Skip to content
Latchkey

vault kv get: Read a KV Secret

vault kv get reads a secret from a KV engine, optionally extracting a single field for use in a script.

Fetching a secret at build time is the most common Vault CLI use. -field pulls one value out cleanly so you can assign it to an environment variable without parsing.

What it does

vault kv get retrieves the secret at a path from a KV v2 mount. By default it prints all fields in a table; -field=<name> prints just that value, and -format=json emits structured output. -version reads an older version of the secret.

Common usage

Terminal
vault kv get secret/ci/deploy
# extract one field for a variable (no trailing newline noise)
TOKEN=$(vault kv get -field=token secret/ci/deploy)
# JSON for jq
vault kv get -format=json secret/ci/deploy | jq -r .data.data.token

Options

FlagWhat it does
-field <name>Print only the value of this field
-format=jsonOutput JSON instead of a table
-mount <path>KV mount path (alternative to the path prefix)
-version <n>Read a specific secret version

In CI

Use -field to assign a value directly to an env var without jq. Mind the KV version: on KV v2 the data sits under .data.data in JSON, and the read path may differ from the mount you write to (data/ is implicit for the kv command).

Common errors in CI

"No value found at secret/ci/deploy" usually means a KV v2 mount is being read with a v1 path or the wrong field; check the mount version. "permission denied" means the token's policy lacks read on that path. "Field \"token\" not present in secret" means -field names a key that does not exist. "* missing client token" means you have not run vault login.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →