Skip to content
Latchkey

az keyvault secret show: Read Key Vault in CI

Retrieve a secret value from Azure Key Vault.

az keyvault secret show fetches a secret from Key Vault. In CI you read it into an environment variable to inject credentials at runtime. Use --query value -o tsv to get the raw payload without JSON wrapping.

Common flags

  • --vault-name VAULT and -n NAME - vault and secret
  • --query value -o tsv - emit just the plaintext value
  • --version VERSION - read a specific secret version

Example in CI

Read a secret into an environment variable.

shell
DB_PASS=$(az keyvault secret show \
  --vault-name my-vault -n db-password \
  --query value -o tsv)
export DB_PASS

Common errors in CI

  • Forbidden ... does not have secrets get permission - missing access policy or Key Vault Secrets User role
  • SecretNotFound - wrong secret name or vault
  • A vault with the same name ... or vault not found - wrong --vault-name

Key takeaways

  • Reads a Key Vault secret payload at runtime.
  • Use --query value -o tsv to get the raw value for shell variables.
  • Grant the Key Vault Secrets User role (or an access policy) to the identity.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →