
atmos secret init

Walk the declared secrets for a stack and interactively initialize or rotate them. With --stack alone, the whole stack is provisioned: each stack-scoped secret once, plus every instance's instance-scoped secrets. With --component, only that instance is provisioned. Missing secrets are prompted for with masked input; already-initialized secrets prompt to update (rotate) or skip — making init an easy way to rotate secrets manually. --force rotates them all without asking.

atmos secret init --help

Usage

atmos secret init [flags]

--stack is required (prompted on a TTY when omitted); --component is optional — omit it to provision the entire stack. See Secret scopes.

Examples

# Provision the whole stack (stack-scoped secrets + every instance's instance-scoped secrets)
atmos secret init --stack=prod

# Provision just one instance, prompting for each missing secret
atmos secret init --stack=prod --component=api

# Re-prompt for and overwrite secrets that are already initialized
atmos secret init --stack=prod --component=api --force

# Preview what would be initialized without prompting or writing
atmos secret init --stack=prod --component=api --dry-run

# Disambiguate a component that exists in multiple types
atmos secret init --stack=prod --component=api --type=terraform

# Provision using a specific identity for the backend
atmos secret init --stack=prod --component=api --identity=aws/prod-secrets
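The walk described above (missing secrets initialized, existing ones prompted to rotate or skip, --force rotating all without asking, --dry-run prompting for and writing nothing), modelled in plain Python as an added example that is not Atmos code. The declarations, the dict standing in for the secret backend, and the prompt callables are constructed stand-ins; whether a --component run also re-walks stack-scoped secrets is not stated on this page and is assumed not to.

```python
"""Decision logic of `atmos secret init` as described on this page, modelled in
plain Python. Constructed example, not Atmos code: a dict stands in for the
secret backend and callables stand in for the masked TTY prompts."""
from dataclasses import dataclass, field
from getpass import getpass

# Constructed declarations for one stack: stack-scoped secrets plus each
# instance's instance-scoped secrets (all names are made up).
DECLARED = {
    "stack": ["db/root-password"],
    "instances": {"api": ["api/jwt-signing-key"], "worker": ["worker/queue-token"]},
}

@dataclass
class Plan:
    initialized: list = field(default_factory=list)  # was missing, now written
    rotated: list = field(default_factory=list)      # existed, overwritten
    skipped: list = field(default_factory=list)      # existed, left untouched
    pending: list = field(default_factory=list)      # dry-run only: would prompt

def select_secrets(declared, component=None):
    """--stack alone walks stack-scoped secrets once plus every instance's
    secrets; --component narrows the walk to that one instance (assumption:
    stack-scoped secrets are then left out)."""
    if component is not None:
        return list(declared["instances"][component])
    return declared["stack"] + [s for inst in declared["instances"].values() for s in inst]

def provision(declared, backend, component=None, force=False, dry_run=False,
              ask_value=lambda n: getpass(f"value for {n}: "),
              ask_rotate=lambda n: input(f"{n} exists; rotate? [y/N] ").lower() == "y"):
    """Walk the selected secrets and initialize, rotate or skip each one.
    Secret values flow only from the masked prompt into the backend; they are
    never copied into the returned Plan, so the plan is safe to print or log."""
    plan = Plan()
    for name in select_secrets(declared, component):
        exists = name in backend
        if dry_run:  # report only: no prompts, no writes
            target = plan.initialized if not exists else (plan.rotated if force else plan.pending)
            target.append(name)
        elif not exists:
            backend[name] = ask_value(name)
            plan.initialized.append(name)
        elif force or ask_rotate(name):  # --force never asks
            backend[name] = ask_value(name)
            plan.rotated.append(name)
        else:
            plan.skipped.append(name)
    return plan
```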

Arguments

No positional arguments.

Flags

--stack (alias -s)

The Atmos stack to operate on. Required.

Environment variable: ATMOS_STACK

--component (alias -c)

The Atmos component whose declared secrets are provisioned. Optional; omit it to provision the entire stack.

Environment variable: ATMOS_COMPONENT

--type

The component type (terraform, helmfile, packer, or ansible). Used to disambiguate when a component name exists in more than one type.

--identity (alias -i)

The identity to use when accessing the secret backend.

Environment variable: ATMOS_IDENTITY

--force (alias -f)

Re-prompt for and overwrite all secrets that are already initialized, without asking. Without this flag, each already-initialized secret prompts to update (rotate) or skip.

--dry-run

Show which secrets would be initialized without prompting for values or writing anything to the backend.

See Also