atmos secret push

Upload secret values from a local .env or JSON file to the configured backend. Every key in the file must be declared for the stack and component — push fails on the first undeclared key and writes nothing. Use import instead if you want undeclared keys to be warned about and skipped rather than treated as a hard error.

atmos secret push --help

Usage

atmos secret push [flags]

Examples

# Push values from the default .env file
atmos secret push --stack=prod --component=api

# Push values from a specific file
atmos secret push --stack=prod --component=api --input=secrets.env

# Push values from a JSON file
atmos secret push --stack=prod --component=api --format=json --input=secrets.json

# Push values piped in from standard input
cat secrets.env | atmos secret push --stack=prod --component=api --input=-

Arguments

n/a

No positional arguments.

Flags

--stack (alias -s)

The Atmos stack to operate on. Required.

Environment variable: ATMOS_STACK

--component (alias -c)

The Atmos component whose declared secrets receive the values. Required.

Environment variable: ATMOS_COMPONENT

--type

The component type (terraform, helmfile, packer, or ansible). Used to disambiguate when a component name exists in more than one type.

--identity (alias -i)

The identity to use when accessing the secret backend.

Environment variable: ATMOS_IDENTITY

--input

The input file to read secret values from. Defaults to .env. Use - to read from standard input.

--format

The input format: env or json. Defaults to env.

Strict by design

Unlike import, push requires every key in the input file to be declared. It fails on the first undeclared key so that nothing unexpected is written to the backend.

See Also

• atmos secret — Overview of the secret command group
• !secret YAML function — Resolve declared secrets at runtime