az keyvault secret show: Read an Azure Key Vault Secret
az keyvault secret show returns a secret from an Azure Key Vault, with the plaintext in the value field.
This is the Azure CLI command for reading a Key Vault secret in CI. Authenticate with a service principal or managed identity and pull just the value with --query.
What it does
az keyvault secret show fetches the named secret from the given vault and returns its attributes; the plaintext is in the value field. --query value with -o tsv extracts just that string.
Common usage
az keyvault secret show --vault-name my-vault --name db-password \
--query value -o tsv
# after logging in with a service principal
az login --service-principal -u "$AZ_APP_ID" -p "$AZ_SECRET" --tenant "$AZ_TENANT"Options
| Flag | What it does |
|---|---|
| --vault-name <name> | Key Vault to read from |
| --name, -n <name> | Name of the secret |
| --version <id> | Specific secret version (default latest) |
| --query value | JMESPath to extract just the value |
| -o tsv | Output as tab-separated (raw) text |
In CI
Prefer a managed identity or OIDC federated credential over a service principal secret. The identity needs a Key Vault access policy or RBAC role granting Get on secrets. Use --query value -o tsv to get a clean value and mask it.
Common errors in CI
"(Forbidden) The user, group or application ... does not have secrets get permission on key vault" means the identity lacks the Get permission or role. "(SecretNotFound) A secret with (name/id) ... was not found" means a wrong --name or --vault-name. "Please run 'az login'" means no credentials on the runner.