Skip to content

[KeyVault] az keyvault secret copy: Add command to copy secrets between vaults#32751

Open
jcassanji-southworks wants to merge 38 commits intoAzure:devfrom
jcassanji-southworks:jcassanji-southworks/feature-keyvault-copy
Open

[KeyVault] az keyvault secret copy: Add command to copy secrets between vaults#32751
jcassanji-southworks wants to merge 38 commits intoAzure:devfrom
jcassanji-southworks:jcassanji-southworks/feature-keyvault-copy

Conversation

@jcassanji-southworks
Copy link
Contributor

@jcassanji-southworks jcassanji-southworks commented Feb 5, 2026

Related command
az keyvault secret copy

Description
This PR introduces a new command az keyvault secret copy to simplify the process of copying secrets from one Key Vault to another. It supports copying individual secrets or all secrets in bulk, with options to control overwrite behavior and preserve metadata.

Motivation and Benefits
Currently, users needing to migrate or replicate secrets between Key Vaults (e.g., promoting from Dev to Prod, or replicating for DR) must write complex scripts. This new command standardizes this workflow into a single CLI operation.

  • Productivity: Reduces multi-step scripting to a single command.
  • Accuracy: Ensures all metadata (tags, content-type) is preserved.
  • Safety: Built-in protection against accidental overwrites and automatic filtering of Azure-managed secrets.

Implementation Details

  • Registered copy command under keyvault secret group.
  • Implemented core logic using azure-keyvault-secrets track2 SDK.
  • Added comprehensive unit tests covering single copy, bulk copy, overwrite protection, and metadata preservation.

Testing Guide

  1. Copy a single secret:

    az keyvault secret copy --source-vault <SourceKV> --destination-vault <DestKV> --name <SecretName>

  2. Copy all secrets:

    az keyvault secret copy --source-vault <SourceKV> --destination-vault <DestKV> --all

  3. Force copy (overwrite existing):

    az keyvault secret copy --source-vault <SourceKV> --destination-vault <DestKV> --name <SecretName> --overwrite

History Notes
[KeyVault] az keyvault secret copy: Add new command to copy secrets between Key Vaults

This checklist is used to make sure that common guidelines for a pull request are followed.

jcassanji-southworks and others added 24 commits February 4, 2026 19:24
@jcassanji-southworks
feat: Add keyvault copy command
1ce27f1
@jcassanji-southworks
keyvault secret copy command improvements
2e41392
@jcassanji-southworks
Move test case to file
ec4d378
@jcassanji-southworks
Apply PR feedbacks
fe468ec
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/…
ad02119 
…test_keyvault_commands.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/custom.py
0b8e4cc 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/custom.py
e90b9bd 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/…
e9722b8 
…test_keyvault_commands.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/_params.py
90c664f 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Apply PR feedback
a140d6c
@jcassanji-southworks
Merge branch 'jcassanji-southworks/feature-keyvault-copy' of https://…
c44cf06 
…github.com/jcassanji-southworks/azure-cli into jcassanji-southworks/feature-keyvault-copy
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/_params.py
de2f265 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/custom.py
4fc1c56 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/custom.py
429bfcc 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Update src/azure-cli/azure/cli/command_modules/keyvault/custom.py
9b3b669 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jcassanji-southworks
Enhance keyvault secret copy command: update overwrite flag to store_…
69e3d2c 
…true and add test for default behavior
@jcassanji-southworks
Merge branch 'jcassanji-southworks/feature-keyvault-copy' of https://…
f241f0a 
…github.com/jcassanji-southworks/azure-cli into jcassanji-southworks/feature-keyvault-copy
@jcassanji-southworks
Fix copy_secret function: remove http_logging_policy from client kwar…
8b11ea1 
…gs and update dummy secret validation call
@jcassanji-southworks
Implement secret copying functionality: add _copy_single_secret funct…
3376e7d 
…ion and refactor copy_secret to utilize it
@jcassanji-southworks
Add unit tests for keyvault secret copying functionality
56bf92a
@jcassanji-southworks
Merge remote-tracking branch 'upstream/dev' into jcassanji-southworks…
41ad995 
…/feature-keyvault-copy
@jcassanji-southworks
Update KeyVault preparation to disable RBAC authorization for copy tests
e3e8f0e
@jcassanji-southworks
Add User-Agent filter to prevent recording mismatch in KeyVault copy …
398c73a 
…tests
@jcassanji-southworks
Fix unused import in keyvault custom.py
2a79899
Copilot AI review requested due to automatic review settings February 5, 2026 22:05
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Feb 5, 2026
edited
Loading

❌AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
❌keyvault
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_keyvault_secret_copy_all self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f764e170110>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f764fb71ca0>
command = 'group create --location eastus2 --name cli_test_kv_secret_copy5qgywe6wyyclkyjfqykjl4yavlqg65n455rnrffmi6ytnoqhcl5x --tag product=azurecli cause=automation test date=2026-03-06T01:18:59Z test=test_keyvault_secret_copy_all module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f764d681070>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2834
Failed test_keyvault_secret_copy_default_behavior self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f764e170110>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f764fb790d0>
command = 'group create --location eastus2 --name cli_test_kv_secret_copy6zkhl3z5mhbx77fss45jk2ingnhgnyrkp6nkkxrhcyvsn4ub7u4u --...urecli cause=automation test date=2026-03-06T01:18:59Z test=test_keyvault_secret_copy_default_behavior module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f764d997770>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2970
Failed test_keyvault_secret_copy_error_cases self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f764e170110>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f764fb73c50>
command = 'group create --location eastus2 --name cli_test_kv_secret_copyzzxkt6drylt6jcyotk3tpr655u3fllxx4w6knp5jkg7awh7m7byy --...ct=azurecli cause=automation test date=2026-03-06T01:19:00Z test=test_keyvault_secret_copy_error_cases module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f764d82eea0>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2922
Failed test_keyvault_secret_copy_overwrite_behavior self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f764e170110>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f764fb6b200>
command = 'group create --location eastus2 --name cli_test_kv_secret_copylj7qitznuvz72tkldfqpn4gfqj6cbxby3n2jycyu5n7h4ngjlhzs --...ecli cause=automation test date=2026-03-06T01:19:01Z test=test_keyvault_secret_copy_overwrite_behavior module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f764d763470>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2877
Failed test_keyvault_secret_copy_single The error message is too long, please check the pipeline log for details. azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2788
❌3.13
Type Test Case Error Message Line
Failed test_keyvault_secret_copy_all self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f761a970ec0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f76201a0a50>
command = 'group create --location eastus2 --name cli_test_kv_secret_copyasinkp5mcpiwjsdzpys7qiumjsxgdsg6auw7pgdjdh6v2uo4alsr --tag product=azurecli cause=automation test date=2026-03-06T01:18:20Z test=test_keyvault_secret_copy_all module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f7622997380>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2834
Failed test_keyvault_secret_copy_default_behavior self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f761a970ec0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f76201a2850>
command = 'group create --location eastus2 --name cli_test_kv_secret_copywsu3umhisou7tbzrgzm7o44uvhfhdpr37c3hgx7y5qyjebxmeqrl --...urecli cause=automation test date=2026-03-06T01:18:21Z test=test_keyvault_secret_copy_default_behavior module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f7622997380>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2970
Failed test_keyvault_secret_copy_error_cases self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f761a970ec0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f76201a0550>
command = 'group create --location eastus2 --name cli_test_kv_secret_copyn6fcnidgf226dpe7sryydu25h2fx3sqzwecqdczs2svjd4rjpkcy --...ct=azurecli cause=automation test date=2026-03-06T01:18:21Z test=test_keyvault_secret_copy_error_cases module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f7622997380>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2922
Failed test_keyvault_secret_copy_overwrite_behavior self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f761a970ec0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f76201a16d0>
command = 'group create --location eastus2 --name cli_test_kv_secret_copyh2yyv6iteg76fhajdc5b6lokgjhhvlwd5vug3l5it55x66cuvsza --...ecli cause=automation test date=2026-03-06T01:18:22Z test=test_keyvault_secret_copy_overwrite_behavior module=keyvault'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper
    fn(test_class_instance, **kwargs)
src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper
    parameter_update = self.create_resource(
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource
    self.live_only_execute(self.cli_ctx, template.format(self.location, name))
src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute
    return self.raw_execute(cli_ctx, command, expect_failure)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:682: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:781: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:336: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/custom.py:1641: in create_resource_group
    rcf = resource_client_factory(cmd.cli_ctx)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory
    return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client
    client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id,
src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client
    credential, subscription_id,  = profile.get_login_credentials(
src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials
    account = self.get_subscription(subscription_id)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                        

self = <azure.cli.core._profile.Profile object at 0x7f7622997380>
subscription = None

    def get_subscription(self, subscription=None):  # take id or name
        subscriptions = self.load_cached_subscriptions()
        if not subscriptions:
>           raise CLIError(_AZ_LOGIN_MESSAGE)
E           knack.util.CLIError: Please run 'az login' to setup account.

src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError		 azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2877
Failed test_keyvault_secret_copy_single The error message is too long, please check the pipeline log for details. azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2788
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot labels Feb 5, 2026
@microsoft-github-policy-service microsoft-github-policy-service bot added the Reservations az reservations label Feb 5, 2026
Copilot AI reviewed Feb 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a new az keyvault secret copy command that enables users to copy secrets between Azure Key Vaults. The command supports copying individual secrets or bulk copying all secrets, with built-in protection against accidental overwrites and automatic filtering of Azure-managed secrets.

Changes:

  • Added copy_secret command function with helper _copy_single_secret to handle the copy logic
  • Registered the new copy command in the keyvault secret command group
  • Added comprehensive parameter definitions for source vault, destination vault, secret selection, and overwrite behavior
  • Implemented unit tests covering various scenarios (single copy, bulk copy, overwrite protection)
  • Implemented integration tests validating end-to-end functionality
  • Added help documentation with usage examples

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
src/azure-cli/azure/cli/command_modules/keyvault/custom.py Core implementation of copy_secret and _copy_single_secret functions with error handling and logging
src/azure-cli/azure/cli/command_modules/keyvault/commands.py Command registration for the new copy command
src/azure-cli/azure/cli/command_modules/keyvault/_params.py Parameter definitions for source-vault, destination-vault, name, all, and overwrite options
src/azure-cli/azure/cli/command_modules/keyvault/_help.py Help text and usage examples for the copy command
src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_unit.py Unit tests for copy functionality covering various scenarios
src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py Integration tests validating end-to-end command behavior

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@yonzhan yonzhan assigned notyashhh and unassigned evelyn-ys and kairu-ms Feb 5, 2026
@yonzhan yonzhan removed the Reservations az reservations label Feb 5, 2026
@jcassanji-southworks jcassanji-southworks changed the title [KeyVault] az keyvault secret copy: Add command to copy secrets between vaults [KeyVault] az keyvault secret copy: Add command to copy secrets between vaults Feb 17, 2026
jcassanji-southworks and others added 11 commits February 17, 2026 19:47
@jcassanji-southworks
Handle 404 error in copy_secret function to improve error handling fo…
d7bf947 
…r missing secrets
@jcassanji-southworks
Reuse existing credentials in copy_secret function to optimize authen…
97df9a5 
…tication process
@jcassanji-southworks
Enhance credential retrieval in copy_secret function to support addit…
2f44235 
…ional client configurations
@jcassanji-southworks
Add unit tests for copy_secret function and remove obsolete test file
31a1c75
@jcassanji-southworks
Refactor KeyVaultCopyScenarioTest to improve test reliability and add…
6ebb73e 
… location parameter for destination Key Vault creation
@jcassanji-southworks
Add mock profile to test_keyvault_secret_copy test
9b8bddb
@jcassanji-southworks
Simplify credential handling in custom.py
c7aefd1 
Refactor credential retrieval logic in Key Vault client.
@jcassanji-southworks
Refactor test setup for KeyVault secret copy test
94b3947
@jcassanji-southworks
Refactor KeyVault secret copy tests for clarity
8d06e9c 
Refactor KeyVault copy tests to improve structure and clarity, including renaming test classes and methods for better readability. Enhance test coverage for secret copy functionality, including overwrite behavior and error cases.
@jcassanji-southworks
Refactor keyvault command tests for better mocking
95f26f3
@jcassanji-southworks
Update custom.py
18a6c23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@notyashhh notyashhh Awaiting requested review from notyashhh notyashhh is a code owner

@jiasli jiasli Awaiting requested review from jiasli jiasli is a code owner

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

@evelyn-ys evelyn-ys Awaiting requested review from evelyn-ys

@yonzhan yonzhan Awaiting requested review from yonzhan

@kairu-ms kairu-ms Awaiting requested review from kairu-ms

At least 1 approving review is required to merge this pull request.

Assignees

@notyashhh notyashhh

Labels

Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault az keyvault

Projects

None yet

Milestone

April 2026 (2026-04-07)

Development

Successfully merging this pull request may close these issues.

6 participants

@jcassanji-southworks @yonzhan @evelyn-ys @notyashhh @kairu-ms