why can't I see keyvault secrets in portal, but can access them programmatically

The access

This is the service principal keyvault access policy:

Service Principal:

Service admin / Portal user:

Why can't I see the secrets, although I can access them programmatically?

The access policy

I'm assuming you are using SPN to access the keyvault programmatically and using user credential to view the secrets from the portal?

From the snapshots, I can see that the keyvault is set to Access policy authorization model. This means the roles on RBAC will not affect the reading/writing of contents of the Keyvault.
You need to assign an access policy to the user or SPN to allow this.

I can see that there is an access policy for your SPN which is why you can read the keyvault contents programmatically using this SPN. However, the user only has a service administrator RBAC role. But since Access policies don't allow RBAC roles to access the contents, you cannot see the keyvault contents on the portal.

Keyvault has 2 authorization models, RBAC and Access policies. You can read more about them here. Access policy is the older model and doesn't allow granular access to a single key/secret. RBAC is the newer model launched in 2021 which allows you to set roles at the individual entity level to segregate access to each key, secret.

> From your last screenshot, I observed that you created access policy only for service principal that allows it to access secrets programmatically.

To fix your issue, you need to create new access policy by selecting your user account under Principal tab like below:

Make sure to assign list secret permissions to your user account and click on Create like below:

After creating access policy, the user account will appear under USER like below:

When I signed in with that user account, I'm able to access secrets successfully like below:

Alternatively, you can switch permission model to Azure role-based access control if you prefer to accessing with RBAC roles like below: