vault kv get: Read a KV Secret
vault kv get reads a secret from a KV engine, optionally extracting a single field for use in a script.
Fetching a secret at build time is the most common Vault CLI use. -field pulls one value out cleanly so you can assign it to an environment variable without parsing.
What it does
vault kv get retrieves the secret at a path from a KV v2 mount. By default it prints all fields in a table; -field=<name> prints just that value, and -format=json emits structured output. -version reads an older version of the secret.
Common usage
vault kv get secret/ci/deploy
# extract one field for a variable (no trailing newline noise)
TOKEN=$(vault kv get -field=token secret/ci/deploy)
# JSON for jq
vault kv get -format=json secret/ci/deploy | jq -r .data.data.tokenOptions
| Flag | What it does |
|---|---|
| -field <name> | Print only the value of this field |
| -format=json | Output JSON instead of a table |
| -mount <path> | KV mount path (alternative to the path prefix) |
| -version <n> | Read a specific secret version |
In CI
Use -field to assign a value directly to an env var without jq. Mind the KV version: on KV v2 the data sits under .data.data in JSON, and the read path may differ from the mount you write to (data/ is implicit for the kv command).
Common errors in CI
"No value found at secret/ci/deploy" usually means a KV v2 mount is being read with a v1 path or the wrong field; check the mount version. "permission denied" means the token's policy lacks read on that path. "Field \"token\" not present in secret" means -field names a key that does not exist. "* missing client token" means you have not run vault login.