feat: add azd ai agent connection commands + credential resolution in run #8174
Merged
Add connection CRUD commands as a sibling subcommand group under azd ai:
- azd ai connection list (ARM with server-side category filter)
- azd ai connection show (ARM metadata + optional data-plane credentials)
- azd ai connection create (ARM PUT with --force upsert, pre-check GET)
- azd ai connection delete (ARM DELETE with confirmation prompt)
Architecture:
- Extension namespace changed from ai.agent to ai
- Connection code in internal/connections/ (self-contained, no agent imports)
- Hybrid API: ARM SDK for CRUD, data-plane for credential fetch
- 5-level project endpoint resolution cascade
- ARM context discovery via data-plane bootstrap GET
- Credential reference strings in show output for agent.yaml
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

During local agent startup, scan the agent manifest environment_variables for connection reference patterns, fetch credentials from the Foundry data plane via POST getConnectionWithCredentials, and inject resolved values into the spawned agent process environment.
- Reads agent.manifest.yaml / agent.yaml from the project directory
- Matches pattern and resolves via data-plane API
- Caches per connection name to avoid redundant API calls
- Logs key names only, never credential values
- Fails gracefully with a warning if resolution fails
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Revert namespace change from ai to ai.agent. Connection commands now live at azd ai agent connection until the azd core namespace change lands.
Per Travis: write commands under azd ai agent for now, keep code in separate files/packages for easy lift-and-shift when Jeffrey's core change is ready.
Changes:
- Revert extension.yaml namespace to ai.agent
- Revert main.go to original import
- Add connection command to existing cmd/root.go NewRootCommand
- Remove unused internal/root.go and exported SetupDebugLogging
The connection code stays self-contained in internal/connections/ with no imports from internal/cmd/ (agent code).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The data-plane getConnectionWithCredentials API returns credentials as flat key-value pairs alongside the type field, not nested under a keys sub-object.
Fix ConnectionCredentials to parse raw JSON correctly:
- ApiKey: extracts "key" field
- CustomKeys: extracts all non-type fields as custom keys
- Fix JSON output double-nesting (credentials.credentials)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The connection credential resolver now handles both file formats:
- agent.manifest.yaml (AgentManifest with template wrapper)
- agent.yaml (ContainerAgent without wrapper)
Finds first file with environment_variables, parses both formats.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The credential resolver now specifically looks for files containing the connection reference pattern, and checks agent.yaml first since that is the file the agent app code references directly.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The requirement spec (PR #165) uses kebab-case for enum values: api-key, custom-keys, none (not ApiKey, CustomKeys, None). Updated --auth-type default, switch cases, help text, and examples.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Per the requirement spec (PR #165):
- update: partial merge via GET-then-PUT (--target, --key, --custom-key)
- metadata set/remove/list: manage metadata key-value pairs
- key set/remove/list: manage credential keys via data-plane
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds Foundry project connection management commands to the azure.ai.agents extension and enhances azd ai agent run to resolve ${{connections.<name>.credentials.<key>}} references from agent.yaml at runtime via the Foundry data-plane API.
Changes:
- Introduces azd ai agent connection {list,show,create,delete} command group backed by ARM CRUD + data-plane credential fetch.
- Adds a data-plane client + models and a small structured error helper package for the new connection commands.
- Updates azd ai agent run to scan the agent manifest for connection credential references and inject resolved secrets into the spawned agent process environment.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 15 comments.
| File | Description |
|---|---|
| cli/azd/extensions/azure.ai.agents/internal/connections/pkg/connections/models.go | Adds connection/credential models and a helper to parse credential payloads. |
| cli/azd/extensions/azure.ai.agents/internal/connections/pkg/connections/data_client.go | Adds a Foundry data-plane client for listing connections and fetching credentials. |
| cli/azd/extensions/azure.ai.agents/internal/connections/exterrors/errors.go | Adds helpers to build structured extension errors and map Azure SDK errors. |
| cli/azd/extensions/azure.ai.agents/internal/connections/exterrors/codes.go | Defines error codes and operation names used by the connections feature. |
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/root.go | Wires the connection subcommand group and shared --project-endpoint flag. |
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/endpoint.go | Implements project endpoint resolution and ARM context discovery. |
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/context.go | Creates shared connection context (ARM + data-plane clients, credential creation). |
| cli/azd/extensions/azure.ai.agents/internal/connections/cmd/connection.go | Implements list/show/create/delete command handlers and output formatting. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/connection_credentials.go | Adds agent.yaml scanning + credential reference resolution for run. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/run.go | Calls connection credential resolution and injects resolved secrets into env. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/root.go | Registers the new connection command group on the extension root. |
| cli/azd/extensions/azure.ai.agents/go.mod | Adds ARM SDK dependency needed by the new connection commands. |
| cli/azd/extensions/azure.ai.agents/go.sum | Updates dependency checksums for the new ARM SDK module. |
ARM PUT rejects bodies without credentials for CustomKeys/ApiKey auth. ARM GET never returns credentials. Solution: always fetch credentials from data-plane before PUTting back.
Added rebuildAndPutConnection helper used by update, metadata set, and metadata remove commands.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Review fixes:
- Remove RawFields JSON tag (fixes double nesting)
- Add pagination to ListConnections
- Use errors.AsType in ServiceFromAzure
- Fix error suggestion to reference existing commands
- Add nil check on props in show command
- Add normalizeKind mapping (kebab-case CLI to PascalCase ARM)
- Add input validation for create (kind, target, key)
- Add warning for malformed key=value pairs
- Align YAML import with agent_yaml package
- Check both AZURE_AI_PROJECT_ENDPOINT and FOUNDRY_PROJECT_ENDPOINT
- Add TODO for tests and env var docs
- Break long lines for lll linter
CI fixes:
- Run go fix for modernizations
- Add tavily/tvly to cspell config
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Use the existing resolveAgentEndpoint function for credential resolution endpoint discovery instead of hardcoding AZURE_AI_PROJECT_ENDPOINT and FOUNDRY_PROJECT_ENDPOINT key names.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- gofmt: fix formatting in exterrors/codes.go
- gosec G304: add nolint comments for os.ReadFile on known project paths
- cspell: rename connectioncmd alias to conncmd to avoid unknown word
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
📋 Prioritization Note
Thanks for the contribution! The linked issue isn't in the current milestone yet.
therealjohn reviewed May 14, 2026
trangevi requested changes May 14, 2026
- Refactor all connection commands (list, show, create, update, delete) to use the Action pattern: RunE validates inputs, action struct runs.
- Remove cobra.Command dependency from resolveProjectEndpoint and resolveConnectionContext for better testability.
- Remove stub 'key remove' command (not yet supported by ARM API).
- Remove TODO comment in connection_credentials.go (replaced by tests).
- Add TODO to unify endpoint resolution with project set/unset commands.
- Extract extractConnectionRefs and lookupCredentialValue as testable pure functions from resolveConnectionCredentials.
- Add unit tests for: parseEndpointComponents, parseARMResourceID, normalizeKind, normalizeAuthType, parseKVPtrMap, buildCredentialReferences, ParseCredentials, extractConnectionRefs, lookupCredentialValue, findManifestInDir, connectionRefPattern.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Remove connection key and metadata subcommands as agreed by @therealjohn and @trangevi — these are redundant with 'connection show --show-credentials' and 'connection update --metadata'.
Removes: connection_key.go, connection_metadata.go, rebuildAndPutConnection helper, and unused operation codes.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
trangevi approved these changes May 15, 2026
trangevi requested changes May 15, 2026
Extension-specific words (conncmd, tavily, tvly) belong in the extension's own cspell.yaml, not the core cli/azd/.vscode/cspell.yaml. The extension config already has these words.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
trangevi approved these changes May 15, 2026
Member
/check-enforcer override
Contributor
@microsoft-github-policy-service rerun
Summary
Adds azd ai agent connection commands for managing Foundry project connections, and credential reference resolution in azd ai agent run.
Design spec: #8138
Namespace issue: #8166
PM spec: coreai-microsoft/foundrysdk_specs#165

New Commands
azd ai agent connection list
List all connections in the Foundry project.

azd ai agent connection show <name>
Show connection details. Metadata only by default.
When --show-credentials is used, output includes credential reference strings for agent.yaml:

azd ai agent connection create <name>
Create a new connection. Fails if connection already exists unless --force is used.
Examples:

azd ai agent connection update <name>
Update a connection's target or credential values. Only specified flags are changed; all other fields are preserved (GET-then-PUT merge). Does not accept --auth-type (delete and recreate to change auth type).
Examples:
azd ai agent connection update prod-search --key "$NEW_SEARCH_KEY"
azd ai agent connection update my-conn --target https://new-endpoint.com

azd ai agent connection delete <name>
Delete a connection. Prompts for confirmation unless --force is used.

azd ai agent connection metadata set|remove|list
Manage metadata key-value pairs on a connection. Metadata is organizational data attached to connections (e.g., type: custom_MCP, ApiType: Azure).

azd ai agent connection key list
List credential keys on a connection (fetches from data-plane). Shows actual secret values.

Agent Run Enhancement
Credential reference resolution in azd ai agent run
When azd ai agent run starts a local agent, it now scans agent.yaml environment_variables for ${{connections.<name>.credentials.<key>}} patterns, resolves them via the Foundry data-plane API, and injects actual credential values into the spawned agent process.
Example agent.yaml:
At azd ai agent run time, the extension fetches the credential from the Foundry project and sets TAVILY_API_KEY=<actual-secret> in the agent process.
This is additive — existing env var handling (${VAR} references, FOUNDRY_* translations) is unchanged.

Architecture
- internal/connections/ — self-contained, no agent imports, easy to lift-and-shift
- armcognitiveservices.ProjectConnectionsClient) for CRUD, data-plane (POST getConnectionWithCredentials) for credential fetch
- rebuildAndPutConnection helper fetches credentials from data-plane before every PUT (used by update, metadata set, metadata remove)
- id field)
- -p flag > azd env > global config > env var > error
- azd ai agent connection until core namespace change lands ([Agents Extension] azd ai connection commands — blocked by namespace prefix conflict #8166)

Files changed
New files (connection commands):
- internal/connections/cmd/root.go — connection subcommand group with -p flag
- internal/connections/cmd/endpoint.go — endpoint resolution + ARM discovery
- internal/connections/cmd/context.go — shared connection context (ARM + data-plane clients)
- internal/connections/cmd/connection.go — list, show, create, update, delete + helpers
- internal/connections/cmd/connection_metadata.go — metadata set, remove, list
- internal/connections/cmd/connection_key.go — key set, remove, list
- internal/connections/pkg/connections/models.go — Connection, ConnectionCredentials types
- internal/connections/pkg/connections/data_client.go — data-plane client
- internal/connections/exterrors/errors.go — structured error factories
- internal/connections/exterrors/codes.go — error codes
New files (agent run enhancement):
- internal/cmd/connection_credentials.go — scans manifest for connection refs, resolves via data-plane
Modified files:
- internal/cmd/root.go — adds connection subcommand (one line)
- internal/cmd/run.go — adds credential resolution step after existing env var loading
- go.mod / go.sum — adds armcognitiveservices SDK dependency
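
The resolution step described above, as an added example that is not the extension's own code: it scans environment values for ${{connections.<name>.credentials.<key>}}, fetches each connection's flat credential JSON at most once, and returns only the variable names for logging. The names resolveEnv and refPattern, the fetch stand-in for the data-plane call, the accepted character set and the sample payload are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Matches ${{connections.<name>.credentials.<key>}}; the [\w-] character set is an assumption.
var refPattern = regexp.MustCompile(`\$\{\{connections\.([\w-]+)\.credentials\.([\w-]+)\}\}`)

// resolveEnv substitutes references in env values. fetch is a hypothetical stand-in for the data-plane
// call (flat JSON: "type" plus secret fields), run once per connection. Only the returned names are loggable.
func resolveEnv(env map[string]string, fetch func(string) ([]byte, error)) (map[string]string, []string, error) {
	cache, out, names := map[string]map[string]any{}, map[string]string{}, []string{}
	for name, val := range env {
		for _, m := range refPattern.FindAllStringSubmatch(val, -1) {
			if _, ok := cache[m[1]]; !ok {
				fields := map[string]any{}
				raw, err := fetch(m[1])
				if err == nil {
					err = json.Unmarshal(raw, &fields)
				}
				if err != nil {
					return nil, nil, fmt.Errorf("connection %q: %w", m[1], err)
				}
				cache[m[1]] = fields
			}
			secret, ok := cache[m[1]][m[2]].(string)
			if !ok || m[2] == "type" { // "type" is the auth kind, not a credential
				return nil, nil, fmt.Errorf("connection %q: no credential key %q", m[1], m[2])
			}
			val = strings.Replace(val, m[0], secret, 1)
		}
		if out[name] = val; val != env[name] {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return out, names, nil
}

func main() {
	fetch := func(string) ([]byte, error) { return []byte(`{"type":"CustomKeys","key":"constructed-secret"}`), nil }
	_, names, err := resolveEnv(map[string]string{"TAVILY_API_KEY": "${{connections.tavily.credentials.key}}"}, fetch)
	fmt.Println("resolved:", names, "error:", err) // variable names only, never secret values
}
```

On error the function returns no environment at all, so a caller that wants to continue with a warning starts the agent with the unresolved environment instead of a partially substituted one.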