diff --git a/.woodpecker/db.yml b/.woodpecker/db.yml
index e3bcc9a..172b959 100644
--- a/.woodpecker/db.yml
+++ b/.woodpecker/db.yml
@@ -20,7 +20,7 @@ steps:
 VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
 VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
 commands:
- - apk add --no-cache curl bash coreutils sed
+ - apk add --no-cache curl bash coreutils sed python3
 - mkdir -p secrets
 # fetch registry creds
 - ./ci/vlt kv_to_file kv registry user secrets/REGISTRY_USER 600
diff --git a/ci/vlt b/ci/vlt
index 19718e4..4891673 100755
--- a/ci/vlt
+++ b/ci/vlt
@@ -36,9 +36,18 @@ kv_get() {
 ensure_token
 url="${VAULT_ADDR%/}/v1/${mount}/data/${path}"
 resp="$(curl -sfS --connect-timeout 5 --max-time 20 -H "X-Vault-Token: ${VAULT_TOKEN}" "$url")"
- raw="$(printf '%s' "$resp" | sed -n "s/.*\"${field}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p")"
- [ -n "$raw" ] || { echo "field not found: ${mount}/${path}:${field}" >&2; exit 2; }
- printf '%s' "$raw" | sed -e 's/\\n/\n/g' -e 's/\\t/\t/g' -e 's/\\"/"/g' -e 's/\\\\/\\/g'
+ RESP="$resp" python3 - "$field" <<'PY'
+import json, os, sys
+field = sys.argv[1]
+resp = os.environ.get("RESP", "")
+try:
+ data = json.loads(resp)
+ value = data["data"]["data"][field]
+except (KeyError, TypeError, json.JSONDecodeError):
+ print(f"field not found or invalid JSON", file=sys.stderr)
+ sys.exit(2)
+sys.stdout.write(value)
+PY
 }
 
 # kv_to_file [mode]
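Review bot: python3 is added only to this step's `apk add` line, but after this commit `ci/vlt kv_get` needs it wherever the script runs. Any other pipeline step that calls `./ci/vlt` on an image without python3 would now fail where the sed parser worked; no such step is visible in this diff, so the other pipeline files should be checked. A guard at the top of kv_get, such as `command -v python3 >/dev/null || { echo "python3 is required" >&2; exit 127; }`, would make that failure explicit instead of a bare "not found" from the shell.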
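Review bot: The Python block in kv_get writes whatever JSON value it finds, so an empty string now exits 0 where the removed `[ -n "$raw" ]` check rejected it, and a non-string value (number, null, object) raises an uncaught TypeError from `sys.stdout.write`. For a credential fetch the silent empty value is the worse case, since kv_to_file would presumably write an empty secret file. Separately, the old `exit 2` ran in the shell itself, while `sys.exit(2)` only sets kv_get's return status; whether a failure still aborts the script depends on `set -e` or caller checks that are outside this hunk. The error message also lost the `${mount}/${path}` context and is an f-string with no placeholders. kv_get starts above the hunk; the fence below shows the value check only.

```sh
  RESP="$resp" python3 - "$field" <<'PY'
# … unchanged: imports, field and resp setup …
try:
    value = json.loads(resp)["data"]["data"][field]
except (KeyError, TypeError, json.JSONDecodeError):
    value = None
# Reject missing, empty and non-string values, as the old [ -n "$raw" ] check did.
if not isinstance(value, str) or not value:
    print(f"field not found, empty or not a string: {field}", file=sys.stderr)
    sys.exit(2)
sys.stdout.write(value)
```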