az-loadenv is a command-line tool designed to streamline the process of exporting application settings from an Azure App Service web app into a .env file for local development. It automatically resolves any references to secrets stored in Azure Key Vault, ensuring that developers can work with real values without compromising security.
Key Features:
Automatic Key Vault Resolution: Detects and resolves @Microsoft.KeyVault references to their actual secret values.
Concurrent Secret Fetching: Resolves up to 10 Key Vault secrets simultaneously for faster execution.
Atomic Writes: Ensures the output file is written in full or not at all, preventing partial data.
Secure Permissions: Creates the .env file with restricted permissions (0600) for enhanced security.
Smart Quoting and Escaping: Automatically formats values containing spaces, quotes, or special characters.
Deterministic Output: Sorts settings alphabetically to maintain consistent diffs.
Audience & Benefit:
Ideal for developers and DevOps engineers working with Azure App Services who need to set up local development environments quickly. By automating the export of application settings, az-loadenv reduces manual effort and minimizes errors associated with handling sensitive data or complex configurations. It also supports secure authentication methods, ensuring seamless integration into CI/CD pipelines.
The tool can be installed via winget for easy setup on Windows systems.
README
az-loadenv
Export Azure Web App settings to a .env file with automatic Key Vault secret resolution.
az-loadenv fetches application settings from an Azure App Service web app, resolves any @Microsoft.KeyVault(SecretUri=...) references to their actual secret values, and writes everything to a .env file ready for local development.
Features
Key Vault resolution — automatically detects and resolves Key Vault references to plaintext values
Concurrent secret fetching — resolves up to 10 Key Vault secrets in parallel
Atomic writes — output is written to a temp file then renamed, so the .env file is never left in a partial state
Secure defaults — output file is created with 0600 permissions (owner read/write only)
Smart quoting — values with spaces, quotes, newlines, or shell metacharacters are automatically double-quoted and escaped
Deterministic output — settings are sorted alphabetically by key for clean diffs
Auto subscription detection — picks up the active subscription from AZURE_SUBSCRIPTION_ID or ~/.azure/azureProfile.json
Cross-platform — pre-built binaries for Linux, macOS, and Windows
Quick install
Homebrew (macOS / Linux):
brew tap curiousdev/tap
brew install az-loadenv-cli
# Example: macOS Apple Silicon
curl -L https://github.com/curiousdev/az-loadenv/releases/latest/download/az-loadenv-darwin-arm64.tar.gz | tar xz
sudo mv az-loadenv /usr/local/bin/
Build from source
Requires Go 1.25+:
go install github.com/curiousdev/az-loadenv@latest
Usage
az-loadenv --app <app-name> --rg <resource-group> [flags]
Flags

Flag        Description                                 Default
--app       Azure Web App name                          (required)
--rg        Resource group name                         (required)
-o          Output file path                            .env
--raw       Write values without quoting or escaping    false
--version   Print version and exit
Examples
# Write settings to .env (default)
az-loadenv --app my-api --rg my-resource-group
# Write settings to a custom file
az-loadenv --app my-api --rg my-resource-group -o .env.local
# Use with a specific subscription
AZURE_SUBSCRIPTION_ID=xxx az-loadenv --app my-api --rg my-resource-group
# Use with a service principal (CI/CD)
export AZURE_TENANT_ID=xxx AZURE_CLIENT_ID=xxx AZURE_CLIENT_SECRET=xxx
az-loadenv --app my-api --rg my-resource-group
Output format
Settings are written as KEY=VALUE, one per line, sorted alphabetically by key.
The authenticating identity must have Get permission on secrets in the referenced vault(s). Both versioned and unversioned secret URIs are supported, and secrets can span multiple vaults.
If a secret fails to resolve, az-loadenv logs the error to stderr and writes the original Key Vault reference to the output file so other settings are not blocked.
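As an added example (not code from the az-loadenv project), the Go program below shows one way to implement the behaviour described above: ParseKeyVaultRef accepts versioned and unversioned SecretUri references from any vault, and ResolveSettings fetches through a 10-slot semaphore, keeps the original reference when a fetch fails and logs only the setting name. The SecretGetter interface and the fakeVault type with its constructed secrets are assumptions that stand in for the Azure SDK client.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net/url"
	"strings"
	"sync"
	"time"
)

// KeyVaultRef is a parsed @Microsoft.KeyVault(SecretUri=...) app setting reference.
type KeyVaultRef struct {
	VaultHost string // e.g. myvault.vault.azure.net; references may span vaults
	Name      string
	Version   string // empty for an unversioned URI (latest version)
}
const refPrefix = "@Microsoft.KeyVault(SecretUri="
const maxConcurrent = 10 // README: up to 10 secrets resolved in parallel

// ParseKeyVaultRef returns (ref, true) when value wraps https://<vault>/secrets/<name>[/<version>].
func ParseKeyVaultRef(value string) (KeyVaultRef, bool) {
	if !strings.HasPrefix(value, refPrefix) || !strings.HasSuffix(value, ")") {
		return KeyVaultRef{}, false
	}
	u, err := url.Parse(strings.TrimSpace(value[len(refPrefix) : len(value)-1]))
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return KeyVaultRef{}, false
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 || len(segs) > 3 || segs[0] != "secrets" || segs[1] == "" {
		return KeyVaultRef{}, false
	}
	ref := KeyVaultRef{VaultHost: u.Host, Name: segs[1]}
	if len(segs) == 3 {
		ref.Version = segs[2]
	}
	return ref, true
}
type SecretGetter interface { // assumption: stands in for the Azure SDK secrets client
	GetSecret(ctx context.Context, ref KeyVaultRef) (string, error)
}

// ResolveSettings replaces Key Vault references with secret values, fetching at most
// maxConcurrent at a time. A failed reference is kept unchanged and only its NAME is logged.
func ResolveSettings(ctx context.Context, settings map[string]string, g SecretGetter) (map[string]string, int) {
	out := make(map[string]string, len(settings))
	var mu sync.Mutex
	var wg sync.WaitGroup
	sem := make(chan struct{}, maxConcurrent)
	failed := 0
	for key, value := range settings {
		ref, ok := ParseKeyVaultRef(value)
		if !ok {
			mu.Lock()
			out[key] = value // plain setting, copied through unchanged
			mu.Unlock()
			continue
		}
		wg.Add(1)
		go func(key string, ref KeyVaultRef, original string) {
			defer wg.Done()
			sem <- struct{}{}        // acquire one of maxConcurrent slots
			defer func() { <-sem }() // release it when done
			secret, err := g.GetSecret(ctx, ref)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				log.Printf("warning: could not resolve Key Vault reference for %s: %v", key, err)
				out[key], failed = original, failed+1
				return
			}
			out[key] = secret
		}(key, ref, value)
	}
	wg.Wait()
	return out, failed
}

// fakeVault is a constructed stand-in for the Azure SDK client; it records the peak
// number of in-flight requests so the concurrency limit can be observed.
type fakeVault struct {
	secrets        map[string]string // key: host/name/version ("" version = latest)
	mu             sync.Mutex
	inFlight, peak int
}
func (f *fakeVault) GetSecret(_ context.Context, ref KeyVaultRef) (string, error) {
	f.mu.Lock()
	f.inFlight++
	if f.inFlight > f.peak {
		f.peak = f.inFlight
	}
	f.mu.Unlock()
	time.Sleep(5 * time.Millisecond) // simulated network latency
	defer func() { f.mu.Lock(); f.inFlight--; f.mu.Unlock() }()
	if v, ok := f.secrets[ref.VaultHost+"/"+ref.Name+"/"+ref.Version]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q not found in %s", ref.Name, ref.VaultHost)
}
```

The semaphore is a buffered channel: each goroutine blocks on the send until one of the ten slots frees up, which is the whole concurrency limit. The error path writes the original reference back rather than dropping the key, matching the README's "other settings are not blocked" behaviour, and the log line carries the setting name and the fetch error but never a secret value.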
Security considerations
The output .env file is created with 0600 permissions (owner read/write only)
Writes are atomic (temp file + rename) to prevent partial reads
Secret values are never printed to stderr — only setting names are logged
Add .env to your .gitignore to avoid committing secrets
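The following Go code is an added example, not the project's own implementation, of the three output properties the README promises: quoting and escaping of awkward values (with --raw as a bypass), alphabetical ordering, and an atomic write through a 0600 temp file followed by a rename. The function names, the exact escape set, and the sample settings in main are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// needsQuoting reports whether a value must be double-quoted to survive a
// dotenv parser or a shell "source .env" unchanged.
func needsQuoting(v string) bool {
	return strings.ContainsAny(v, " \t\r\n\"'\\#$`;&|<>()*?[]{}!~")
}

// FormatEnvValue renders the right-hand side of KEY=VALUE. With raw=true
// (the --raw flag) the value is emitted verbatim; otherwise values containing
// whitespace, quotes, newlines or shell metacharacters are double-quoted,
// with backslash, double quote, dollar, CR and LF escaped.
func FormatEnvValue(v string, raw bool) string {
	if raw || !needsQuoting(v) {
		return v
	}
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, `$`, `\$`, "\n", `\n`, "\r", `\r`)
	return `"` + r.Replace(v) + `"`
}

// RenderEnv produces the file body: one KEY=VALUE per line, keys sorted so
// repeated exports produce identical files and clean diffs.
func RenderEnv(settings map[string]string, raw bool) string {
	keys := make([]string, 0, len(settings))
	for k := range settings {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, FormatEnvValue(settings[k], raw))
	}
	return b.String()
}

// WriteEnvAtomic writes content through a 0600 temp file in the target
// directory and renames it over path, so a reader never sees a partial
// file and the secrets are never world-readable, not even briefly.
func WriteEnvAtomic(path, content string) (err error) {
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".*.tmp") // created with mode 0600
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer func() {
		if err != nil {
			os.Remove(tmpName) // never leave a half-written secret file behind
		}
	}()
	if _, err = tmp.WriteString(content); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	if err = os.Chmod(tmpName, 0o600); err != nil { // explicit, independent of umask
		return err
	}
	return os.Rename(tmpName, path) // atomically replaces any existing file
}

func main() {
	settings := map[string]string{ // constructed sample settings
		"DB_URL":   "postgres://app:p@ss word@localhost/app",
		"API_KEY":  "abc123",
		"GREETING": `say "hi" to $USER`,
	}
	if err := WriteEnvAtomic(".env.example", RenderEnv(settings, false)); err != nil {
		fmt.Fprintln(os.Stderr, "write failed:", err)
		os.Exit(1)
	}
	fmt.Println("wrote .env.example")
}
```

The temp file is created in the same directory as the target so the final rename stays on one filesystem, which is what makes it atomic; a temp file in /tmp would silently turn the rename into a copy. Escaping $ inside the double quotes keeps values such as connection strings from being expanded when the file is sourced by a shell.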
Building
# Development build
go build -o az-loadenv .
# Production build with version info
go build -trimpath -ldflags="-s -w -X main.version=1.0.0 -X main.build=1" -o az-loadenv .