Run commands with environment variables resolved from Azure Key Vault

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for merlos from gravatar.com merlos

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: kvenv contributors
  • Tags azure , keyvault , env , environment , secrets
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

kvenv - Secure .env while vibe coding with Azure Key Vault

kvenv is a command-line tool to securely manage environment variables by fetching secrets from Azure Key Vault based on references in a .env file.

Avoid storing sensitive information in .env files by referencing secrets stored securely in Azure Key Vault. kvenv reads a .env file, fetches secrets from Key Vault as needed, and runs the specified command with those environment variables set.

This avoids secret leakage while vibe coding and prevents LLMs from seeing sensitive secrets in your local development environment while still using environment variables in your applications or scripts.

It is inspired in 1password's op run command for securely injecting secrets into environment variables.

Installation

pip install kvenv

Usage

Create a .env file referencing your Key Vault secrets:

# .env
# Explicitly specify vault
DATABASE_URL=kv://my-key-vault/DATABASE-URL
API_KEY=kv://my-key-vault/API-KEY
# Use default vault from KEYVAULT env var or with -v 
TOKEN_ID=kv://TOKEN-ID
DEBUG=true

Then prepend the kvenv command to your usual command:

# Uses .env and default vault from KEYVAULT environment variable
KEYVAULT=my-kv kvenv -- npm run dev

# You can specify a different .env file name or a default vault
kvenv -e .env.ref -v my-kv -- npm run dev

# --env-file or -e : specify .env file (default: .env)


# Python example 
kvenv -- python app.py

# Rails example
kvenv -- rails server

# Per-secret vault override inside file
# DATABASE_URL=kv://some-kv/DATABASE-URL

Supported .env File Format

  • Lines: KEY=VALUE
  • Comments: lines starting with # (optionally preceded by whitespace)
  • Blank lines allowed
  • Optional leading export supported
  • Quoted values supported: "..." or '...'
  • VALUE may contain =

Key Vault References

# Use default vault (via KEYVAULT env var or -v flag)
DATABASE_URL=kv://DATABASE-URL

# Specify vault explicitly
API_KEY=kv://my-other-vault/API-KEY

# Non kv:// values are passed through unchanged
DEBUG=true

Requirements

  • Azure CLI installed (az)
  • You are authenticated: az login
  • Access to Key Vault secrets (get permission)

Development

Clone the Repository

git clone https://github.com/merlos/kvenv.git
cd kvenv

Install in Development Mode

# Install package in editable mode with dev dependencies
pip install -e ".[dev]"

Run Tests

# Run all tests
pytest

# Run with verbose output
pytest -v

# Run with coverage
pytest --cov=kvenv --cov-report=term-missing

Testing the CLI

After installing in development mode, you can test the kvenv command directly:

# Create a test .env file
echo "FOO=bar" > test.env

# Run a command with the environment
kvenv -e test.env -- env | grep FOO

License

Distributed under MIT License Copyright (c) 2026 @merlos

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for merlos from gravatar.com merlos

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: kvenv contributors
  • Tags azure , keyvault , env , environment , secrets
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kvenv-0.1.0.tar.gz (11.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kvenv-0.1.0-py3-none-any.whl (9.8 kB view details)

Uploaded Python 3

File details

Details for the file kvenv-0.1.0.tar.gz.

File metadata

  • Download URL: kvenv-0.1.0.tar.gz
  • Upload date:
  • Size: 11.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for kvenv-0.1.0.tar.gz
Algorithm Hash digest
SHA256 ee13394c5675b0011d9dceb4681b934baf909deca481d96a8f588f8a83e681ea
MD5 c7b23e113261bc6d42e40fcee8c5b0f1
BLAKE2b-256 6df6bcd9393a3381f5b7f1ebd4c5cfd11f7d16c34e7760a81653e42178755f3e

See more details on using hashes here.

Provenance

The following attestation bundles were made for kvenv-0.1.0.tar.gz:

Publisher: publish.yml on merlos/kvenv

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file kvenv-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: kvenv-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 9.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for kvenv-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 96925deb74c010f87147d0a67dfc676f58dd0058406b07147e6508f342a8de86
MD5 1c1c2da6726c0e41c8b7721e767da5a7
BLAKE2b-256 6cce5384202046e50a5049e0cb22737274d46d1ab8a26c597333f37dcd10fc26

See more details on using hashes here.

Provenance

The following attestation bundles were made for kvenv-0.1.0-py3-none-any.whl:

Publisher: publish.yml on merlos/kvenv

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page