Azure · jongio · Mar 31, 2026 · Mar 8, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -85,6 +85,8 @@ words:
   - yarnpkg
   - azconfig
   - hostnames
+  - managedhsm
+  - microsoftazure
   - seekable
   - seekability
   - APFS
@@ -108,7 +110,10 @@ words:
   - preconfigured
   - Println
   - sctx
+  - secretname
+  - secretversion
   - TTLs
+  - vaultname
 languageSettings:
   - languageId: go
     ignoreRegExpList:

@@ -19,6 +19,7 @@ import (
 	"github.com/azure/azure-dev/cli/azd/pkg/exec"
 	"github.com/azure/azure-dev/cli/azd/pkg/extensions"
 	"github.com/azure/azure-dev/cli/azd/pkg/input"
+	kv "github.com/azure/azure-dev/cli/azd/pkg/keyvault"
 	"github.com/azure/azure-dev/cli/azd/pkg/lazy"
 	"github.com/azure/azure-dev/cli/azd/pkg/output/ux"
 	pkgux "github.com/azure/azure-dev/cli/azd/pkg/ux"
@@ -119,6 +120,7 @@ type extensionAction struct {
 	extensionManager *extensions.Manager
 	azdServer        *grpcserver.Server
 	globalOptions    *internal.GlobalCommandOptions
+	kvService        kv.KeyVaultService
 	cmd              *cobra.Command
 	args             []string
 }
@@ -132,6 +134,7 @@ func newExtensionAction(
 	cmd *cobra.Command,
 	azdServer *grpcserver.Server,
 	globalOptions *internal.GlobalCommandOptions,
+	kvService kv.KeyVaultService,
 	args []string,
 ) actions.Action {
 	return &extensionAction{
@@ -141,6 +144,7 @@ func newExtensionAction(
 		extensionManager: extensionManager,
 		azdServer:        azdServer,
 		globalOptions:    globalOptions,
+		kvService:        kvService,
 		cmd:              cmd,
 		args:             args,
 	}
@@ -216,7 +220,18 @@ func (a *extensionAction) Run(ctx context.Context) (*actions.ActionResult, error
 
 	env, err := a.lazyEnv.GetValue()
 	if err == nil && env != nil {
-		allEnv = append(allEnv, env.Environ()...)
+		// Resolve Key Vault secret references only in azd-managed environment
+		// variables (akvs:// and @Microsoft.KeyVault formats). System env vars
+		// from os.Environ() are NOT processed — only the azd environment's
+		// variables may contain KV references.
+		azdEnvVars := env.Environ()
+		subId := env.Getenv("AZURE_SUBSCRIPTION_ID")
+		azdEnvVars, kvErr := kv.ResolveSecretEnvironment(ctx, a.kvService, azdEnvVars, subId)
+		if kvErr != nil {
+			log.Printf("warning: %v", kvErr)
+		}
+
+		allEnv = append(allEnv, azdEnvVars...)
 	}
 
 	serverInfo, err := a.azdServer.Start()