Skip to content
Latchkey

How to Load Azure Key Vault Secrets in GitHub Actions

azure/login with OIDC gets a token, then az keyvault secret show reads each secret so you can mask and export it.

Log in with azure/login using federated credentials (client-id, tenant-id, subscription-id), then read values with az keyvault secret show, mask them, and write them to $GITHUB_ENV.

Steps

  • Add permissions: id-token: write and log in with azure/login (OIDC).
  • Run az keyvault secret show --vault-name <vault> --name <secret>.
  • Mask the value with ::add-mask:: and append it to $GITHUB_ENV.
  • Grant the federated identity a Key Vault access policy or RBAC role.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: |
          VALUE=$(az keyvault secret show --vault-name kv-prod \
            --name db-password --query value -o tsv)
          echo "::add-mask::$VALUE"
          echo "DB_PASSWORD=$VALUE" >> "$GITHUB_ENV"

Gotchas

  • The app registration needs a Get secret permission (access policy) or the Key Vault Secrets User role.
  • Use -o tsv so the value is raw text, not JSON-quoted.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →