Skip to main content

atmos secret set

Set the value of a declared secret in its configured backend (create or update). The value can be supplied inline as NAME=VALUE, piped in with --stdin, or entered through an interactive masked prompt when the command runs in a terminal with no value provided. With no NAME (and no --stack/--component) in a terminal, Atmos walks you through choosing the stack, component, and secret. This command is also available under the add alias.

atmos secret set --help

Usage

atmos secret set [NAME[=VALUE]] [flags]

Setting a secret is scope-aware: a value set with --component is an instance override and is only allowed if that component declares the secret (otherwise it is a hard error — declare it under the component first, or omit --component to set the shared stack value). See Secret scopes.

Examples

# Walk through stack → component → secret → value interactively (terminal only)
atmos secret set

# Set a value inline
atmos secret set DATADOG_API_KEY=abc123 --stack=prod --component=api

# Set a value interactively with a masked prompt (terminal only)
atmos secret set DATADOG_API_KEY --stack=prod --component=api

# Read a multi-line value (such as a PEM key) from standard input
cat key.pem | atmos secret set GITHUB_APP_KEY --stdin --stack=prod --component=api

# Overwrite an existing value without confirmation
atmos secret set DATADOG_API_KEY=newvalue --stack=prod --component=api --force

# Use the `add` alias
atmos secret add DATADOG_API_KEY=abc123 --stack=prod --component=api

Arguments

NAME[=VALUE]

The name of the declared secret to set, optionally with an inline value. When =VALUE is omitted, the value is read from --stdin or from an interactive masked prompt.

Flags

--stack (alias -s)

The Atmos stack to operate on. Required — prompted interactively on a TTY when omitted.

Environment variable: ATMOS_STACK

--component (alias -c)

The Atmos component that declares the secret. Required for instance-scoped secrets — prompted interactively on a TTY when omitted.

Environment variable: ATMOS_COMPONENT

--type

The component type (terraform, helmfile, packer, or ansible). Used to disambiguate when a component name exists in more than one type.

--identity (alias -i)

The identity to use when accessing the secret backend.

Environment variable: ATMOS_IDENTITY

--stdin

Read the secret value from standard input. Useful for piping multi-line values such as certificates or private keys.

--force (alias -f)

Overwrite an existing value without prompting for confirmation.

See Also