nais · jhrv · Jan 30, 2026 · Jan 29, 2026
diff --git a/internal/naisapi/auth/localhost.go b/internal/naisapi/auth/localhost.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"os"
 
@@ -30,6 +31,11 @@ func Localhost() (*LocalhostUser, bool) {
 	}, true
 }
 
+// APIURL overrides the parent method to use HTTP instead of HTTPS for local development
+func (l *LocalhostUser) APIURL() string {
+	return fmt.Sprintf("http://%s/graphql", l.ConsoleHost())
+}
+
 func (l *LocalhostUser) HTTPClient(_ context.Context) *http.Client {
 	return &http.Client{
 		Transport: l.RoundTripper(http.DefaultTransport),

diff --git a/internal/naisapi/elevation.go b/internal/naisapi/elevation.go
diff --git a/internal/naisapi/gql/generated.go b/internal/naisapi/gql/generated.go
diff --git a/internal/naisapi/secret.go b/internal/naisapi/secret.go
@@ -0,0 +1,54 @@
+package naisapi
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/nais/cli/internal/naisapi/gql"
+)
+
+// SecretValue represents a key-value pair from a secret
+type SecretValue struct {
+	Name  string
+	Value string
+}
+
+// ViewSecretValues retrieves the values of a secret. This requires team membership
+// and a reason for access. The access is logged for auditing purposes.
+func ViewSecretValues(ctx context.Context, team, environmentName, secretName, reason string) ([]SecretValue, error) {
+	_ = `# @genqlient
+mutation ViewSecretValues($input: ViewSecretValuesInput!) {
+viewSecretValues(input: $input) {
+values {
+name
+value
+}
+}
+}
+`
+
+	client, err := GraphqlClient(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("creating GraphQL client: %w", err)
+	}
+
+	resp, err := gql.ViewSecretValues(ctx, client, gql.ViewSecretValuesInput{
+		Name:        secretName,
+		Environment: environmentName,
+		Team:        team,
+		Reason:      reason,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("viewing secret values: %w", err)
+	}
+
+	values := make([]SecretValue, len(resp.ViewSecretValues.Values))
+	for i, v := range resp.ViewSecretValues.Values {
+		values[i] = SecretValue{
+			Name:  v.Name,
+			Value: v.Value,
+		}
+	}
+
+	return values, nil
+}
diff --git a/internal/postgres/access.go b/internal/postgres/access.go
@@ -35,8 +35,8 @@ var (
 )
 
 func PrepareAccess(ctx context.Context, appName string, namespace flag.Namespace, cluster flag.Context, schema string, allPrivs bool, out *naistrix.OutputWriter) error {
-	// Ensure we have elevated access to read the database secret (hardcoded reason for administrative operation)
-	if err := EnsureSecretAccess(ctx, appName, namespace, cluster, ReasonPrepareAccess, out); err != nil {
+	// Get secret values (access is logged for audit purposes)
+	if _, err := GetSecretValues(ctx, appName, namespace, cluster, ReasonPrepareAccess, out); err != nil {
 		return err
 	}
 
@@ -55,8 +55,8 @@ func PrepareAccess(ctx context.Context, appName string, namespace flag.Namespace
 }
 
 func RevokeAccess(ctx context.Context, appName string, namespace flag.Namespace, cluster flag.Context, schema string, out *naistrix.OutputWriter) error {
-	// Ensure we have elevated access to read the database secret (hardcoded reason for administrative operation)
-	if err := EnsureSecretAccess(ctx, appName, namespace, cluster, ReasonRevokeAccess, out); err != nil {
+	// Get secret values (access is logged for audit purposes)
+	if _, err := GetSecretValues(ctx, appName, namespace, cluster, ReasonRevokeAccess, out); err != nil {
 		return err
 	}