
atmos secret pull

Download the initialized declared secrets for a stack and component to a local .env or JSON file. This is intended to make secret values available to local development tooling. Values are written to the target file in cleartext, so the output is for local development only — never commit it or share it.

atmos secret pull --help

Usage

atmos secret pull [flags]

Examples

# Print secrets to stdout in env format
atmos secret pull --stack=prod --component=api

# Write secrets to a local .env file
atmos secret pull --stack=prod --component=api --output=.env

# Write secrets as JSON
atmos secret pull --stack=prod --component=api --format=json --output=secrets.json

# Pull using a specific identity for the backend
atmos secret pull --stack=prod --component=api --identity=aws/prod-secrets

Arguments

n/a
No positional arguments.

Flags

--stack (alias -s)

The Atmos stack to operate on. Required.

Environment variable: ATMOS_STACK

--component (alias -c)

The Atmos component whose declared secrets are downloaded. Required.

Environment variable: ATMOS_COMPONENT

--type

The component type (terraform, helmfile, packer, or ansible). Used to disambiguate when a component name exists in more than one type.

--identity (alias -i)

The identity to use when accessing the secret backend.

Environment variable: ATMOS_IDENTITY

--output (alias -o)

The output file to write secrets to. Defaults to standard output.

--format

The output format: env or json. Defaults to env.

Local development only

pull writes secret values in cleartext to the target file. Use it only for local development, and never commit the resulting file to version control.
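
One way to enforce this on a developer machine is to wrap the command so it refuses to write into a git work tree unless the target file is ignored, and so the file is created readable only by its owner. This is an added example, not part of Atmos or its documentation; safe_secret_pull and is_safe_target are hypothetical helper names, and only the --stack, --component and --output flags documented above are used.

```shell
#!/bin/sh
# Added example: guarded wrapper around `atmos secret pull`.
# safe_secret_pull / is_safe_target are hypothetical helpers, not Atmos commands.

# Succeeds when $1 may hold cleartext secrets: either it is outside any git
# work tree (or git is not installed), or git reports the path as ignored.
# A file that is already tracked is not reported as ignored, so it is refused.
is_safe_target() {
    dir=$(dirname -- "$1")
    # Not inside a git work tree: nothing can be committed from here.
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
    # Inside a work tree: require an ignore rule that matches the file.
    git -C "$dir" check-ignore -q -- "$(basename -- "$1")"
}

# usage: safe_secret_pull STACK COMPONENT OUTFILE
safe_secret_pull() {
    stack=$1 component=$2 out=$3
    if [ -z "$stack" ] || [ -z "$component" ] || [ -z "$out" ]; then
        echo "usage: safe_secret_pull STACK COMPONENT OUTFILE" >&2
        return 2
    fi
    if ! is_safe_target "$out"; then
        echo "refusing: $out is inside a git work tree and not ignored" >&2
        return 1
    fi
    # Subshell keeps the restrictive umask from leaking into the caller.
    (
        umask 077
        atmos secret pull --stack="$stack" --component="$component" --output="$out"
    ) || return $?
    # Tighten the mode in case the file already existed with wider permissions.
    chmod 600 -- "$out"
}
```

Source the file and call safe_secret_pull prod api .env; add .env to .gitignore first if the wrapper refuses.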
