vault kv get Command Reference
Read a secret from the Vault KV secrets engine.
vault kv get retrieves a secret from a KV v1 or v2 mount. In CI you authenticate first, then read a specific field to inject into a deploy without echoing it to logs.
What it does
vault kv get fetches the data stored at a KV path along with metadata (version, timestamps for KV v2). With -field it prints just one value, which is the form pipelines use to pull a single credential.
Common flags and usage
- -field=KEY: print only the value of one field
- -format=json: emit the full response as JSON
- -version=N: read a specific version (KV v2)
- -mount=PATH: specify the KV mount explicitly
- requires VAULT_ADDR and a valid token in the environment
Example
- name: Read database password
env:
VAULT_ADDR: https://vault.internal:8200
run: |
DB_PASS=$(vault kv get -field=password secret/data/prod/db)
echo "::add-mask::${DB_PASS}"
echo "DB_PASS=${DB_PASS}" >> "$GITHUB_ENV"In CI
Authenticate with vault login (ideally via a JWT/OIDC auth method, not a static token) before reading. Use -field to fetch exactly one value, mask it with ::add-mask:: before writing it to env, and never pass -format=json straight into logs where every field would be exposed.
Key takeaways
- vault kv get reads a secret; -field extracts a single value cleanly.
- Authenticate via vault login (OIDC/JWT) before reading in CI.
- Mask retrieved values with ::add-mask:: and keep them out of logs.