# atmos secret exec

Resolve the declared secrets for a stack and component and run a command with them set as environment variables. Each environment variable is named after the secret's declaration name, verbatim — the same naming used by [`atmos secret pull`](/cli/commands/secret/pull). Use `--` to separate Atmos flags from the command and its arguments.

## Usage

```shell
atmos secret exec [flags] -- <command> [args...]
```

The resolved secrets are layered on top of the current environment (the OS environment plus any global `env` from `atmos.yaml`). A declared secret takes precedence over an inherited variable of the same name. Secrets that are not yet initialized in their backend are skipped with a warning, and the command still runs.

## Examples

```shell
# Run a command with the component's secrets in the environment
atmos secret exec --stack=dev --component=app -- env

# Run a deployment script that reads secrets from the environment
atmos secret exec --stack=prod --component=api -- ./deploy.sh

# Use a specific identity to access the secret backend
atmos secret exec --stack=prod --component=api --identity=aws/prod-secrets -- ./task.sh
```

## Arguments

- **`<command> [args...]`**
  The command (and its arguments) to run, specified after the 
  `--`
   separator. 
  **Required.**
   The command's exit code is propagated as the exit code of 
  `atmos secret exec`
  .

## Flags

- **`--stack` (alias `-s`)**

  The Atmos stack to operate on. **Required.**

  **Environment variable:** `ATMOS_STACK`
- **`--component` (alias `-c`)**

  The Atmos component whose declared secrets are injected. **Required.**

  **Environment variable:** `ATMOS_COMPONENT`
- **`--type`**

  The component type (`terraform`, `helmfile`, `packer`, or `ansible`). Used to disambiguate when a component name exists in more than one type.
- **`--identity` (alias `-i`)**

  The identity to use when accessing the secret backend.

  **Environment variable:** `ATMOS_IDENTITY`

:::warning Secrets are not masked in the child process
Secret values are written into the child process's environment in cleartext and are **not** masked in the command's output. Only use `secret exec` with commands you trust.
:::

## See Also

- [atmos secret shell](/cli/commands/secret/shell) — Launch an interactive shell with secrets in the environment
- [atmos secret pull](/cli/commands/secret/pull) — Download declared secrets to a local file
- [atmos secret](/cli/commands/secret/usage) — Overview of the secret command group
- [`!secret` YAML function](/functions/yaml/secret) — Resolve declared secrets at runtime