[KeyVault] az keyvault secret copy: Add command to copy secrets between vaults

[jcassanji-southworks]

Related command
az keyvault secret copy

Description
This PR introduces a new command az keyvault secret copy to simplify the process of copying secrets from one Key Vault to another. It supports copying individual secrets or all secrets in bulk, with options to control overwrite behavior and preserve metadata.

Motivation and Benefits
Currently, users needing to migrate or replicate secrets between Key Vaults (e.g., promoting from Dev to Prod, or replicating for DR) must write complex scripts. This new command standardizes this workflow into a single CLI operation.

• Productivity: Reduces multi-step scripting to a single command.
• Accuracy: Ensures all metadata (tags, content-type) is preserved.
• Safety: Built-in protection against accidental overwrites and automatic filtering of Azure-managed secrets.

Implementation Details

• Registered copy command under keyvault secret group.
• Implemented core logic using azure-keyvault-secrets track2 SDK.
• Added comprehensive unit tests covering single copy, bulk copy, overwrite protection, and metadata preservation.

Testing Guide

1. Copy a single secret:

   az keyvault secret copy --source-vault <SourceKV> --destination-vault <DestKV> --name <SecretName>

2. Copy all secrets:

   az keyvault secret copy --source-vault <SourceKV> --destination-vault <DestKV> --all

3. Force copy (overwrite existing):

   az keyvault secret copy --source-vault <SourceKV> --destination-vault <DestKV> --name <SecretName> --overwrite

History Notes
[KeyVault] az keyvault secret copy: Add new command to copy secrets between Key Vaults

---

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.

[azure-client-tools-bot-prd]

❌AzureCLI-FullTest

️✔️acr

️✔️latest

️✔️3.12

️✔️3.13

️✔️acs

️✔️latest

️✔️3.12

️✔️3.13

️✔️advisor

️✔️latest

️✔️3.12

️✔️3.13

️✔️ams

️✔️latest

️✔️3.12

️✔️3.13

️✔️apim

️✔️latest

️✔️3.12

️✔️3.13

️✔️appconfig

️✔️latest

️✔️3.12

️✔️3.13

️✔️appservice

️✔️latest

️✔️3.12

️✔️3.13

️✔️aro

️✔️latest

️✔️3.12

️✔️3.13

️✔️backup

️✔️latest

️✔️3.12

️✔️3.13

️✔️batch

️✔️latest

️✔️3.12

️✔️3.13

️✔️batchai

️✔️latest

️✔️3.12

️✔️3.13

️✔️billing

️✔️latest

️✔️3.12

️✔️3.13

️✔️botservice

️✔️latest

️✔️3.12

️✔️3.13

️✔️cdn

️✔️latest

️✔️3.12

️✔️3.13

️✔️cloud

️✔️latest

️✔️3.12

️✔️3.13

️✔️cognitiveservices

️✔️latest

️✔️3.12

️✔️3.13

️✔️compute_recommender

️✔️latest

️✔️3.12

️✔️3.13

️✔️computefleet

️✔️latest

️✔️3.12

️✔️3.13

️✔️config

️✔️latest

️✔️3.12

️✔️3.13

️✔️configure

️✔️latest

️✔️3.12

️✔️3.13

️✔️consumption

️✔️latest

️✔️3.12

️✔️3.13

️✔️container

️✔️latest

️✔️3.12

️✔️3.13

️✔️containerapp

️✔️latest

️✔️3.12

️✔️3.13

️✔️core

️✔️latest

️✔️3.12

️✔️3.13

️✔️cosmosdb

️✔️latest

️✔️3.12

️✔️3.13

️✔️databoxedge

️✔️latest

️✔️3.12

️✔️3.13

️✔️dls

️✔️latest

️✔️3.12

️✔️3.13

️✔️dms

️✔️latest

️✔️3.12

️✔️3.13

️✔️eventgrid

️✔️latest

️✔️3.12

️✔️3.13

️✔️eventhubs

️✔️latest

️✔️3.12

️✔️3.13

️✔️feedback

️✔️latest

️✔️3.12

️✔️3.13

️✔️find

️✔️latest

️✔️3.12

️✔️3.13

️✔️hdinsight

️✔️latest

️✔️3.12

️✔️3.13

️✔️identity

️✔️latest

️✔️3.12

️✔️3.13

️✔️iot

️✔️latest

️✔️3.12

️✔️3.13

❌keyvault

❌latest

❌3.12

Type	Test Case	Error Message	Line
Failed	test_keyvault_secret_copy	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7fb67d8a7e30> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7fb67f14a090> command = 'group create --location westus --name cli_test_keyvault_copypemyp6bl4yyrd757ik7urvlatll5kbp47p7hxl7k4uyrljs5ajd6o --tag product=azurecli cause=automation test date=2026-02-18T04:09:24Z test=test_keyvault_secret_copy module=keyvault' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper     fn(test_class_instance, **kwargs) src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper     parameter_update = self.create_resource( src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource     self.live_only_execute(self.cli_ctx, template.format(self.location, name)) src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute     return self.raw_execute(cli_ctx, command, expect_failure)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:669: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:737: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:706: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:336: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/resource/custom.py:1648: in create_resource_group     rcf = resource_client_factory(cmd.cli_ctx)           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          self = <azure.cli.core._profile.Profile object at 0x7fb67d48f0b0> subscription = None     def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError	azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2782

❌3.13

Type	Test Case	Error Message	Line
Failed	test_keyvault_secret_copy	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f90f23e0ec0> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f90f3ae0190> command = 'group create --location westus --name cli_test_keyvault_copylnm4ak66gfsscnjvmokjfmofmgrcnn5ogrthe3wmtilvir4ebt2yf --tag product=azurecli cause=automation test date=2026-02-18T04:10:07Z test=test_keyvault_secret_copy module=keyvault' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:141: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/decorators.py:40: in preparer_wrapper     fn(test_class_instance, **kwargs) src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/preparers.py:39: in preparer_wrapper     parameter_update = self.create_resource( src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:99: in create_resource     self.live_only_execute(self.cli_ctx, template.format(self.location, name)) src/azure-cli-testsdk/azure/cli/testsdk/preparers.py:39: in live_only_execute     return self.raw_execute(cli_ctx, command, expect_failure)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:669: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:737: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:706: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:336: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/resource/custom.py:1648: in create_resource_group     rcf = resource_client_factory(cmd.cli_ctx)           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/resource/client_factory.py:10: in resource_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:308: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          self = <azure.cli.core._profile.Profile object at 0x7f90fa27f380> subscription = None     def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:558: CLIError	azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:2782

️✔️lab

️✔️latest

️✔️3.12

️✔️3.13

️✔️managedservices

️✔️latest

️✔️3.12

️✔️3.13

️✔️maps

️✔️latest

️✔️3.12

️✔️3.13

️✔️marketplaceordering

️✔️latest

️✔️3.12

️✔️3.13

️✔️monitor

️✔️latest

️✔️3.12

️✔️3.13

️✔️mysql

️✔️latest

️✔️3.12

️✔️3.13

️✔️netappfiles

️✔️latest

️✔️3.12

️✔️3.13

️✔️network

️✔️latest

️✔️3.12

️✔️3.13

️✔️policyinsights

️✔️latest

️✔️3.12

️✔️3.13

️✔️postgresql

️✔️latest

️✔️3.12

️✔️3.13

️✔️privatedns

️✔️latest

️✔️3.12

️✔️3.13

️✔️profile

️✔️latest

️✔️3.12

️✔️3.13

️✔️rdbms

️✔️latest

️✔️3.12

️✔️3.13

️✔️redis

️✔️latest

️✔️3.12

️✔️3.13

️✔️relay

️✔️latest

️✔️3.12

️✔️3.13

️✔️resource

️✔️latest

️✔️3.12

️✔️3.13

️✔️role

️✔️latest

️✔️3.12

️✔️3.13

️✔️search

️✔️latest

️✔️3.12

️✔️3.13

️✔️security

️✔️latest

️✔️3.12

️✔️3.13

️✔️servicebus

️✔️latest

️✔️3.12

️✔️3.13

️✔️serviceconnector

️✔️latest

️✔️3.12

️✔️3.13

️✔️servicefabric

️✔️latest

️✔️3.12

️✔️3.13

️✔️signalr

️✔️latest

️✔️3.12

️✔️3.13

️✔️sql

️✔️latest

️✔️3.12

️✔️3.13

️✔️sqlvm

️✔️latest

️✔️3.12

️✔️3.13

️✔️storage

️✔️latest

️✔️3.12

️✔️3.13

️✔️synapse

️✔️latest

️✔️3.12

️✔️3.13

️✔️telemetry

️✔️latest

️✔️3.12

️✔️3.13

️✔️util

️✔️latest

️✔️3.12

️✔️3.13

️✔️vm

️✔️latest

️✔️3.12

️✔️3.13

[azure-client-tools-bot-prd]

⚠️AzureCLI-BreakingChangeTest

⚠️keyvault

rule	cmd_name	rule_message	suggest_message
⚠️ 1001 - CmdAdd	keyvault secret copy	cmd keyvault secret copy added

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[Copilot]

Pull request overview

This PR introduces a new az keyvault secret copy command that enables users to copy secrets between Azure Key Vaults. The command supports copying individual secrets or bulk copying all secrets, with built-in protection against accidental overwrites and automatic filtering of Azure-managed secrets.

Changes:

• Added copy_secret command function with helper _copy_single_secret to handle the copy logic
• Registered the new copy command in the keyvault secret command group
• Added comprehensive parameter definitions for source vault, destination vault, secret selection, and overwrite behavior
• Implemented unit tests covering various scenarios (single copy, bulk copy, overwrite protection)
• Implemented integration tests validating end-to-end functionality
• Added help documentation with usage examples

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/azure-cli/azure/cli/command_modules/keyvault/custom.py	Core implementation of copy_secret and _copy_single_secret functions with error handling and logging
src/azure-cli/azure/cli/command_modules/keyvault/commands.py	Command registration for the new copy command
src/azure-cli/azure/cli/command_modules/keyvault/_params.py	Parameter definitions for source-vault, destination-vault, name, all, and overwrite options
src/azure-cli/azure/cli/command_modules/keyvault/_help.py	Help text and usage examples for the copy command
src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_unit.py	Unit tests for copy functionality covering various scenarios
src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py	Integration tests validating end-to-end command behavior

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.