| title | description | lastUpdated | tags | |||||
|---|---|---|---|---|---|---|---|---|
azd exec |
Execute any script with full access to your Azure Developer CLI environment variables and Azure credentials |
2026-01-09 |
|
Execute any script with full access to your Azure Developer CLI environment variables and Azure credentials.
Run any script with your full Azure contextβno manual environment setup.
azd exec ./deploy.shThat's it. Your script has access to all azd environment variables, Azure credentials, and configuration.
|
Automatically detects and runs bash, sh, zsh, PowerShell, pwsh, and cmd scripts based on file extension or shebang. Pass arguments to your scripts seamlessly with the Access all azd environment variables including subscription, tenant, location, and custom variables. |
Execute scripts from any directory with the Run scripts with interactive input support for prompts and user interaction. Automatically resolves Key Vault references in environment variables, securely fetching secrets at runtime. Comprehensive security scanning with CodeQL and gosec (0 vulnerabilities). 86%+ test coverage. |
IMPORTANT: azd exec executes scripts with full access to your Azure credentials and environment. Follow these security best practices:
β Safe Practices
- Only run scripts you trust and have reviewed
- Review script contents before execution (
cat ./script.sh) - Use inline scripts only for simple, trusted operations
- Use HTTPS for downloads, never HTTP
- Verify script sources from official Azure documentation or trusted repositories
β Dangerous Practices
- Never pipe untrusted scripts:
curl https://random-site.com/script.sh | azd exec - - Don't run scripts from unknown sources
- Avoid storing secrets in environment variables (use Azure Key Vault instead)
- Don't blindly copy/paste inline commands without understanding them
What Scripts Can Access:
- π Azure authentication context (subscription, tenant, credentials)
- π All environment variables (including secrets)
- π Full filesystem access
- π Network access
Inline vs File-based Scripts:
- File scripts: Can be reviewed before execution with
cator editor - Inline scripts: Execute immediatelyβensure you understand the command first
- Best practice: Use file scripts for complex operations, inline for simple queries
For detailed security information, see Security Documentation and Threat Model.
Windows
winget install microsoft.azdmacOS
brew tap azure/azd && brew install azdLinux
curl -fsSL https://aka.ms/install-azd.sh | bash# Enable azd extensions
azd config set alpha.extension.enabled on
# Add the extension registry
azd extension source add -n azd-exec -t url -l https://raw.githubusercontent.com/jongio/azd-exec/main/registry.json
# Install the extension
azd extension install jongio.azd.exec
# Verify installation
azd exec version# Review the script first
cat ./deploy.sh
# Then execute
azd exec ./deploy.sh# Execute a script file
azd exec ./my-script.sh
# Execute an inline command
azd exec 'echo "Hello, $AZURE_ENV_NAME"'For complete command reference, see CLI Reference.
azd exec --shell pwsh ./deploy.ps1
# Inline with specific shell
azd exec --shell pwsh 'Write-Host $env:AZURE_ENV_NAME'azd exec ./build.sh --verbose --config release
# azd exec flags go before the script; script args go after it
# example with cwd flag: azd exec --cwd /path/to/project ./build.sh --verboseazd exec --cwd /path/to/project ./scripts/setup.sh
# Inline with working directory
azd exec --cwd /tmp 'echo $(pwd)'azd exec --interactive ./interactive-setup.sh|
Bash Script File #!/bin/bash
# deploy.sh
echo "Environment: $AZURE_ENV_NAME"
echo "Subscription: $AZURE_SUBSCRIPTION_ID"
echo "Location: $AZURE_LOCATION"
azd deploy --allBash Inline azd exec 'echo "Deploying to $AZURE_ENV_NAME"'
azd exec 'for i in {1..3}; do echo "Step $i"; done' |
PowerShell Script File # setup.ps1
Write-Host "Environment: $env:AZURE_ENV_NAME"
Write-Host "Resource Group: $env:AZURE_RESOURCE_GROUP"
# Your setup logic herePowerShell Inline azd exec --shell pwsh 'Write-Host "Hello from $env:AZURE_ENV_NAME"'
azd exec --shell pwsh 'Get-ChildItem Env: | Where-Object Name -like "AZURE_*"' |
Run script files:
# First, review the script
cat ./deploy.sh
# Then execute
azd exec ./deploy.shScripts executed by azd exec have access to all azd environment variables:
| Variable | Description |
|---|---|
AZURE_ENV_NAME |
Current azd environment name |
AZURE_SUBSCRIPTION_ID |
Azure subscription ID |
AZURE_LOCATION |
Azure region/location |
AZURE_RESOURCE_GROUP |
Resource group name |
AZURE_TENANT_ID |
Azure tenant ID |
| Custom variables | All environment variables from your azd environment |
azd exec automatically resolves Azure Key Vault references in environment variables, allowing you to securely store and access secrets without hardcoding them.
Note: Key Vault resolution is provided by the azd-core library, a shared utility for Azure Developer CLI tools.
Format 1: SecretUri
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/my-secret)
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/my-secret/abc123)Format 2: VaultName and SecretName
@Microsoft.KeyVault(VaultName=myvault;SecretName=my-secret)
@Microsoft.KeyVault(VaultName=myvault;SecretName=my-secret;SecretVersion=abc123)Format 3: azd akvs URI
akvs://c3b3091e-400e-43a7-8ee5-e6e8cefdbebf/myvault/my-secret
akvs://c3b3091e-400e-43a7-8ee5-e6e8cefdbebf/myvault/my-secret/abc123Note: azd may export environment variables with quotes; azd exec trims whitespace and strips a single pair of wrapper quotes before detecting/parsing Key Vault references. The akvs:// format (Format 3) is used internally by azd and includes a subscription/tenant GUID, vault name, secret name, and optional version.
1. Store a secret in Azure Key Vault:
az keyvault secret set --vault-name myvault --name database-password --value "SuperSecret123!"2. Set environment variable with Key Vault reference:
azd env set-secret DATABASE_PASSWORD3. Use in your script:
#!/bin/bash
# deploy.sh
echo "Connecting to database..."
# DATABASE_PASSWORD is automatically resolved to the actual secret value
mysql -u admin -p"$DATABASE_PASSWORD" -h myserver.mysql.database.azure.com4. Run the script:
azd exec ./deploy.shazd execscans environment variables for Key Vault references- Uses Azure DefaultAzureCredential (same authentication as azd)
- Fetches secret values from Key Vault before running your script
- Passes resolved values to your script securely
- If resolution fails, warns but continues with original values
Key Vault resolution uses the same Azure credentials that azd uses:
- Azure CLI (
az login) - Managed Identity (when running on Azure)
- Environment variables (
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID) - Visual Studio / VS Code authentication
If Key Vault resolution fails (e.g., secret not found, no access, vault doesn't exist):
- A warning is displayed to stderr (secret values are never printed)
azd execcontinues resolving other Key Vault references- Successfully resolved secrets are substituted with their values
- Failed references remain unchanged (still
akvs://...or@Microsoft.KeyVault(...))
To fail-fast (abort on the first Key Vault resolution error), use:
azd exec --stop-on-keyvault-error ./script.sh- β No secrets in code: Store references, not actual secrets
- β Centralized management: Update secrets in Key Vault, not in code
- β Access control: Use Azure RBAC to control who can access secrets
- β Audit trail: Key Vault logs all secret access
- β Automatic rotation: Update secrets without changing code
- CLI Reference - Complete command and flag reference
- Security Review - Security analysis and best practices
- Threat Model - Security threat analysis
git clone https://github.com/jongio/azd-exec.git
cd azd-exec/cli
chmod +x build.sh
./build.shBinary created in cli/bin/exec.
- Go 1.25.5 or later
- golangci-lint
- Node.js 20+ (for cspell)
# Build
cd cli && ./build.sh
# Test - Run all tests (unit, integration, e2e)
pnpm test
# Test - Individual test suites
pnpm test:cli:unit # CLI unit tests only
pnpm test:cli:integration # CLI integration tests only
pnpm test:web # Web e2e tests only
# Lint
cd cli && golangci-lint run
# Spell check
npm install -g cspell
cspell "**/*.{go,md,yaml,yml}" --config cspell.json
# Security scan
go install github.com/securego/gosec/v2/cmd/gosec@latest
cd cli && gosec ./...For detailed testing information, see TESTING.md.
GitHub Actions workflows:
- CI: Linting, spell checking, tests (Linux/Windows/macOS), security scanning, coverage
- CodeQL: Security analysis on push to main and weekly
- Release: Automated releases with multi-platform binaries
Contributions welcome! See CONTRIBUTING.md for guidelines.
- Fork the repository
- Create feature branch:
git checkout -b feature/amazing-feature - Commit changes:
git commit -m 'Add amazing feature' - Push to branch:
git push origin feature/amazing-feature - Open a Pull Request
Ensure: tests pass, code linted, documentation updated, security scans pass.
MIT License - see LICENSE file for details.
Latest: View releases
Automated Release (Recommended)
- Go to Actions β Release workflow
- Click Run workflow
- Choose bump type: patch (bug fixes), minor (features), major (breaking changes)
- Click Run workflow
Workflow automatically: calculates version, updates files, builds binaries, creates release, updates registry.
Manual Release (Testing)
# Install tooling
azd extension install microsoft.azd.extensions
# Build & package
cd cli
export extension_id="jongio.azd.exec"
export extension_version="0.1.0"
azd x build --all
azd x pack
# Create release
azd x release --repo "jongio/azd-exec" --version "0.1.0" --draft
azd x publish --registry ../registry.json --version "0.1.0"- Azure Developer CLI - Core azd tool
- azd-app - Run Azure apps locally
Note: Legacy invocation azd script is supported as an alias to azd exec for backwards compatibility.
Built with β€οΈ for Azure developers