atmos secret delete
Remove a declared secret's value from its configured backend. Atmos prompts for confirmation before deleting unless you pass --force. The secret declaration in your stack configuration is not modified — only the stored value is removed. Pass --all to clear every declared secret for the scope (a clean, in-process reset of a SOPS file). This command is also available under the rm alias.
Usage
atmos secret delete NAME [flags]
atmos secret delete --all [flags]
Examples
# Delete a secret value, prompting for confirmation
atmos secret delete DATADOG_API_KEY --stack=prod --component=api
# Delete without a confirmation prompt
atmos secret delete DATADOG_API_KEY --stack=prod --component=api --force
# Clear ALL declared secrets for the scope (resets a SOPS file to a clean state)
atmos secret delete --all --force --stack=prod --component=api
# Use the `rm` alias
atmos secret rm DATADOG_API_KEY --stack=prod --component=api
# Delete using a specific identity for the backend
atmos secret delete DATADOG_API_KEY --stack=prod --component=api --identity=aws/prod-secrets
Arguments
NAMEThe name of the declared secret whose value is removed.
Flags
--stack(alias-s)The Atmos stack to operate on. Required.
Environment variable:
ATMOS_STACK--component(alias-c)The Atmos component that declares the secret. Required.
Environment variable:
ATMOS_COMPONENT--typeThe component type (
terraform,helmfile,packer, oransible). Used to disambiguate when a component name exists in more than one type.--identity(alias-i)The identity to use when accessing the secret backend.
Environment variable:
ATMOS_IDENTITY--force(alias-f)Delete the value without prompting for confirmation.
--allDelete every declared secret's value for the scope instead of a single
NAME. For a SOPS file this resets it to a clean state in-process. TheNAMEargument is omitted when--allis used.
See Also
- atmos secret — Overview of the secret command group
!secretYAML function — Resolve declared secrets at runtime
