https://github.com/adamrtalbot/azkeyget

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

○
CITATION.cff file
✓
codemeta.json file
Found codemeta.json file
✓
.zenodo.json file
Found .zenodo.json file
○
DOI references
○
Academic publication links
○
Academic email domains
○
Institutional organization owner
○
JOSS paper metadata
○
Scientific vocabulary similarity
Low similarity (12.6%) to scientific vocabulary

Last synced: 10 months ago · JSON representation

Repository

Basic Info

Host: GitHub
Owner: adamrtalbot
License: mit
Language: Go
Default Branch: main
Size: 179 KB

Statistics

Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
Releases: 3

Created 11 months ago · Last pushed 10 months ago

Metadata Files

Readme License

azkeyget

A lightweight CLI tool for retrieving secrets from Azure Key Vault.

Motivation

I wanted a simple tool that I could use in my scripts and CI/CD pipeline to retrieve secrets from Azure Key Vault without installing the full Azure CLI. Ideally, it would be a small binary I could install on a variety of platforms without additional configuration or dependencies, while being completely portable.

azkeyget is a small, portable CLI tool that retrieves secrets from Azure Key Vault. It's designed to be easy to use and package so you can quickly add it to machine images or containers.

Installation

Download the latest release

Download the latest release from the releases page.

Build from Source

```bash git clone cd azkeyget make build

or

go build -o azkeyget ./cmd/azkeyget ```

Prerequisites

Go 1.23 or later
Appropriate Azure permissions to access the target Key Vault

Usage

Basic Usage

bash azkeyget --vault-url <VAULT_URL> --secret <SECRET_NAME> [OPTIONS]

All parameters can be provided via command line flags or environment variables. Environment variables are used as defaults when CLI flags are not specified.

Environment Variables

| Environment Variable | CLI Flag | Description | |---------------------|----------|-------------| | AZURE_KEYVAULT_URL | --vault-url | Azure Key Vault URL | | AZURE_KEYVAULT_SECRET_NAME | --secret | Name of the secret to retrieve | | AZURE_AUTH_METHOD | --auth | Authentication method | | AZURE_CLIENT_ID | --client-id | Client ID for authentication | | AZURE_CLIENT_SECRET | --client-secret | Client secret for service principal | | AZURE_TENANT_ID | --tenant-id | Tenant ID for service principal | | AZURE_USER_ASSIGNED_ID | --user-assigned-id | User-assigned managed identity client ID | | AZURE_DEBUG | --debug | Enable debug logging (true/1/yes/on) |

Authentication Methods

Default Authentication (Recommended)

Uses the Azure SDK's default credential chain, which tries multiple authentication methods in order:

```bash azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret

Or using environment variables

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREKEYVAULTSECRET_NAME=mysecret azkeyget ```

System Managed Identity

For Azure VMs, App Service, or other Azure resources with system-assigned managed identity:

```bash azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret --auth system-mi

Or using environment variables

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREKEYVAULTSECRETNAME=mysecret export AZUREAUTH_METHOD=system-mi azkeyget ```

User-Assigned Managed Identity

For resources with user-assigned managed identity:

```bash azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret --auth user-mi --client-id 12345678-1234-1234-1234-123456789012

Or using environment variables

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREKEYVAULTSECRETNAME=mysecret export AZUREAUTHMETHOD=user-mi export AZURECLIENT_ID=12345678-1234-1234-1234-123456789012 azkeyget ```

Service Principal

For application authentication with client credentials:

```bash azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret --auth service-principal \ --client-id YOURCLIENTID \ --client-secret YOURCLIENTSECRET \ --tenant-id YOURTENANTID

Or using environment variables

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREKEYVAULTSECRETNAME=mysecret export AZUREAUTHMETHOD=service-principal export AZURECLIENTID=YOURCLIENTID export AZURECLIENTSECRET=YOURCLIENTSECRET export AZURETENANTID=YOURTENANT_ID azkeyget ```

Command Line Options

| Flag | Short | Environment Variable | Description | Required | |------|-------|---------------------|-------------|----------| | --vault-url | -v | AZURE_KEYVAULT_URL | Azure Key Vault URL | Yes* | | --secret | -s | AZURE_KEYVAULT_SECRET_NAME | Name of the secret to retrieve | Yes* | | --auth | -a | AZURE_AUTH_METHOD | Authentication method: default, system-mi, user-mi, service-principal | No (default: default) | | --client-id | | AZURE_CLIENT_ID | Client ID for service principal or user-assigned managed identity | Conditional | | --client-secret | | AZURE_CLIENT_SECRET | Client secret for service principal authentication | Conditional | | --tenant-id | | AZURE_TENANT_ID | Tenant ID for service principal authentication | Conditional | | --user-assigned-id | | AZURE_USER_ASSIGNED_ID | Alternative to --client-id for user-assigned managed identity | No | | --debug | | AZURE_DEBUG | Enable debug logging | No |

*Required unless provided via environment variable

Examples

Get a database connection string

```bash

Using CLI flags

DB_CONNECTION=$(azkeyget -v https://myvault.vault.azure.net/ -s database-connection-string) echo "Connection string retrieved"

Using environment variables

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREKEYVAULTSECRETNAME=database-connection-string DBCONNECTION=$(azkeyget) echo "Connection string retrieved" ```

Use in a script with error handling

```bash

!/bin/bash

Set up environment for the script

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREAUTHMETHOD=system-mi

SECRET=$(azkeyget --secret api-key 2>/dev/null) if [ $? -eq 0 ]; then echo "Secret retrieved successfully" # Use $SECRET in your application else echo "Failed to retrieve secret" >&2 exit 1 fi ```

CI/CD Pipeline with Service Principal

```bash

Set in your CI/CD environment

export AZUREKEYVAULTURL=https://myvault.vault.azure.net/ export AZUREAUTHMETHOD=service-principal export AZURECLIENTID=${{ secrets.AZURECLIENTID }} export AZURECLIENTSECRET=${{ secrets.AZURECLIENTSECRET }} export AZURETENANTID=${{ secrets.AZURETENANTID }}

Retrieve multiple secrets

APIKEY=$(azkeyget --secret api-key) DBPASSWORD=$(azkeyget --secret db-password) ```

Permissions

The identity used for authentication must have the following Key Vault permissions: - Secret permissions: Get

You can assign these permissions through: - Azure RBAC: Key Vault Secrets User role - Access policies: Get permission for secrets

Error Handling

The tool returns appropriate exit codes: - 0: Success - 1: Error (authentication failure, secret not found, network issues, etc.)

Error messages are written to stderr, while the secret value is written to stdout.

Default Azure Credential Chain

When using --auth default (or omitting the auth flag), the tool attempts authentication in this order:

Environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID
Workload Identity: For AKS workload identity
Managed Identity: System or user-assigned managed identity
Azure CLI: If logged in via az login
Azure PowerShell: If logged in via Azure PowerShell
Visual Studio: If logged in via Visual Studio
VS Code: If logged in via VS Code Azure extension

Troubleshooting

Common Issues

Authentication failed - Verify the identity has proper Key Vault permissions - Check that the authentication method matches your environment - For service principal auth, verify client ID, secret, and tenant ID

Secret not found - Verify the secret name is correct (case-sensitive) - Check that the secret exists and is enabled - Ensure the Key Vault URL is correct

Network issues - Verify connectivity to the Key Vault - Check firewall rules if using Key Vault network restrictions

Debug Mode

Enable debug logging to get detailed information about the authentication and secret retrieval process:

```bash

Using CLI flag

azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret --debug

Using environment variable

export AZURE_DEBUG=true azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret ```

Debug output includes:

Configuration details (vault URL, auth method, etc.)
Authentication method being used
Credential creation process
Key Vault client creation
Secret retrieval steps

Note: Debug information is written to stderr, while the secret value is still written to stdout, so you can still capture the secret value while debugging:

```bash SECRET=$(azkeyget --vault-url https://myvault.vault.azure.net/ --secret mysecret --debug)

Debug info goes to stderr, secret value is captured in $SECRET

```

Testing

Run the test suite to ensure everything works correctly:

```bash

Run all tests

go test -v

Run only unit tests (faster, no external dependencies)

go test -v -run "^(TestGetEnvOrDefault|TestCreateCredential|TestEnvironmentVariableIntegration)$"

Run with coverage

go test -v -cover ```

The test suite includes: - Unit tests for environment variable handling and credential creation

Development

Development Dependencies

The project uses several development tools that are declared in tools.go and managed via go.mod:

golangci-lint - Comprehensive Go linter
go-critic - Go source code checker
goimports - Tool to update Go import lines
gocyclo - Cyclomatic complexity analyzer
revive - Fast, configurable, extensible Go linter

Installing Development Tools

```bash

Install all development tools

make install-tools

Or install individually

go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest go install github.com/go-critic/go-critic/cmd/gocritic@latest go install golang.org/x/tools/cmd/goimports@latest go install github.com/fzipp/gocyclo/cmd/gocyclo@latest go install github.com/mgechev/revive@latest ```

Development Workflow

```bash

Format code

make fmt

Run linters

make lint

Run tests

make test

Run all checks

make check

Build binary

make build ```

Pre-commit Hooks

The project uses pre-commit hooks to ensure code quality. Install them with:

```bash pip install pre-commit pre-commit install

Run hooks manually

pre-commit run --all-files

Or use make

make pre-commit ```

Contributing

Contributions are welcome! Please ensure all changes:

Include appropriate tests
Pass all linting checks (make lint)
Follow Go best practices
Include documentation updates if needed

The pre-commit hooks will automatically run formatting, linting, and tests before each commit.

Project Structure

azkeyget/ ├── cmd/azkeyget/ # Main application ├── .github/workflows/ # CI/CD workflows ├── Makefile # Development tasks ├── README.md # This file └── LICENSE # MIT License

License

This project is licensed under the MIT License - see the LICENSE file for details.

Owner

Name: Adam Talbot
Login: adamrtalbot
Kind: user
Location: Warwick, UK
Company: @seqeralabs

Twitter: adamrtalbot
Repositories: 48
Profile: https://github.com/adamrtalbot

Bioinformatics Engineer at @seqeralabs

GitHub Events

Total

Create event: 10
Issues event: 1
Release event: 3
Delete event: 5
Push event: 17
Pull request event: 18

Last Year

Create event: 10
Issues event: 1
Release event: 3
Delete event: 5
Push event: 17
Pull request event: 18

Issues and Pull Requests

Last synced: 10 months ago

All Time

Total issues: 1
Total pull requests: 9
Average time to close issues: N/A
Average time to close pull requests: 1 day
Total issue authors: 1
Total pull request authors: 3
Average comments per issue: 0.0
Average comments per pull request: 0.0
Merged pull requests: 7
Bot issues: 1
Bot pull requests: 8

Past Year

Issues: 1
Pull requests: 9
Average time to close issues: N/A
Average time to close pull requests: 1 day
Issue authors: 1
Pull request authors: 3
Average comments per issue: 0.0
Average comments per pull request: 0.0
Merged pull requests: 7
Bot issues: 1
Bot pull requests: 8

View more stats

Top Authors

Issue Authors

renovate[bot] (1)

Pull Request Authors

dependabot[bot] (6)
renovate[bot] (2)
adamrtalbot (1)

Top Labels

Issue Labels

Pull Request Labels

dependencies (6) go (3) github_actions (3) security (1)

Dependencies

.github/workflows/ci.yml actions

actions/cache v4 composite
actions/checkout v4 composite
actions/setup-go v5 composite
actions/upload-artifact v4 composite
codecov/codecov-action v3 composite
golangci/golangci-lint-action v4 composite

.github/workflows/release.yml actions

actions/checkout v4 composite
actions/setup-go v5 composite
goreleaser/goreleaser-action v5 composite

go.mod go

4d63.com/gocheckcompilerdirectives v1.3.0
4d63.com/gochecknoglobals v0.2.2
codeberg.org/chavacava/garif v0.2.0
github.com/4meepo/tagalign v1.4.2
github.com/Abirdcfly/dupword v0.1.3
github.com/Antonboom/errname v1.0.0
github.com/Antonboom/nilnil v1.0.1
github.com/Antonboom/testifylint v1.5.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.11.0
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2
github.com/BurntSushi/toml v1.5.0
github.com/Crocmagnon/fatcontext v0.7.1
github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24
github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1
github.com/Masterminds/semver/v3 v3.3.0
github.com/OpenPeeDeeP/depguard/v2 v2.2.1
github.com/alecthomas/go-check-sumtype v0.3.1
github.com/alexkohler/nakedret/v2 v2.0.5
github.com/alexkohler/prealloc v1.0.0
github.com/alingse/asasalint v0.0.11
github.com/alingse/nilnesserr v0.1.2
github.com/ashanbrown/forbidigo v1.6.0
github.com/ashanbrown/makezero v1.2.0
github.com/beorn7/perks v1.0.1
github.com/bkielbasa/cyclop v1.2.3
github.com/blizzy78/varnamelen v0.8.0
github.com/bombsimon/wsl/v4 v4.5.0
github.com/breml/bidichk v0.3.2
github.com/breml/errchkjson v0.4.0
github.com/butuzov/ireturn v0.3.1
github.com/butuzov/mirror v1.3.0
github.com/catenacyber/perfsprint v0.8.2
github.com/ccojocar/zxcvbn-go v1.0.2
github.com/cespare/xxhash/v2 v2.3.0
github.com/charithe/durationcheck v0.0.10
github.com/ckaznocha/intrange v0.3.0
github.com/cristalhq/acmd v0.12.0
github.com/curioswitch/go-reassign v0.3.0
github.com/daixiang0/gci v0.13.5
github.com/davecgh/go-spew v1.1.1
github.com/denis-tingaikin/go-header v0.5.0
github.com/ettle/strcase v0.2.0
github.com/fatih/color v1.18.0
github.com/fatih/structtag v1.2.0
github.com/firefart/nonamedreturns v1.0.5
github.com/fsnotify/fsnotify v1.5.4
github.com/fzipp/gocyclo v0.6.0
github.com/ghostiam/protogetter v0.3.9
github.com/go-critic/go-critic v0.13.0
github.com/go-toolsmith/astcast v1.1.0
github.com/go-toolsmith/astcopy v1.1.0
github.com/go-toolsmith/astequal v1.2.0
github.com/go-toolsmith/astfmt v1.1.0
github.com/go-toolsmith/astp v1.1.0
github.com/go-toolsmith/pkgload v1.2.2
github.com/go-toolsmith/strparse v1.1.0
github.com/go-toolsmith/typep v1.1.0
github.com/go-viper/mapstructure/v2 v2.2.1
github.com/go-xmlfmt/xmlfmt v1.1.3
github.com/gobwas/glob v0.2.3
github.com/gofrs/flock v0.12.1
github.com/golang-jwt/jwt/v5 v5.3.0
github.com/golang/protobuf v1.5.3
github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32
github.com/golangci/go-printf-func-name v0.1.0
github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d
github.com/golangci/golangci-lint v1.64.8
github.com/golangci/misspell v0.6.0
github.com/golangci/plugin-module-register v0.1.1
github.com/golangci/revgrep v0.8.0
github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed
github.com/google/go-cmp v0.7.0
github.com/google/uuid v1.6.0
github.com/gordonklaus/ineffassign v0.1.0
github.com/gostaticanalysis/analysisutil v0.7.1
github.com/gostaticanalysis/comment v1.5.0
github.com/gostaticanalysis/forcetypeassert v0.2.0
github.com/gostaticanalysis/nilerr v0.1.1
github.com/hashicorp/go-immutable-radix/v2 v2.1.0
github.com/hashicorp/go-version v1.7.0
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/hashicorp/hcl v1.0.0
github.com/hexops/gotextdiff v1.0.3
github.com/inconshreveable/mousetrap v1.1.0
github.com/jgautheron/goconst v1.7.1
github.com/jingyugao/rowserrcheck v1.1.1
github.com/jjti/go-spancheck v0.6.4
github.com/julz/importas v0.2.0
github.com/karamaru-alpha/copyloopvar v1.2.1
github.com/kisielk/errcheck v1.9.0
github.com/kkHAIKE/contextcheck v1.1.6
github.com/kulti/thelper v0.6.3
github.com/kunwardeep/paralleltest v1.0.10
github.com/kylelemons/godebug v1.1.0
github.com/lasiar/canonicalheader v1.1.2
github.com/ldez/exptostd v0.4.2
github.com/ldez/gomoddirectives v0.6.1
github.com/ldez/grignotin v0.9.0
github.com/ldez/tagliatelle v0.7.1
github.com/ldez/usetesting v0.4.2
github.com/leonklingele/grouper v1.1.2
github.com/macabu/inamedparam v0.1.3
github.com/magiconair/properties v1.8.6
github.com/maratori/testableexamples v1.0.0
github.com/maratori/testpackage v1.1.1
github.com/matoous/godox v1.1.0
github.com/mattn/go-colorable v0.1.14
github.com/mattn/go-isatty v0.0.20
github.com/matttproud/golang_protobuf_extensions v1.0.1
github.com/mgechev/dots v1.0.0
github.com/mgechev/revive v1.11.0
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/mapstructure v1.5.0
github.com/moricho/tparallel v0.3.2
github.com/nakabonne/nestif v0.3.1
github.com/nishanths/exhaustive v0.12.0
github.com/nishanths/predeclared v0.2.2
github.com/nunnatsa/ginkgolinter v0.19.1
github.com/pelletier/go-toml v1.9.5
github.com/pelletier/go-toml/v2 v2.2.3
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
github.com/pmezard/go-difflib v1.0.0
github.com/polyfloyd/go-errorlint v1.7.1
github.com/prometheus/client_golang v1.12.1
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.32.1
github.com/prometheus/procfs v0.7.3
github.com/quasilyte/go-ruleguard v0.4.4
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/quasilyte/gogrep v0.5.0
github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727
github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567
github.com/raeperd/recvcheck v0.2.0
github.com/rogpeppe/go-internal v1.14.1
github.com/ryancurrah/gomodguard v1.3.5
github.com/ryanrolds/sqlclosecheck v0.5.1
github.com/sanposhiho/wastedassign/v2 v2.1.0
github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
github.com/sashamelentyev/interfacebloat v1.1.0
github.com/sashamelentyev/usestdlibvars v1.28.0
github.com/securego/gosec/v2 v2.22.2
github.com/sirupsen/logrus v1.9.3
github.com/sivchari/containedctx v1.0.3
github.com/sivchari/tenv v1.12.1
github.com/sonatard/noctx v0.1.0
github.com/sourcegraph/go-diff v0.7.0
github.com/spf13/afero v1.14.0
github.com/spf13/cast v1.5.0
github.com/spf13/cobra v1.9.1
github.com/spf13/jwalterweatherman v1.1.0
github.com/spf13/pflag v1.0.6
github.com/spf13/viper v1.12.0
github.com/ssgreg/nlreturn/v2 v2.2.1
github.com/stbenjam/no-sprintf-host-port v0.2.0
github.com/stretchr/objx v0.5.2
github.com/stretchr/testify v1.10.0
github.com/subosito/gotenv v1.4.1
github.com/tdakkota/asciicheck v0.4.1
github.com/tetafro/godot v1.5.0
github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3
github.com/timonwong/loggercheck v0.10.1
github.com/tomarrell/wrapcheck/v2 v2.10.0
github.com/tommy-muehle/go-mnd/v2 v2.5.1
github.com/ultraware/funlen v0.2.0
github.com/ultraware/whitespace v0.2.0
github.com/uudashr/gocognit v1.2.0
github.com/uudashr/iface v1.3.1
github.com/xen0n/gosmopolitan v1.2.2
github.com/yagipy/maintidx v1.0.0
github.com/yeya24/promlinter v0.3.0
github.com/ykadowak/zerologlint v0.1.5
gitlab.com/bosi/decorder v0.4.2
go-simpler.org/musttag v0.13.0
go-simpler.org/sloglint v0.9.0
go.uber.org/atomic v1.7.0
go.uber.org/automaxprocs v1.6.0
go.uber.org/multierr v1.6.0
go.uber.org/zap v1.24.0
golang.org/x/crypto v0.40.0
golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac
golang.org/x/mod v0.26.0
golang.org/x/net v0.42.0
golang.org/x/sync v0.16.0
golang.org/x/sys v0.34.0
golang.org/x/text v0.27.0
golang.org/x/tools v0.35.0
golang.org/x/tools/go/expect v0.1.1-deprecated
golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated
google.golang.org/protobuf v1.36.5
gopkg.in/ini.v1 v1.67.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
honnef.co/go/tools v0.6.1
mvdan.cc/gofumpt v0.7.0
mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f

go.sum go

772 dependencies