atmos secret exec

Resolve the declared secrets for a stack and component and run a command with them set as environment variables. Each environment variable is named after the secret's declaration name, verbatim — the same naming used by atmos secret pull. Use -- to separate Atmos flags from the command and its arguments.

atmos secret exec --help

Usage

atmos secret exec [flags] -- <command> [args...]

The resolved secrets are layered on top of the current environment (the OS environment plus any global env from atmos.yaml). A declared secret takes precedence over an inherited variable of the same name. Secrets that are not yet initialized in their backend are skipped with a warning, and the command still runs.

Examples

# Run a command with the component's secrets in the environment
atmos secret exec --stack=dev --component=app -- env

# Run a deployment script that reads secrets from the environment
atmos secret exec --stack=prod --component=api -- ./deploy.sh

# Use a specific identity to access the secret backend
atmos secret exec --stack=prod --component=api --identity=aws/prod-secrets -- ./task.sh

Arguments

<command> [args...]
The command (and its arguments) to run, specified after the -- separator. Required. The command's exit code is propagated as the exit code of atmos secret exec.

Flags

--stack (alias -s)

The Atmos stack to operate on. Required.

Environment variable: ATMOS_STACK

--component (alias -c)

The Atmos component whose declared secrets are injected. Required.

Environment variable: ATMOS_COMPONENT

--type

The component type (terraform, helmfile, packer, or ansible). Used to disambiguate when a component name exists in more than one type.

--identity (alias -i)

The identity to use when accessing the secret backend.

Environment variable: ATMOS_IDENTITY

Secrets are not masked in the child process

Secret values are written into the child process's environment in cleartext and are not masked in the command's output. Only use secret exec with commands you trust.
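
Because uninitialized secrets are skipped while the command still runs, and values reach the child in cleartext, a script run under atmos secret exec can check for the variables it needs by name without ever printing them. The following preflight is an added example, not part of Atmos or its documentation; DB_PASSWORD and API_TOKEN are hypothetical secret declaration names.

```shell
#!/bin/sh
# Added example, not part of Atmos. Preflight for a script that is run as
# the child command of `atmos secret exec`.
# DB_PASSWORD and API_TOKEN below are hypothetical secret declaration names.

# missing_secrets NAME...
# Prints the names (never the values) of variables that are unset or empty.
# Returns 2 if a name is not a valid shell identifier.
missing_secrets() {
    _missing=""
    for _name in "$@"; do
        case "$_name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "invalid variable name" >&2
                return 2 ;;
        esac
        # Indirect lookup; safe because _name was validated above.
        eval "_value=\${$_name-}"
        [ -n "$_value" ] || _missing="${_missing:+$_missing }$_name"
    done
    unset _value
    printf '%s' "$_missing"
}

# require_secrets NAME...
# Returns 0 only when every named secret is present. A secret that Atmos
# skipped (not yet initialized in its backend) shows up here as missing.
require_secrets() {
    # Turn off command tracing for the rest of the script so that
    # expansions of secret values are not echoed to stderr.
    set +x
    _list=$(missing_secrets "$@") || return 2
    if [ -n "$_list" ]; then
        echo "refusing to run, secrets not set: $_list" >&2
        return 1
    fi
    return 0
}

# Typical use at the top of deploy.sh (hypothetical names):
#   require_secrets DB_PASSWORD API_TOKEN || exit 1
```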

See Also