Skip to content
Latchkey

az keyvault secret show: Read an Azure Key Vault Secret

az keyvault secret show returns a secret from an Azure Key Vault, with the plaintext in the value field.

This is the Azure CLI command for reading a Key Vault secret in CI. Authenticate with a service principal or managed identity and pull just the value with --query.

What it does

az keyvault secret show fetches the named secret from the given vault and returns its attributes; the plaintext is in the value field. --query value with -o tsv extracts just that string.

Common usage

Terminal
az keyvault secret show --vault-name my-vault --name db-password \
  --query value -o tsv
# after logging in with a service principal
az login --service-principal -u "$AZ_APP_ID" -p "$AZ_SECRET" --tenant "$AZ_TENANT"

Options

FlagWhat it does
--vault-name <name>Key Vault to read from
--name, -n <name>Name of the secret
--version <id>Specific secret version (default latest)
--query valueJMESPath to extract just the value
-o tsvOutput as tab-separated (raw) text

In CI

Prefer a managed identity or OIDC federated credential over a service principal secret. The identity needs a Key Vault access policy or RBAC role granting Get on secrets. Use --query value -o tsv to get a clean value and mask it.

Common errors in CI

"(Forbidden) The user, group or application ... does not have secrets get permission on key vault" means the identity lacks the Get permission or role. "(SecretNotFound) A secret with (name/id) ... was not found" means a wrong --name or --vault-name. "Please run 'az login'" means no credentials on the runner.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →