Enable Google KMS and Azure Key Vault for publisher login tool #696

joelverhagen · 2025-10-23T14:32:53Z

Motivation and Context

This allows the private key used for DNS or HTTP based authentication to be stored securely in a cloud key management system. These services often provide HSM storage which makes it very hard to leak the private key.

The full context is described in my design document here:
#482 (comment)

How Has This Been Tested?

I have tested it against PROD using an Ed25519 key stored in Google KMS. I have added unit tests. I have tested both ECDSA P-384 and Ed25519 with Az KV and Google KMS against a locally running server.

Breaking Changes

None intended.

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)
Documentation update

Checklist

I have read the MCP Documentation
My code follows the repository's style guidelines
New and existing tests pass locally
I have added appropriate error handling
I have added or updated documentation as needed

Additional context

Design doc is in this issue comment: modelcontextprotocol#482 (comment)

Add key length check # Conflicts: # cmd/publisher/auth/common.go

joelverhagen · 2025-10-27T13:56:31Z

@rdimitrov - thanks for fixing main after I broke it with the crypto parse function. I created the PR before we moved back to Go 1.24 and didn't notice 🤦. I have added a length validation since the private key length is known per curve in this PR, to improve user experience (I had it in a previous iteration of this PR).

joelverhagen · 2025-10-27T13:57:44Z

@domdomegg, @toby - this PR is ready for review! Once this is in Microsoft will be able to publish to the MCP Registry :)

cmd/publisher/auth/common.go

cmd/publisher/commands/login.go

domdomegg

LGTM, happy to merge

docs/reference/cli/commands.md

Co-authored-by: adam jones <domdomegg+git@gmail.com>

# Conflicts: # go.mod # go.sum

joelverhagen marked this pull request as draft October 23, 2025 14:37

joelverhagen force-pushed the joelverhagen/azkv branch 2 times, most recently from 4daf89b to 60001e6 Compare October 23, 2025 15:13

joelverhagen marked this pull request as ready for review October 23, 2025 15:16

Add Azure Key Vault and Google KMS support

314f336

Design doc is in this issue comment: modelcontextprotocol#482 (comment)

joelverhagen force-pushed the joelverhagen/azkv branch from 60001e6 to 314f336 Compare October 24, 2025 18:08

joelverhagen added 2 commits October 24, 2025 14:44

Implement parseRawPrivateKey for go 1.24

7c0bc3d

Merge remote-tracking branch 'origin/main' into joelverhagen/azkv

df8cb1c

Add key length check # Conflicts: # cmd/publisher/auth/common.go