az keyvault secret show: Read Key Vault in CI
Retrieve a secret value from Azure Key Vault.
az keyvault secret show fetches a secret from Key Vault. In CI you read it into an environment variable to inject credentials at runtime. Use --query value -o tsv to get the raw payload without JSON wrapping.
Common flags
--vault-name VAULTand-n NAME- vault and secret--query value -o tsv- emit just the plaintext value--version VERSION- read a specific secret version
Example in CI
Read a secret into an environment variable.
shell
DB_PASS=$(az keyvault secret show \
--vault-name my-vault -n db-password \
--query value -o tsv)
export DB_PASSCommon errors in CI
- Forbidden ... does not have secrets get permission - missing access policy or Key Vault Secrets User role
- SecretNotFound - wrong secret name or vault
- A vault with the same name ... or vault not found - wrong --vault-name
Key takeaways
- Reads a Key Vault secret payload at runtime.
- Use --query value -o tsv to get the raw value for shell variables.
- Grant the Key Vault Secrets User role (or an access policy) to the identity.
Related guides
az login: Authenticate Azure CLI in CIAuthenticate the Azure CLI in CI with a service principal or federated token: flags, an example, and the auth…
az group create: Provision Resource Groups in CICreate an Azure resource group from CI: required flags, an idempotent example, and the location and permissio…
gcloud secrets versions access: Read Secrets in CIRead a Secret Manager secret value from a pipeline: required arguments, a CI example, and the access errors y…