akv-cli 0.9.1

The Azure Key Vault CLI (unofficial) can read secrets from Key Vault, securely pass secrets to other commands or inject them into configuration files, encrypt and decrypt secrets, and managed keys and secrets in Key Vault.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

# Copyright 2026 Heath Stewart.
# Licensed under the MIT License. See LICENSE.txt in the project root for license information.

#Requires -Modules @{ ModuleName = 'Pester'; ModuleVersion = '5.0.0' }

# Run with: Invoke-Pester tests/Secrets.Tests.ps1
# Pass -Release to test a release build:
#   $container = New-PesterContainer -Path ./tests/Secrets.Tests.ps1 -Data @{ Release = $true }
#   $config = New-PesterConfiguration
#   $config.Run.Container = $container
#   Invoke-Pester -Configuration $config
#
# Requires a provisioned Key Vault via `azd up` or AZURE_KEYVAULT_URL set in the environment.

param(
    [switch] $Release
)

# cspell:ignore LASTEXITCODE
Describe 'Secrets' -Tag 'Secrets' {
    BeforeAll {
        # Build the binary before running tests.
        $repoRoot = Join-Path $PSScriptRoot '..' -Resolve
        if ($Release) {
            Write-Host 'Building release binary...'
            cargo build --release 2>&1
            $script:akv = Join-Path $repoRoot 'target' 'release' 'akv'
        } else {
            Write-Host 'Building debug binary...'
            cargo build 2>&1
            $script:akv = Join-Path $repoRoot 'target' 'debug' 'akv'
        }

        if ($LASTEXITCODE -ne 0) {
            throw "cargo build failed with exit code $LASTEXITCODE"
        }

        # Resolve AZURE_KEYVAULT_URL from the environment or via azd.
        $script:AZURE_KEYVAULT_URL = if ($env:AZURE_KEYVAULT_URL) {
            $env:AZURE_KEYVAULT_URL
        } else {
            azd env get-value AZURE_KEYVAULT_URL 2>$null
        }

        if (-not $script:AZURE_KEYVAULT_URL) {
            throw "AZURE_KEYVAULT_URL is not set. Run 'azd up' to provision resources first."
        }

        $script:AZURE_KEYVAULT_URL = $script:AZURE_KEYVAULT_URL.TrimEnd('/')

        $script:secretName = 'test-secret'

        # Create first version and capture the versioned ID.
        $v1 = & $script:akv secret create "${script:secretName}=version1" --vault $script:AZURE_KEYVAULT_URL --output json | ConvertFrom-Json
        $script:secretV1Url = $v1.id

        # Create second version by setting the same secret name with a new value.
        $v2 = & $script:akv secret create "${script:secretName}=version2" --vault $script:AZURE_KEYVAULT_URL --output json | ConvertFrom-Json
        $script:secretV2Url = $v2.id
    }

    Context 'Select by URL' -Tag 'URL' {
        It 'edits a secret using URL form' {
            $result = & $script:akv secret edit $script:secretV1Url --tags env=test --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $result.id | Should -Match "/secrets/${script:secretName}/"
        }

        It 'lists versions using URL form' {
            $versions = & $script:akv secret list-versions $script:secretV1Url --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $versions.Count | Should -BeGreaterOrEqual 2
        }

        It 'gets a versioned secret using URL form' {
            $result = & $script:akv secret get $script:secretV1Url --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $result.id | Should -Be $script:secretV1Url
        }

        It 'gets the latest (versionless) secret using URL form' {
            $versionlessUrl = "${script:AZURE_KEYVAULT_URL}/secrets/${script:secretName}"
            $result = & $script:akv secret get $versionlessUrl --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $result.id | Should -Match "/secrets/${script:secretName}/"
        }

        It 'reads a versioned secret using URL form' {
            $value = & $script:akv read $script:secretV1Url -n
            $LASTEXITCODE | Should -Be 0
            $value | Should -Be 'version1'
        }
    }

    Context 'Select by --name' -Tag 'Name' {
        It 'edits a secret using --name' {
            $result = & $script:akv secret edit --name $script:secretName --vault $script:AZURE_KEYVAULT_URL --tags env=test --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $result.id | Should -Match "/secrets/${script:secretName}/"
        }

        It 'lists versions using --name' {
            $versions = & $script:akv secret list-versions --name $script:secretName --vault $script:AZURE_KEYVAULT_URL --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $versions.Count | Should -BeGreaterOrEqual 2
        }

        It 'gets the latest (versionless) secret using --name' {
            # Latest version (v2) should differ from v1 URL.
            $result = & $script:akv secret get --name $script:secretName --vault $script:AZURE_KEYVAULT_URL --output json | ConvertFrom-Json
            $LASTEXITCODE | Should -Be 0
            $result.id | Should -Match "/secrets/${script:secretName}/"
            $result.id | Should -Not -Be $script:secretV1Url
        }

        It 'reads the latest secret using --name' {
            $value = & $script:akv read --name $script:secretName --vault $script:AZURE_KEYVAULT_URL -n
            $LASTEXITCODE | Should -Be 0
            $value | Should -Be 'version2'
        }
    }
}