resolves symlinks), ValidateServiceName() (L85 — DNS-safe regex), SanitizeScriptName() (L129 — blocks shell metacharacters), and IsContainerEnvironment() (L148 — detects Docker, Codespaces, K8s).
  • Change: security_validation.goValidatePath, ValidateServiceName, SanitizeScriptName, IsContainerEnvironment. security_validation_test.go — 354 lines of tests.

SSRF Guard

  • Why: MCP tools making HTTP requests on behalf of AI models are particularly vulnerable to SSRF attacks. Extensions must independently implement blocklists for cloud metadata endpoints, private network CIDRs, and URL validation with DNS resolution. This is complex, security-critical code that should not be duplicated.
  • Evidence: azd-rest hardcodes its own SSRF protectionblockedHeaders (L34), blockedHosts including 169.254.169.254 and fd00:ec2::254 (L42), 7 blockedCIDRs for IPv4/IPv6 loopback, link-local, and RFC 1918 (L49-66), plus isBlockedIP() (L84) and isBlockedURL() with DNS resolution (L96-134).
  • Change: ssrf_guard.go + ssrf_common.goSSRFGuard with fluent builder pattern, metadata endpoint blocking, private network blocking, HTTPS enforcement, DNS resolution, IPv6 embedded IPv4 extraction, OnBlocked callback. ssrf_guard_test.go — 552 lines of tests. Also refactored mcp_security.go to use shared SSRF primitives.

P3 Runtime Utilities (#6948)

Shell Detection & Execution

  • Why: Extensions executing scripts need to detect shells from file extensions/shebangs and build correct command arguments per shell. azd-exec has TWO separate implementations — one for CLI, one for MCP — that should be unified.
  • Evidence: azd-core/shellutil provides constants for 6 shells plus DetectShell(). azd-exec duplicates shell argument building in its MCP handler separately from its CLI handler.
  • Change: shell.goDetectShell, ShellInfo, BuildCommand, IsInteractiveTerminal (using golang.org/x/term), shell type constants. shell_test.go — 258 lines of tests.

Atomic File Operations

  • Why: Extensions writing config files risk corruption from partial writes. The temp-file-then-rename pattern is well-known but each extension implements it independently.
  • Evidence: azd-core/fileutil provides AtomicWriteJSON() and AtomicWriteFile() — write to temp, sync, set permissions, rename.
  • Change: atomicfile.goAtomicWriteFile, AtomicWriteJSON with platform-aware temp file placement. atomicfile_test.go — 322 lines of tests.

Process Management

  • Why: Extensions monitoring services need reliable cross-platform process detection. On Windows, stale PIDs are a real problem — a PID may be reused by a different process, so simple os.FindProcess isn't reliable.
  • Evidence: azd-core/procutil uses gopsutil for accurate detection across Windows/Linux/macOS.
  • Change: process.go + platform-specific files (process_windows.go, process_linux.go, process_darwin.go) — IsProcessRunning, GetProcessInfo, WaitForProcessExit using native OS APIs (Windows: OpenProcess+QueryFullProcessImageNameW, Linux: /proc, macOS: ps). EPERM handling on Unix for permission-denied processes. process_test.go — 221 lines of tests.

TUI Helpers

  • Why: Extensions launching interactive terminal apps face complex platform-specific TTY challenges. When azd captures stdio for gRPC, child processes can't detect a TTY.
  • Evidence: azd-copilot implements 70+ lines of platform-specific hacking — Windows SetStdHandle() for CONIN$/CONOUT$, Unix /dev/tty bypass.
  • Change: tui.goLaunchTUI with platform-specific stdin/stdout reattachment. tui_test.go — 240 lines of tests.

Tool Discovery

  • Why: Extensions integrating with external tools (node, python, docker) need to find executables across PATH and system directories, with helpful install suggestions when missing.
  • Evidence: azd-core/pathutil provides FindToolInPath() with Windows .exe handling and GetInstallSuggestion() for 18+ tools.
  • Change: tooldiscovery.goFindTool, GetInstallSuggestion, RequireTool, BuildPATH. tooldiscovery_test.go — 268 lines of tests.

Cleanup (#6949)

Context Ownership & Package Boundaries

  • Why: After the P0 SDK helpers landed (feat: Extension SDK helpers — command scaffolding, MCP utilities, and security policy #6856), some types ended up in suboptimal package locations. This cleanup moves them to correct packages and clarifies context propagation boundaries between host and extensions.
  • Changes: context.go — additional context helpers. extension_command.go — package boundary clarification. scope_detector.go — custom rule precedence fix (custom rules now prepend before defaults). token_provider.go — simplified. mcp_server_builder.go — minor additions.

Resilient HTTP Client Improvements

  • Why: Copilot review identified security and correctness issues in the existing resilient HTTP client (merged in P0).
  • Changes: resilient_http_client.go — bounded body drain (1 MiB via io.LimitReader), improved defaults handling. resilient_http_client_test.go — updated tests.

Pagination Improvements

  • Why: Copilot review identified security issues — unsanitized error bodies and nextLink validation gaps.
  • Changes: pagination.gosanitizeControlChars for error bodies, validateNextLink now rejects relative URLs and non-HTTPS schemes. pagination_test.go — updated tests.

Documentation

  • extension-e2e-walkthrough.md — 477-line end-to-end guide
  • extension-migration-guide.md — 554-line migration guide from azd-core
  • extension-sdk-reference.md — 705-line SDK reference
  • extension-framework.md — updated with new capabilities

Example Extension Update

  • extensions/azure.appservice/ — updated to use SDK helpers, demonstrating the migration pattern.

Related Work

Item Status
#6855 P0 SDK Helpers Merged Feb 26
#6944 P1 Core Primitives Merged Mar 6
#7042 Key Vault Resolver Draft PR (extracted from this PR)
#6863 Documentation Assigned to @kristenwomack
#6853 Full Proposal Parent issue with complete evidence

Downstream Impact

  • azd-app (PR #145): Already deleted 574 lines of custom rate limiter code after P1 core primitives merged
  • azd-core (PR Update Walk to WalkDir #22): Deprecated stopgap helpers in favor of SDK-provided ones
  • All extensions: Will be able to drop azd-core dependency for features now in the SDK

Testing

  • All new code includes unit tests (594 tests pass, 1 skip)
  • Cross-cutting security hardening applied across all modules
  • Builds and lints cleanly (gofmt, go vet, golangci-lint — 0 issues)

Fixes #6945, Fixes #6946, Fixes #6947, Fixes #6948, Fixes #6949

@jongio jongio requested a review from wbreza as a code owner March 6, 2026 18:13
Copilot AI review requested due to automatic review settings March 6, 2026 18:13
This was referenced Mar 6, 2026
Open
Closed
Closed
Closed
Closed
Closed
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends the azdext Extension SDK with additional integration, security, output/logging, and runtime helper utilities, and updates docs/extensions to use the improved entrypoints and patterns.

Changes:

  • Add new azdext helper modules: TUI/interactive detection, tool discovery & PATH management, shell execution, atomic file operations, process utilities, structured output, structured logging, Key Vault secret resolution, SSRF guard, and input validation helpers.
  • Harden/adjust existing primitives (pager, scope detector, resilient HTTP client) and expand tests across the new surfaces.
  • Update extensions and docs to use azdext.Run and document new SDK helper guidance.

Reviewed changes

Copilot reviewed 47 out of 51 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
cli/azd/pkg/azdext/tui.go Adds interactive capability detection helpers.
cli/azd/pkg/azdext/tui_test.go Unit tests for interactive detection and flags.
cli/azd/pkg/azdext/tooldiscovery.go Adds tool lookup + PATH management utilities.
cli/azd/pkg/azdext/tooldiscovery_test.go Tests for tool lookup and PATH helpers.
cli/azd/pkg/azdext/shell.go Adds shell detection + shell command helpers + TTY detection.
cli/azd/pkg/azdext/shell_test.go Tests for shell helpers and terminal detection.
cli/azd/pkg/azdext/security_validation.go Adds validation helpers (service name, hostname, script name, container env detection).
cli/azd/pkg/azdext/security_validation_test.go Tests for validation and container env detection.
cli/azd/pkg/azdext/ssrf_guard.go Adds standalone SSRF guard utility (non-MCP usage).
cli/azd/pkg/azdext/ssrf_common.go Common SSRF constants + IP classification helpers.
cli/azd/pkg/azdext/process.go Adds cross-platform process utilities API surface.
cli/azd/pkg/azdext/process_windows.go Windows implementation for process utilities.
cli/azd/pkg/azdext/process_darwin.go macOS implementation for process utilities.
cli/azd/pkg/azdext/process_linux.go Linux implementation for process utilities.
cli/azd/pkg/azdext/process_test.go Tests for process utilities.
cli/azd/pkg/azdext/atomicfile.go Adds atomic write/copy/backup + EnsureDir helpers.
cli/azd/pkg/azdext/atomicfile_test.go Tests for atomic file helpers.
cli/azd/pkg/azdext/output.go Adds format-aware output helper (default vs JSON) + table rendering.
cli/azd/pkg/azdext/output_test.go Tests for output helper behavior.
cli/azd/pkg/azdext/logger.go Adds slog-based logger + global setup helper.
cli/azd/pkg/azdext/logger_test.go Tests for logger levels, structured output, and chaining.
cli/azd/pkg/azdext/keyvault_resolver.go Adds Key Vault akvs:// secret reference resolver.
cli/azd/pkg/azdext/mcp_server_builder.go Adds note about potential future package split for MCP library coupling.
cli/azd/pkg/azdext/extension_command.go Adds note about potential future package split for Cobra coupling.
cli/azd/pkg/azdext/context.go Deprecates NewContext in favor of Run/command helpers.
cli/azd/pkg/azdext/token_provider.go Updates TokenProvider doc snippet (signature change).
cli/azd/pkg/azdext/scope_detector.go Adjusts rule handling + error formatting behavior.
cli/azd/pkg/azdext/resilient_http_client.go Adjusts retry defaults, jitter, and Retry-After parsing behavior.
cli/azd/pkg/azdext/resilient_http_client_test.go Updates tests for resilient client behavior changes.
cli/azd/pkg/azdext/pagination.go Adjusts pager init/validation and truncation semantics.
cli/azd/pkg/azdext/pagination_test.go Updates tests for pager behavior changes.
cli/azd/pkg/azdext/run_test.go Tests for error message/suggestion extraction helpers.
cli/azd/extensions/azure.appservice/main.go Switches extension entrypoint to azdext.Run.
cli/azd/extensions/azure.appservice/internal/cmd/swap.go Adds selection index bounds checks + slot name validation.
cli/azd/extensions/azure.appservice/go.mod Updates module deps/replace comment for monorepo development.
cli/azd/extensions/azure.appservice/go.sum Updates dependency checksums.
cli/azd/extensions/azure.ai.agents/internal/pkg/agents/agent_api/models.go Formatting fix (go fmt).
cli/azd/extensions/azure.ai.agents/internal/cmd/show.go Formatting fix (alignment).
cli/azd/extensions/azure.ai.agents/internal/cmd/monitor.go Formatting fix (alignment).
cli/azd/docs/extensions/extension-framework.md Updates docs to recommend azdext.Run and links related guides.
cli/azd/CHANGELOG.md Changelog entries for new SDK helper surfaces and docs.
cli/azd/.vscode/cspell.yaml Adds dictionary words for new SDK terminology.
Comments suppressed due to low confidence (1)

cli/azd/pkg/azdext/pagination.go:234

  • validateNextLink allows nextLink values with an empty scheme/host (e.g. relative URLs like /page2) and will accept them without SSRF host validation. This will later fail in http.NewRequest/Do() (missing scheme/host) and is also inconsistent with the comment that nextLink “must stay on the same host with HTTPS”. Consider requiring an absolute HTTPS URL (or explicitly resolving relative URLs against the current/origin URL and then enforcing same-host + https).
// validateNextLink checks that a nextLink URL is safe to follow.
// It rejects non-HTTPS schemes, URLs with embedded credentials, and
// URLs pointing to a different host than the original request (SSRF protection).
func (p *Pager[T]) validateNextLink(nextLink string) error {
	u, err := url.Parse(nextLink)
	if err != nil {
		return fmt.Errorf("invalid nextLink URL: %w", err)
	}

	if u.Scheme != "" && u.Scheme != "https" {
		return fmt.Errorf("nextLink must use HTTPS (got %q)", u.Scheme)
	}

	if u.User != nil {
		return errors.New("nextLink must not contain user credentials")
	}

	host := strings.ToLower(u.Hostname())
	if host != "" && p.originHost != "" && host != p.originHost {
		return fmt.Errorf("nextLink host %q does not match origin host %q (possible SSRF)", host, p.originHost)
	}

	return nil

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jongio jongio marked this pull request as draft March 6, 2026 18:20
@jongio jongio force-pushed the feature/ext-sdk-improvements branch 2 times, most recently from 9554fed to fa5b1f7 Compare March 6, 2026 18:40
@jongio
Copy link
Member Author

jongio commented Mar 6, 2026

@copilot please re-review the latest changes. All 6 agreed-upon review comments have been addressed.

@jongio jongio force-pushed the feature/ext-sdk-improvements branch from fa5b1f7 to 6603758 Compare March 6, 2026 18:52
@jongio jongio requested a review from Copilot March 6, 2026 21:27
@jongio jongio marked this pull request as ready for review March 6, 2026 21:27
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 47 out of 51 changed files in this pull request and generated 10 comments.

Comments suppressed due to low confidence (1)

cli/azd/pkg/azdext/pagination.go:193

  • Pager.NextPage reads the response body with io.LimitReader(resp.Body, maxPageResponseSize) and then unmarshals it. If the server returns more than maxPageResponseSize bytes, the body will be silently truncated and the JSON decode error will be misleading. Consider restoring the prior pattern of reading maxPageResponseSize+1 and returning an explicit "response exceeds max page size" error when the limit is exceeded.
	data, err := io.ReadAll(io.LimitReader(resp.Body, maxPageResponseSize))
	if err != nil {
		return nil, fmt.Errorf("azdext.Pager.NextPage: failed to read response: %w", err)
	}

	var page PageResponse[T]
	if err := json.Unmarshal(data, &page); err != nil {
		return nil, fmt.Errorf("azdext.Pager.NextPage: failed to decode response: %w", err)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jongio
Copy link
Member Author

jongio commented Mar 6, 2026

Architecture Note: KeyVault Resolver Design Decision

The keyvault_resolver.go in azdext intentionally maintains its own secret retrieval logic rather than calling through to core pkg/keyvault/KeyVaultService.SecretFromAkvs(). Here's why:

What IS shared (no duplication):

  • keyvault.IsAzureKeyVaultSecret() — URI scheme detection
  • keyvault.ParseAzureKeyVaultSecret()akvs:// URI parsing

What is NOT shared (by design):

  • The actual GetSecret call (~20 lines) uses different credential models

Core keyvault requires SubscriptionCredentialProvider (DI-injected, resolves credentials per Azure subscription) + cloud.Cloud config. Extensions cannot and should not access azd's DI container.

Azdext resolver accepts a simple azcore.TokenCredential — any valid Azure credential works. No DI dependency, standalone, testable via injected secretClientFactory, with typed errors (KeyVaultResolveError + ResolveReason enum) and batch support (ResolveMap).

If we consolidate in the future, the azdext pattern is the better foundation — simpler credential model, better error handling, and inherently testable. Core's SecretFromAkvs() could eventually delegate to this resolver pattern.

@jongio jongio marked this pull request as draft March 7, 2026 00:00
@jongio
Copy link
Member Author

jongio commented Mar 8, 2026

I will pull the key vault resolution feature into a new pr.

This was referenced Mar 8, 2026
Open
Draft
jongio
jongio commented Mar 9, 2026
View reviewed changes
Copy link
Member Author

@jongio jongio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

blockMetadata IS read — it's used at lines 229 and 252 of checkCore() to classify blocked metadata hosts with the distinct metadata_endpoint reason instead of the generic blocked_host. The field, the documented SSRFError.Reason values, and the implementation are all aligned. No changes needed.

@jongio jongio force-pushed the feature/ext-sdk-improvements branch 3 times, most recently from 01aaaea to 564e281 Compare March 9, 2026 19:42
@azure-sdk
Copy link
Collaborator

azure-sdk commented Mar 11, 2026

Azure Dev CLI Install Instructions

Install scripts

MacOS/Linux

May elevate using sudo on some platforms and configurations

bash:

curl -fsSL https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/uninstall-azd.sh | bash;
curl -fsSL https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/install-azd.sh | bash -s -- --base-url https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025 --version '' --verbose --skip-verify

pwsh:

Invoke-RestMethod 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/uninstall-azd.ps1' -OutFile uninstall-azd.ps1; ./uninstall-azd.ps1
Invoke-RestMethod 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/install-azd.ps1' -OutFile install-azd.ps1; ./install-azd.ps1 -BaseUrl 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025' -Version '' -SkipVerify -Verbose

Windows

PowerShell install

powershell -c "Set-ExecutionPolicy Bypass Process; irm 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/uninstall-azd.ps1' > uninstall-azd.ps1; ./uninstall-azd.ps1;"
powershell -c "Set-ExecutionPolicy Bypass Process; irm 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/install-azd.ps1' > install-azd.ps1; ./install-azd.ps1 -BaseUrl 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025' -Version '' -SkipVerify -Verbose;"

MSI install

powershell -c "irm 'https://azuresdkartifacts.z5.web.core.windows.net/azd/standalone/pr/7025/azd-windows-amd64.msi' -OutFile azd-windows-amd64.msi; msiexec /i azd-windows-amd64.msi /qn"

Standalone Binary

MSI

Documentation

learn.microsoft.com documentation

title: Azure Developer CLI reference
description: This article explains the syntax and parameters for the various Azure Developer CLI commands.
author: alexwolfmsft
ms.author: alexwolf
ms.date: 03/11/2026
ms.service: azure-dev-cli
ms.topic: conceptual
ms.custom: devx-track-azdevcli

Azure Developer CLI reference

This article explains the syntax and parameters for the various Azure Developer CLI commands.

azd

The Azure Developer CLI (azd) is an open-source tool that helps onboard and manage your project on Azure

Options

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --docs         Opens the documentation for azd in your web browser.
  -h, --help         Gets help for azd.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd add: Add a component to your project.
  • azd auth: Authenticate with Azure.
  • azd completion: Generate shell completion scripts.
  • azd config: Manage azd configurations (ex: default Azure subscription, location).
  • azd deploy: Deploy your project code to Azure.
  • azd down: Delete your project's Azure resources.
  • azd env: Manage environments (ex: default environment, environment variables).
  • azd extension: Manage azd extensions.
  • azd hooks: Develop, test and run hooks for a project.
  • azd infra: Manage your Infrastructure as Code (IaC).
  • azd init: Initialize a new application.
  • azd mcp: Manage Model Context Protocol (MCP) server. (Alpha)
  • azd monitor: Monitor a deployed project.
  • azd package: Packages the project's code to be deployed to Azure.
  • azd pipeline: Manage and configure your deployment pipelines.
  • azd provision: Provision Azure resources for your project.
  • azd publish: Publish a service to a container registry.
  • azd restore: Restores the project's dependencies.
  • azd show: Display information about your project and its resources.
  • azd template: Find and view template details.
  • azd up: Provision and deploy your project to Azure with a single command.
  • azd version: Print the version number of Azure Developer CLI.

azd add

Add a component to your project.

azd add [flags]

Options

      --docs   Opens the documentation for azd add in your web browser.
  -h, --help   Gets help for add.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd auth

Authenticate with Azure.

Options

      --docs   Opens the documentation for azd auth in your web browser.
  -h, --help   Gets help for auth.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd auth login

Log in to Azure.

Synopsis

Log in to Azure.

When run without any arguments, log in interactively using a browser. To log in using a device code, pass
--use-device-code.

To log in as a service principal, pass --client-id and --tenant-id as well as one of: --client-secret,
--client-certificate, or --federated-credential-provider.

To log in using a managed identity, pass --managed-identity, which will use the system assigned managed identity.
To use a user assigned managed identity, pass --client-id in addition to --managed-identity with the client id of
the user assigned managed identity you wish to use.

azd auth login [flags]

Options

      --check-status                           Checks the log-in status instead of logging in.
      --client-certificate string              The path to the client certificate for the service principal to authenticate with.
      --client-id string                       The client id for the service principal to authenticate with.
      --client-secret string                   The client secret for the service principal to authenticate with. Set to the empty string to read the value from the console.
      --docs                                   Opens the documentation for azd auth login in your web browser.
      --federated-credential-provider string   The provider to use to acquire a federated token to authenticate with. Supported values: github, azure-pipelines, oidc
  -h, --help                                   Gets help for login.
      --managed-identity                       Use a managed identity to authenticate.
      --redirect-port int                      Choose the port to be used as part of the redirect URI during interactive login.
      --tenant-id string                       The tenant id or domain name to authenticate with.
      --use-device-code[=true]                 When true, log in by using a device code instead of a browser.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd auth logout

Log out of Azure.

Synopsis

Log out of Azure

azd auth logout [flags]

Options

      --docs   Opens the documentation for azd auth logout in your web browser.
  -h, --help   Gets help for logout.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd auth status

Show the current authentication status.

Synopsis

Display whether you are logged in to Azure and the associated account information.

azd auth status [flags]

Options

      --docs   Opens the documentation for azd auth status in your web browser.
  -h, --help   Gets help for status.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd completion

Generate shell completion scripts.

Synopsis

Generate shell completion scripts for azd.

The completion command allows you to generate autocompletion scripts for your shell,
currently supports bash, zsh, fish and PowerShell.

See each sub-command's help for details on how to use the generated script.

Options

      --docs   Opens the documentation for azd completion in your web browser.
  -h, --help   Gets help for completion.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd completion bash

Generate bash completion script.

azd completion bash

Options

      --docs   Opens the documentation for azd completion bash in your web browser.
  -h, --help   Gets help for bash.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd completion fig

Generate Fig autocomplete spec.

azd completion fig

Options

      --docs   Opens the documentation for azd completion fig in your web browser.
  -h, --help   Gets help for fig.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd completion fish

Generate fish completion script.

azd completion fish

Options

      --docs   Opens the documentation for azd completion fish in your web browser.
  -h, --help   Gets help for fish.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd completion powershell

Generate PowerShell completion script.

azd completion powershell

Options

      --docs   Opens the documentation for azd completion powershell in your web browser.
  -h, --help   Gets help for powershell.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd completion zsh

Generate zsh completion script.

azd completion zsh

Options

      --docs   Opens the documentation for azd completion zsh in your web browser.
  -h, --help   Gets help for zsh.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config

Manage azd configurations (ex: default Azure subscription, location).

Synopsis

Manage the Azure Developer CLI user configuration, which includes your default Azure subscription and location.

Available since azure-dev-cli_0.4.0-beta.1.

The easiest way to configure azd for the first time is to run azd init. The subscription and location you select will be stored in the config.json file located in the config directory. To configure azd anytime afterwards, you'll use azd config set.

The default value of the config directory is:

  • $HOME/.azd on Linux and macOS
  • %USERPROFILE%.azd on Windows

The configuration directory can be overridden by specifying a path in the AZD_CONFIG_DIR environment variable.

Options

      --docs   Opens the documentation for azd config in your web browser.
  -h, --help   Gets help for config.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config get

Gets a configuration.

Synopsis

Gets a configuration in the configuration path.

The default value of the config directory is:

  • $HOME/.azd on Linux and macOS
  • %USERPROFILE%\.azd on Windows

The configuration directory can be overridden by specifying a path in the AZD_CONFIG_DIR environment variable.

azd config get <path> [flags]

Options

      --docs   Opens the documentation for azd config get in your web browser.
  -h, --help   Gets help for get.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config list-alpha

Display the list of available features in alpha stage.

azd config list-alpha [flags]

Options

      --docs   Opens the documentation for azd config list-alpha in your web browser.
  -h, --help   Gets help for list-alpha.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config options

List all available configuration settings.

Synopsis

List all possible configuration settings that can be set with azd, including descriptions and allowed values.

azd config options [flags]

Options

      --docs   Opens the documentation for azd config options in your web browser.
  -h, --help   Gets help for options.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config reset

Resets configuration to default.

Synopsis

Resets all configuration in the configuration path.

The default value of the config directory is:

  • $HOME/.azd on Linux and macOS
  • %USERPROFILE%\.azd on Windows

The configuration directory can be overridden by specifying a path in the AZD_CONFIG_DIR environment variable to the default.

azd config reset [flags]

Options

      --docs    Opens the documentation for azd config reset in your web browser.
  -f, --force   Force reset without confirmation.
  -h, --help    Gets help for reset.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config set

Sets a configuration.

Synopsis

Sets a configuration in the configuration path.

The default value of the config directory is:

  • $HOME/.azd on Linux and macOS
  • %USERPROFILE%\.azd on Windows

The configuration directory can be overridden by specifying a path in the AZD_CONFIG_DIR environment variable.

azd config set <path> <value> [flags]

Examples

azd config set defaults.subscription <yourSubscriptionID>
azd config set defaults.location eastus

Options

      --docs   Opens the documentation for azd config set in your web browser.
  -h, --help   Gets help for set.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config show

Show all the configuration values.

Synopsis

Show all configuration values in the configuration path.

The default value of the config directory is:

  • $HOME/.azd on Linux and macOS
  • %USERPROFILE%\.azd on Windows

The configuration directory can be overridden by specifying a path in the AZD_CONFIG_DIR environment variable.

azd config show [flags]

Options

      --docs   Opens the documentation for azd config show in your web browser.
  -h, --help   Gets help for show.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd config unset

Unsets a configuration.

Synopsis

Removes a configuration in the configuration path.

The default value of the config directory is:

  • $HOME/.azd on Linux and macOS
  • %USERPROFILE%\.azd on Windows

The configuration directory can be overridden by specifying a path in the AZD_CONFIG_DIR environment variable.

azd config unset <path> [flags]

Examples

azd config unset defaults.location

Options

      --docs   Opens the documentation for azd config unset in your web browser.
  -h, --help   Gets help for unset.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd deploy

Deploy your project code to Azure.

azd deploy <service> [flags]

Options

      --all                   Deploys all services that are listed in azure.yaml
      --docs                  Opens the documentation for azd deploy in your web browser.
  -e, --environment string    The name of the environment to use.
      --from-package string   Deploys the packaged service located at the provided path. Supports zipped file packages (file path) or container images (image tag).
  -h, --help                  Gets help for deploy.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd down

Delete your project's Azure resources.

azd down [<layer>] [flags]

Options

      --docs                 Opens the documentation for azd down in your web browser.
  -e, --environment string   The name of the environment to use.
      --force                Does not require confirmation before it deletes resources.
  -h, --help                 Gets help for down.
      --purge                Does not require confirmation before it permanently deletes resources that are soft-deleted by default (for example, key vaults).

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd env

Manage environments (ex: default environment, environment variables).

Options

      --docs   Opens the documentation for azd env in your web browser.
  -h, --help   Gets help for env.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd env config

Manage environment configuration (ex: stored in .azure//config.json).

Options

      --docs   Opens the documentation for azd env config in your web browser.
  -h, --help   Gets help for config.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd env config get

Gets a configuration value from the environment.

Synopsis

Gets a configuration value from the environment's config.json file.

azd env config get <path> [flags]

Options

      --docs                 Opens the documentation for azd env config get in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for get.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd env config set

Sets a configuration value in the environment.

Synopsis

Sets a configuration value in the environment's config.json file.

Values are automatically parsed as JSON types when possible. Booleans (true/false),
numbers (42, 3.14), arrays ([...]), and objects ({...}) are stored with their native
JSON types. Plain text values are stored as strings. To force a JSON-typed value to be
stored as a string, wrap it in JSON quotes (e.g. '"true"' or '"8080"').

azd env config set <path> <value> [flags]

Examples

azd env config set myapp.endpoint https://example.com
azd env config set myapp.debug true
azd env config set myapp.count 42
azd env config set infra.parameters.tags '{"env":"dev"}'
azd env config set myapp.port '"8080"'

Options

      --docs                 Opens the documentation for azd env config set in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for set.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd env config unset

Unsets a configuration value in the environment.

Synopsis

Removes a configuration value from the environment's config.json file.

azd env config unset <path> [flags]

Examples

azd env config unset myapp.endpoint

Options

      --docs                 Opens the documentation for azd env config unset in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for unset.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd env get-value

Get specific environment value.

azd env get-value <keyName> [flags]

Options

      --docs                 Opens the documentation for azd env get-value in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for get-value.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env get-values

Get all environment values.

azd env get-values [flags]

Options

      --docs                 Opens the documentation for azd env get-values in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for get-values.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env list

List environments.

azd env list [flags]

Options

      --docs   Opens the documentation for azd env list in your web browser.
  -h, --help   Gets help for list.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env new

Create a new environment and set it as the default.

azd env new <environment> [flags]

Options

      --docs                  Opens the documentation for azd env new in your web browser.
  -h, --help                  Gets help for new.
  -l, --location string       Azure location for the new environment
      --subscription string   ID of an Azure subscription to use for the new environment

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env refresh

Refresh environment values by using information from a previous infrastructure provision.

azd env refresh <environment> [flags]

Options

      --docs                 Opens the documentation for azd env refresh in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for refresh.
      --hint string          Hint to help identify the environment to refresh
      --layer string         Provisioning layer to refresh the environment from.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env remove

Remove an environment.

azd env remove <environment> [flags]

Options

      --docs                 Opens the documentation for azd env remove in your web browser.
  -e, --environment string   The name of the environment to use.
      --force                Skips confirmation before performing removal.
  -h, --help                 Gets help for remove.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env select

Set the default environment.

azd env select [<environment>] [flags]

Options

      --docs   Opens the documentation for azd env select in your web browser.
  -h, --help   Gets help for select.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env set

Set one or more environment values.

Synopsis

Set one or more environment values using key-value pairs or by loading from a .env formatted file.

azd env set [<key> <value>] | [<key>=<value> ...] | [--file <filepath>] [flags]

Options

      --docs                 Opens the documentation for azd env set in your web browser.
  -e, --environment string   The name of the environment to use.
      --file string          Path to .env formatted file to load environment values from.
  -h, --help                 Gets help for set.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd env set-secret

Set a name as a reference to a Key Vault secret in the environment.

Synopsis

You can either create a new Key Vault secret or select an existing one.
The provided name is the key for the .env file which holds the secret reference to the Key Vault secret.

azd env set-secret <name> [flags]

Options

      --docs                 Opens the documentation for azd env set-secret in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for set-secret.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

  • azd env: Manage environments (ex: default environment, environment variables).
  • Back to top

azd extension

Manage azd extensions.

Options

      --docs   Opens the documentation for azd extension in your web browser.
  -h, --help   Gets help for extension.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension install

Installs specified extensions.

azd extension install <extension-id> [flags]

Options

      --docs             Opens the documentation for azd extension install in your web browser.
  -f, --force            Force installation, including downgrades and reinstalls
  -h, --help             Gets help for install.
  -s, --source string    The extension source to use for installs
  -v, --version string   The version of the extension to install

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension list

List available extensions.

azd extension list [--installed] [flags]

Options

      --docs            Opens the documentation for azd extension list in your web browser.
  -h, --help            Gets help for list.
      --installed       List installed extensions
      --source string   Filter extensions by source
      --tags strings    Filter extensions by tags

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension show

Show details for a specific extension.

azd extension show <extension-id> [flags]

Options

      --docs            Opens the documentation for azd extension show in your web browser.
  -h, --help            Gets help for show.
  -s, --source string   The extension source to use.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension source

View and manage extension sources

Options

      --docs   Opens the documentation for azd extension source in your web browser.
  -h, --help   Gets help for source.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension source add

Add an extension source with the specified name

azd extension source add [flags]

Options

      --docs              Opens the documentation for azd extension source add in your web browser.
  -h, --help              Gets help for add.
  -l, --location string   The location of the extension source
  -n, --name string       The name of the extension source
  -t, --type string       The type of the extension source. Supported types are 'file' and 'url'

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension source list

List extension sources

azd extension source list [flags]

Options

      --docs   Opens the documentation for azd extension source list in your web browser.
  -h, --help   Gets help for list.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension source remove

Remove an extension source with the specified name

azd extension source remove <name> [flags]

Options

      --docs   Opens the documentation for azd extension source remove in your web browser.
  -h, --help   Gets help for remove.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension source validate

Validate an extension source's registry.json file.

Synopsis

Validate an extension source's registry.json file.

Accepts a source name (from 'azd extension source list'), a local file path,
or a URL. Checks required fields, valid capabilities, semver version format,
platform artifact structure, and extension ID format.

azd extension source validate <name-or-path-or-url> [flags]

Options

      --docs     Opens the documentation for azd extension source validate in your web browser.
  -h, --help     Gets help for validate.
      --strict   Enable strict validation (require checksums)

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension uninstall

Uninstall specified extensions.

azd extension uninstall [extension-id] [flags]

Options

      --all    Uninstall all installed extensions
      --docs   Opens the documentation for azd extension uninstall in your web browser.
  -h, --help   Gets help for uninstall.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd extension upgrade

Upgrade specified extensions.

azd extension upgrade [extension-id] [flags]

Options

      --all              Upgrade all installed extensions
      --docs             Opens the documentation for azd extension upgrade in your web browser.
  -h, --help             Gets help for upgrade.
  -s, --source string    The extension source to use for upgrades
  -v, --version string   The version of the extension to upgrade to

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd hooks

Develop, test and run hooks for a project.

Options

      --docs   Opens the documentation for azd hooks in your web browser.
  -h, --help   Gets help for hooks.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd hooks run

Runs the specified hook for the project and services

azd hooks run <name> [flags]

Options

      --docs                 Opens the documentation for azd hooks run in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for run.
      --platform string      Forces hooks to run for the specified platform.
      --service string       Only runs hooks for the specified service.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd infra

Manage your Infrastructure as Code (IaC).

Options

      --docs   Opens the documentation for azd infra in your web browser.
  -h, --help   Gets help for infra.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd infra generate

Write IaC for your project to disk, allowing you to manually manage it.

azd infra generate [flags]

Options

      --docs                 Opens the documentation for azd infra generate in your web browser.
  -e, --environment string   The name of the environment to use.
      --force                Overwrite any existing files without prompting
  -h, --help                 Gets help for generate.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd init

Initialize a new application.

azd init [flags]

Options

  -b, --branch string         The template branch to initialize from. Must be used with a template argument (--template or -t).
      --docs                  Opens the documentation for azd init in your web browser.
  -e, --environment string    The name of the environment to use.
  -f, --filter strings        The tag(s) used to filter template results. Supports comma-separated values.
      --from-code             Initializes a new application from your existing code.
  -h, --help                  Gets help for init.
  -l, --location string       Azure location for the new environment
  -m, --minimal               Initializes a minimal project.
  -s, --subscription string   ID of an Azure subscription to use for the new environment
  -t, --template string       Initializes a new application from a template. You can use a Full URI, <owner>/<repository>, <repository> if it's part of the azure-samples organization, or a local directory path (./dir, ../dir, or absolute path).
      --up                    Provision and deploy to Azure after initializing the project from a template.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd mcp

Manage Model Context Protocol (MCP) server. (Alpha)

Options

      --docs   Opens the documentation for azd mcp in your web browser.
  -h, --help   Gets help for mcp.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd mcp consent

Manage MCP tool consent.

Synopsis

Manage consent rules for MCP tool execution.

Options

      --docs   Opens the documentation for azd mcp consent in your web browser.
  -h, --help   Gets help for consent.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd mcp consent grant

Grant consent trust rules.

Synopsis

Grant trust rules for MCP tools and servers.

This command creates consent rules that allow MCP tools to execute
without prompting for permission. You can specify different permission
levels and scopes for the rules.

Examples:

Grant always permission to all tools globally

azd mcp consent grant --global --permission always

Grant project permission to a specific tool with read-only scope

azd mcp consent grant --server my-server --tool my-tool --permission project --scope read-only

azd mcp consent grant [flags]

Options

      --action string       Action type: 'all' or 'readonly' (default "all")
      --docs                Opens the documentation for azd mcp consent grant in your web browser.
      --global              Apply globally to all servers
  -h, --help                Gets help for grant.
      --operation string    Operation type: 'tool' or 'sampling' (default "tool")
      --permission string   Permission: 'allow', 'deny', or 'prompt' (default "allow")
      --scope string        Rule scope: 'global', or 'project' (default "global")
      --server string       Server name
      --tool string         Specific tool name (requires --server)

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd mcp consent list

List consent rules.

Synopsis

List all consent rules for MCP tools.

azd mcp consent list [flags]

Options

      --action string       Action type to filter by (readonly, any)
      --docs                Opens the documentation for azd mcp consent list in your web browser.
  -h, --help                Gets help for list.
      --operation string    Operation to filter by (tool, sampling)
      --permission string   Permission to filter by (allow, deny, prompt)
      --scope string        Consent scope to filter by (global, project). If not specified, lists rules from all scopes.
      --target string       Specific target to operate on (server/tool format)

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd mcp consent revoke

Revoke consent rules.

Synopsis

Revoke consent rules for MCP tools.

azd mcp consent revoke [flags]

Options

      --action string       Action type to filter by (readonly, any)
      --docs                Opens the documentation for azd mcp consent revoke in your web browser.
  -h, --help                Gets help for revoke.
      --operation string    Operation to filter by (tool, sampling)
      --permission string   Permission to filter by (allow, deny, prompt)
      --scope string        Consent scope to filter by (global, project). If not specified, revokes rules from all scopes.
      --target string       Specific target to operate on (server/tool format)

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd mcp start

Starts the MCP server.

Synopsis

Starts the Model Context Protocol (MCP) server.

This command starts an MCP server that can be used by MCP clients to access
azd functionality through the Model Context Protocol interface.

azd mcp start [flags]

Options

      --docs   Opens the documentation for azd mcp start in your web browser.
  -h, --help   Gets help for start.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd monitor

Monitor a deployed project.

azd monitor [flags]

Options

      --docs                 Opens the documentation for azd monitor in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for monitor.
      --live                 Open a browser to Application Insights Live Metrics. Live Metrics is currently not supported for Python apps.
      --logs                 Open a browser to Application Insights Logs.
      --overview             Open a browser to Application Insights Overview Dashboard.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd package

Packages the project's code to be deployed to Azure.

azd package <service> [flags]

Options

      --all                  Packages all services that are listed in azure.yaml
      --docs                 Opens the documentation for azd package in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for package.
      --output-path string   File or folder path where the generated packages will be saved.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd pipeline

Manage and configure your deployment pipelines.

Options

      --docs   Opens the documentation for azd pipeline in your web browser.
  -h, --help   Gets help for pipeline.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd pipeline config

Configure your deployment pipeline to connect securely to Azure. (Beta)

azd pipeline config [flags]

Options

  -m, --applicationServiceManagementReference string   Service Management Reference. References application or service contact information from a Service or Asset Management database. This value must be a Universally Unique Identifier (UUID). You can set this value globally by running azd config set pipeline.config.applicationServiceManagementReference <UUID>.
      --auth-type string                               The authentication type used between the pipeline provider and Azure for deployment (Only valid for GitHub provider). Valid values: federated, client-credentials.
      --docs                                           Opens the documentation for azd pipeline config in your web browser.
  -e, --environment string                             The name of the environment to use.
  -h, --help                                           Gets help for config.
      --principal-id string                            The client id of the service principal to use to grant access to Azure resources as part of the pipeline.
      --principal-name string                          The name of the service principal to use to grant access to Azure resources as part of the pipeline.
      --principal-role stringArray                     The roles to assign to the service principal. By default the service principal will be granted the Contributor and User Access Administrator roles. (default [Contributor,User Access Administrator])
      --provider string                                The pipeline provider to use (github for Github Actions and azdo for Azure Pipelines).
      --remote-name string                             The name of the git remote to configure the pipeline to run on. (default "origin")

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd provision

Provision Azure resources for your project.

azd provision [<layer>] [flags]

Options

      --docs                  Opens the documentation for azd provision in your web browser.
  -e, --environment string    The name of the environment to use.
  -h, --help                  Gets help for provision.
  -l, --location string       Azure location for the new environment
      --no-state              (Bicep only) Forces a fresh deployment based on current Bicep template files, ignoring any stored deployment state.
      --preview               Preview changes to Azure resources.
      --subscription string   ID of an Azure subscription to use for the new environment

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd publish

Publish a service to a container registry.

azd publish <service> [flags]

Options

      --all                   Publishes all services that are listed in azure.yaml
      --docs                  Opens the documentation for azd publish in your web browser.
  -e, --environment string    The name of the environment to use.
      --from-package string   Publishes the service from a container image (image tag).
  -h, --help                  Gets help for publish.
      --to string             The target container image in the form '[registry/]repository[:tag]' to publish to.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd restore

Restores the project's dependencies.

azd restore <service> [flags]

Options

      --all                  Restores all services that are listed in azure.yaml
      --docs                 Opens the documentation for azd restore in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for restore.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd show

Display information about your project and its resources.

azd show [resource-name|resource-id] [flags]

Options

      --docs                 Opens the documentation for azd show in your web browser.
  -e, --environment string   The name of the environment to use.
  -h, --help                 Gets help for show.
      --show-secrets         Unmask secrets in output.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template

Find and view template details.

Options

      --docs   Opens the documentation for azd template in your web browser.
  -h, --help   Gets help for template.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template list

Show list of sample azd templates. (Beta)

azd template list [flags]

Options

      --docs             Opens the documentation for azd template list in your web browser.
  -f, --filter strings   The tag(s) used to filter template results. Supports comma-separated values.
  -h, --help             Gets help for list.
  -s, --source string    Filters templates by source.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template show

Show details for a given template. (Beta)

azd template show <template> [flags]

Options

      --docs   Opens the documentation for azd template show in your web browser.
  -h, --help   Gets help for show.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template source

View and manage template sources. (Beta)

Options

      --docs   Opens the documentation for azd template source in your web browser.
  -h, --help   Gets help for source.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template source add

Adds an azd template source with the specified key. (Beta)

Synopsis

The key can be any value that uniquely identifies the template source, with well-known values being:
・default: Default templates
・awesome-azd: Templates from https://aka.ms/awesome-azd

azd template source add <key> [flags]

Options

      --docs              Opens the documentation for azd template source add in your web browser.
  -h, --help              Gets help for add.
  -l, --location string   Location of the template source. Required when using type flag.
  -n, --name string       Display name of the template source.
  -t, --type string       Kind of the template source. Supported types are 'file', 'url' and 'gh'.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template source list

Lists the configured azd template sources. (Beta)

azd template source list [flags]

Options

      --docs   Opens the documentation for azd template source list in your web browser.
  -h, --help   Gets help for list.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd template source remove

Removes the specified azd template source (Beta)

azd template source remove <key> [flags]

Options

      --docs   Opens the documentation for azd template source remove in your web browser.
  -h, --help   Gets help for remove.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd up

Provision and deploy your project to Azure with a single command.

azd up [flags]

Options

      --docs                  Opens the documentation for azd up in your web browser.
  -e, --environment string    The name of the environment to use.
  -h, --help                  Gets help for up.
  -l, --location string       Azure location for the new environment
      --subscription string   ID of an Azure subscription to use for the new environment

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

azd version

Print the version number of Azure Developer CLI.

azd version [flags]

Options

      --docs   Opens the documentation for azd version in your web browser.
  -h, --help   Gets help for version.

Options inherited from parent commands

  -C, --cwd string   Sets the current working directory.
      --debug        Enables debugging and diagnostics logging.
      --no-prompt    Accepts the default value instead of prompting, or it fails if there is no default.

See also

jongio and others added 8 commits March 11, 2026 14:01
@jongio
feat(azdext): Extension SDK improvements — integration, security, run…
c5da76f 
…time, cleanup

Consolidated PR covering issues Azure#6945, Azure#6946, Azure#6947, Azure#6948, Azure#6949:

- Key Vault resolver + config helpers (Azure#6945)
- Output + structured logging helpers (Azure#6946)
- Security validation + SSRF guard (Azure#6947)
- Runtime utilities: shell, file, process, TUI, tool discovery (Azure#6948)
- Post-Azure#6856 cleanup: context ownership, package boundaries (Azure#6949)

Fixes Azure#6945
Fixes Azure#6946
Fixes Azure#6947
Fixes Azure#6948
Fixes Azure#6949
@jongio
chore: address review feedback — process, shell, pagination, ssrf, kv…
42cc756 
… resolver

- Add nil-check guards to process utilities
- Fix shell detection edge cases
- Simplify pagination with bounds checks
- Harden SSRF guard with additional blocked ranges
- Expand KeyVault resolver with @Microsoft.KeyVault format support
- Add extensions.go and show.go improvements
- Add keyvault.go helper functions for reference parsing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
chore: extract KeyVault resolver to separate PR
c297ef8 
Remove KeyVaultResolver, its tests, and keyvault.go helper additions
from this PR. The KV resolution feature is being tracked separately
as it is too large and contentious to bundle with other SDK improvements.

The feature will be submitted in a dedicated branch and PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: address PR review feedback
64453db 
- Fix swap.go indentation (extra tab on idx assignment)
- Reject relative nextLink URLs in pagination (SSRF protection)
- Clarify sanitizeControlChars comment
- Use golang.org/x/term.IsTerminal for reliable TTY detection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
chore: retrigger CI
00a428f 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: address CI lint failures (cspell + gosec)
880280d 
- Add 9 words to cspell dictionary (Fprintf, myhost, IMDS, sctx, Println,
  exfiltration, gocritic, dockerenv, preconfigured)
- Add //nolint:gosec annotations for G703, G204, G115 false positives
  in atomicfile.go, shell.go, and tooldiscovery.go

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
Fix security and code quality audit findings
114e736 
- SSRF: Replace ad-hoc IP checks with comprehensive ssrfCheckIP() blocklist
- SSRF: Document DNS rebinding TOCTOU limitation with TODO
- Security: Case-insensitive path comparison on Windows
- Pagination: Clear error on response truncation instead of cryptic JSON fail
- API: Make SkipExpand unexported sentinel with IsSkipExpand() accessor
- Concurrency: Fix worker goroutine deadlock risk in ARM resource walker
- Container apps: Match target container by image repo instead of index 0
- Dedup: Fall back to ResourceName when ResourceID is empty
- Tests: Add AZD_DEBUG fallback tests, remove unsafe os.Unsetenv
- Cleanup: Deduplicate env expansion, use strconv.ParseBool consistently
- Docs: Security notes for local-before-PATH and dotted path rejection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: address CI failures (cspell + unused function)
f35035d 
- Add missing words to cspell dictionary: dedup, gradlew, managedhsm,
  microsoftazure, newtag, TTLs
- Remove unused checkIPEncodingVariants function flagged by golangci-lint

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio jongio force-pushed the feature/ext-sdk-improvements branch from e5d5371 to f35035d Compare March 11, 2026 21:32
@jongio
fix: resolve compile errors and apply go fix modernization
d61c34a 
- Fix unused jitter variable in resilient_http_client.go
- Fix pagination_test.go: add fmt import, fix unused vars, fix body reference
- Apply go fix: use min() builtin, maps.Copy, range-over-int

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wbreza wbreza Awaiting requested review from wbreza wbreza is a code owner

@vhvb1989 vhvb1989 Awaiting requested review from vhvb1989 vhvb1989 is a code owner

@hemarina hemarina Awaiting requested review from hemarina hemarina is a code owner

@weikanglim weikanglim Awaiting requested review from weikanglim weikanglim is a code owner

@JeffreyCA JeffreyCA Awaiting requested review from JeffreyCA JeffreyCA is a code owner

@tg-msft tg-msft Awaiting requested review from tg-msft tg-msft is a code owner

@rajeshkamal5050 rajeshkamal5050 Awaiting requested review from rajeshkamal5050 rajeshkamal5050 is a code owner

@trangevi trangevi Awaiting requested review from trangevi

@trrwilson trrwilson Awaiting requested review from trrwilson

@therealjohn therealjohn Awaiting requested review from therealjohn

At least 1 approving review is required to merge this pull request.

Assignees

@jongio jongio

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@jongio @azure-sdk