Skip to content
Latchkey

az keyvault secret show: Usage & Common CI Errors

Read a secret value from Azure Key Vault.

az keyvault secret show retrieves a secret from Azure Key Vault. The common pitfall is the vault’s permission model - RBAC versus access policies - which decides whether your CI identity can read at all.

What it does

az keyvault secret show --vault-name <vault> --name <secret> returns the secret object; --query value -o tsv extracts just the value for a shell variable. Key Vault uses either Azure RBAC or legacy access policies for authorization - the role/policy you need differs depending on which the vault is configured for.

Common usage

Terminal
# Read a secret value into a variable
DB_PASS=$(az keyvault secret show \
  --vault-name my-vault \
  --name db-password \
  --query value -o tsv)

# Show full metadata (version, attributes)
az keyvault secret show --vault-name my-vault --name db-password

Common error in CI: Forbidden / "does not have secrets get permission"

Reads fail with "(Forbidden) The user, group or application ... does not have secrets get permission on key vault" or "Caller is not authorized to perform action on resource". The cause is almost always the authorization model. Fix: if the vault uses Azure RBAC, assign the principal "Key Vault Secrets User" at the vault scope; if it uses access policies, add a policy granting get/list on secrets (az keyvault set-policy --secret-permissions get list). Also confirm network rules/firewall allow the runner, and that the --name and --vault-name are correct.

Key options

OptionPurpose
--vault-nameKey Vault name
--name / -nSecret name
--query value -o tsvExtract just the secret value
--versionA specific secret version

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →