Skip to content
Latchkey

vault kv get Command Reference

Read a secret from the Vault KV secrets engine.

vault kv get retrieves a secret from a KV v1 or v2 mount. In CI you authenticate first, then read a specific field to inject into a deploy without echoing it to logs.

What it does

vault kv get fetches the data stored at a KV path along with metadata (version, timestamps for KV v2). With -field it prints just one value, which is the form pipelines use to pull a single credential.

Common flags and usage

  • -field=KEY: print only the value of one field
  • -format=json: emit the full response as JSON
  • -version=N: read a specific version (KV v2)
  • -mount=PATH: specify the KV mount explicitly
  • requires VAULT_ADDR and a valid token in the environment

Example

shell
- name: Read database password
  env:
    VAULT_ADDR: https://vault.internal:8200
  run: |
    DB_PASS=$(vault kv get -field=password secret/data/prod/db)
    echo "::add-mask::${DB_PASS}"
    echo "DB_PASS=${DB_PASS}" >> "$GITHUB_ENV"

In CI

Authenticate with vault login (ideally via a JWT/OIDC auth method, not a static token) before reading. Use -field to fetch exactly one value, mask it with ::add-mask:: before writing it to env, and never pass -format=json straight into logs where every field would be exposed.

Key takeaways

  • vault kv get reads a secret; -field extracts a single value cleanly.
  • Authenticate via vault login (OIDC/JWT) before reading in CI.
  • Mask retrieved values with ::add-mask:: and keep them out of logs.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →