azure, azure-keyvault, power-automate, powerapps, azure-managed-identity

Azure key vault secret in a Power Automate flow without plain-text secrets


Building on "Azure Key Vault Environment Variable Not Showing in Power Automate Flow", I have the same problem, and the answer that has been provided isn't a solution in my scenario.

In a Power Automate flow I'm sending Graph API requests to an Azure tenant, different from the one to which the Power Automate platform is connected. Before I can send any Graph requests, I need to obtain a token via client credentials, which requires a client id and secret. I want to read the secret securely from an Azure Key Vault, instead of placing it in a plain text variable. I linked the Azure Key Vault to an environment variable in the Power Platform solution by providing the subscription details, after giving the Dataverse and Power Platform service principals "Key Vault Secrets User" RBAC permissions in the key vault.

The documentation https://learn.microsoft.com/en-us/power-apps/maker/data-platform/environmentvariables-azure-key-vault-secrets#create-a-power-automate-flow-to-test-the-environment-variable-secret says that we need to create a Dataverse unbound action to read the secret from the key vault. What it doesn't say is that to create an unbound action you first need to authenticate to Dataverse. The authentication to Dataverse can be either based on the signed-in user, or on a service principal (via client credentials). I don't want to bind the flow to my account (or anyone else's account), and I don't want to use client credentials, because I'd have to write another secret in plain text (which would defeat the purpose of using the key vault).

The whole point of using the key vault was so that I could use a secret securely, but it doesn't look like Power Automate is able to use Managed Identity. From what I've read (and it's extremely confusing), Power Automate doesn't support managed identity. Dataverse does. However, to use Dataverse, you need to authenticate first, which defeats the purpose.

So, I have an environment variable which correctly references a key vault secret, but I'm unable to use it in the flow, unless I specify another plain text secret to connect to the key vault.

If someone has managed to find a way around this, please let me know.


Solution

  • For the benefit of anyone else who has stumbled upon this, a straightforward solution which doesn't involve Dataverse is:

    1. Create a service principal (app registration) in Entra ID on the Azure tenant that contains the key vault. This should be the same tenant that contains the Power Platform environment.

    2. Assign Key Vault Secret Reader permissions to the corresponding service principal (enterprise app) via the IAM settings of the key vault.

    3. Insert an Azure Key Vault step in the cloud flow with the "Get secret" action and "Service principal authentication". Enter client id, secret, tenant. The secrets should be listed if the connection is correct.

    4. Go to the Azure Key Vault step options and switch on the "Secure outputs" toggle.

    5. Add a step after the Azure Key Vault step which uses the secret from the previous step.

    No environment variable is needed for the secret, and no connection to Dataverse. The client secret specified for the service principal used to access the key vault is not visible. The connection to the key vault can be modified in the future to rotate the secret with no impact to the solution.
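The two-hop pattern the question and the answer describe, written out as an added example (not code from the original post, and not Power Automate's own implementation): one service principal in the vault's tenant authenticates with client credentials and reads the secret over the Key Vault data plane (the "Get secret" action, which is why it needs a secrets-read role such as "Key Vault Secrets User"); that secret is then the client secret of the second app registration and is exchanged for a Microsoft Graph token in the other tenant. The tenant ids, vault name, secret name and client ids are made-up placeholders, the HTTP transport is injectable so the logic can be exercised offline with a constructed test double, and `redact()` mirrors what the "Secure outputs" toggle does for the flow: the fetched value must never be written to a log or run history.

```python
"""
Added example: client-credentials -> Key Vault secret -> client-credentials
against a second tenant, using only the standard library and the public
Azure REST endpoints (Entra ID v2.0 token endpoint, Key Vault data plane).
"""
import json
import urllib.parse
import urllib.request

KEY_VAULT_SCOPE = "https://vault.azure.net/.default"          # hop 1 audience
GRAPH_SCOPE = "https://graph.microsoft.com/.default"          # hop 2 audience
KV_API_VERSION = "7.4"                                        # Key Vault REST API version


def _post_form(transport, url, fields):
    """POST an x-www-form-urlencoded body and parse the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    return json.loads(transport(req))


def get_client_credentials_token(transport, tenant_id, client_id, client_secret, scope):
    """OAuth2 client-credentials grant on the Entra ID v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    resp = _post_form(transport, url, {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    if "access_token" not in resp:
        raise RuntimeError(f"token request failed: {resp.get('error', 'unknown')}")
    return resp["access_token"]


def get_key_vault_secret(transport, vault_name, secret_name, access_token):
    """GET the latest version of a secret from the vault's data plane.
    The caller's identity needs a secrets-read role (e.g. Key Vault Secrets User)."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
           f"?api-version={KV_API_VERSION}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    resp = json.loads(transport(req))
    if "value" not in resp:
        raise RuntimeError("secret read failed: " + json.dumps(resp.get("error", {})))
    return resp["value"]


def graph_token_via_key_vault(transport, kv_tenant, kv_client_id, kv_client_secret,
                              vault_name, secret_name, target_tenant, target_client_id):
    """Hop 1: read the Graph app's client secret from Key Vault.
    Hop 2: use it for a client-credentials grant in the target tenant."""
    kv_token = get_client_credentials_token(
        transport, kv_tenant, kv_client_id, kv_client_secret, KEY_VAULT_SCOPE)
    target_secret = get_key_vault_secret(transport, vault_name, secret_name, kv_token)
    return get_client_credentials_token(
        transport, target_tenant, target_client_id, target_secret, GRAPH_SCOPE)


def redact(text, secrets):
    """Scrub secret values before anything is logged (the 'Secure outputs' idea)."""
    for s in secrets:
        if s:
            text = text.replace(s, "***")
    return text


def live_transport(req):
    """Real transport: send the prepared request and return the response body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def make_fake_transport(responses):
    """Constructed test double: maps a URL prefix to a canned JSON reply and
    records (method, url, body) of every request so the flow can be inspected."""
    log = []

    def transport(req):
        body = req.data.decode() if req.data else ""
        log.append((req.get_method(), req.full_url, body))
        for prefix, payload in responses.items():
            if req.full_url.startswith(prefix):
                return json.dumps(payload)
        raise RuntimeError("unexpected request: " + req.full_url)

    transport.log = log
    return transport
```

With `live_transport` the same function performs the real exchange; with `make_fake_transport` you can confirm, without any network, that the vault-reading identity and the Graph identity stay separate and that the fetched value only ever travels in the second token request.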