Azure Pipelines AzureKeyVault Task - Secret Not Found / Access Denied
The AzureKeyVault@2 task could not read a secret. Either the secret name does not exist in the vault, the service connection’s identity lacks Get/List on secrets, or the wrong vault/connection was referenced.
What this error means
The task fails listing or fetching secrets with a "not found" or "access denied"/"Forbidden" message. Downstream steps that expect the secret as a variable then fail because it was never set.
##[error]Get secret 'db-password' from Azure Key Vault failed.
The user, group or application does not have secrets get permission on
key vault 'prod-kv'.Common causes
Service connection identity lacks Get/List
The app registration / managed identity behind the service connection needs a Key Vault access policy (or RBAC role) granting secret Get and List. Without it, even an existing secret is forbidden.
Wrong secret name or vault
A typo in SecretsFilter, a secret that lives in a different vault, or a wrong KeyVaultName makes the lookup return nothing.
How to fix it
Reference the vault and secrets correctly
Point the task at the right service connection, vault, and secret filter.
steps:
- task: AzureKeyVault@2
inputs:
azureSubscription: 'azure-prod'
KeyVaultName: 'prod-kv'
SecretsFilter: 'db-password,api-key'
RunAsPreJob: trueGrant the identity Get/List on secrets
- Identify the service-connection app/identity from the error.
- On the Key Vault, add an access policy (or RBAC "Key Vault Secrets User") granting Get and List on secrets.
- Re-run; secrets become available as pipeline variables (masked).
How to prevent it
- Grant the service connection identity least-privilege Get/List on the vault.
- Keep secret names and the vault name in sync with
SecretsFilter. - Treat fetched secrets as masked variables; never echo them.