The Azure Key Vault CLI can be used to read and decrypt secrets, pass them securely to other commands, or inject them into configuration files.
Use Homebrew to install binaries for most macOS and Linux platforms, or build source when necessary.
You first need to install the tap, but only the first time:
brew tap heaths/tapOnce the tap is installed, you can install or update the akv-cli formulae:
brew install akv-cliIf you have Rust installed, you can also build the CLI on nearly any platform:
cargo install akv-cliInspired by the 1Password CLI, you can use similar commands to read and decrypt secrets and from Azure Key Vault.
Though the crate is named akv-cli, note that the actual program is named akv.
Some arguments can read environment variables, e.g., --vault which reads from AZURE_KEYVAULT_URL.
This information can be found in --help for commands. This makes it easy to pass just the secret name e.g.,
export AZURE_KEYVAULT_URL=https://my-vault.vault.azure.net
akv secret list
akv read --name my-secretYou can read a templated file or from stdin to inject secrets into the stream.
Any secret ID e.g., https://my-vault.vault.azure.net/secrets/my-secret between {{ }} will be replaced, if it exists.
echo "my-secret: {{ https://my-vault.vault.azure.net/secrets/my-secret }}" | akv injectYou can also read from stdin, or from files using --in-file e.g.,
cat <<'EOF' | akv inject -o config.json
{
"token": "{{ https://my-vault.vault.azure.net/secrets/my-secret/746984e474594896aad9aff48aca0849 }}"
}
EOFYou can pass secrets to terminal applications, though how exactly depends on your shell. For bash,
cargo login $(akv read https://my-vault.vault.azure.net/secrets/my-secret)Note that secrets in Key Vault are versioned. The example above reads the latest version, but you can also read any version. It's often important to refer to a specific version until you're ready to rotate to a new secret.
akv read https://my-vault.vault.azure.net/secrets/my-secret/746984e474594896aad9aff48aca0849You can start a process that reads environment variables containing URLs to secrets or compact JSON Web Encryption (JWE) tokens instead of keeping secrets in environment variables that any process can read.
Environment variables can contain only a URL to a secret or compact JWE.
Secrets read or decrypted from Azure Key Vault will be masked in stdout and stderr unless you pass --no-masking.
export SECRET_VAR=https://my-vault.vault.azure.net/secrets/my-secret
akv run -- printenv SECRET_VAR
akv run --no-masking -- printenv SECRET_VARYou can encrypt secrets to store as compact JSON Web Encryption (JWE) tokens. A content encryption key (CEK) is generated and encrypted (wrapped) by Key Vault. The CEK is used to encrypt your secrets, and the encrypted CEK along with the full key ID including the version are encoded within the compact JWE.
export AZURE_KEYVAULT_URL=https://my-vault.vault.azure.net
JWE=$(akv encrypt --name my-key 'plaintext')
akv decrypt $JWEIf you do not pass a --version, the latest key version is used to encrypt; however,
the full key ID including the version used is encoded to make sure that you can decrypt your data
even if your key has been rotated.
You can also encrypt files. Pass a path to --in-file or - to read from stdin.
Note that if you encrypt binary data, you cannot decrypt it to stdout but can write it to a file using decrypt --out-file.
You can create, get, edit, and list secrets e.g.,
akv secret list --vault https://my-vault.vault.azure.netRead complete usage using --help:
akv secret --helpThough still a work in progress, inspiration was derived from the 1Password CLI. As the previous primary developer on the Azure Key Vault SDK for .NET and current primary developer on the Azure SDK for Rust - including Key Vault - I wanted to make something useful to test our initial prerelease of the Rust class libraries.
Licensed under the MIT license.