atmos secret validate

Validate that every required declared secret for a stack and component is initialized in its configured backend. The command exits 0 when all required secrets are present and exits non-zero (1) when any required secret is missing, making it well suited for CI pipelines and pre-deployment gates.

atmos secret validate --help

Usage

atmos secret validate [flags]

Examples

# Validate that all required secrets are initialized
atmos secret validate --stack=prod --component=api

# Disambiguate a component that exists in multiple types
atmos secret validate --stack=prod --component=api --type=terraform

# Validate using a specific identity for the backend
atmos secret validate --stack=prod --component=api --identity=aws/prod-secrets

# Use the non-zero exit code as a CI gate
atmos secret validate --stack=prod --component=api && echo "all secrets present"

Arguments

n/a
No positional arguments.

Flags

--stack (alias -s)

The Atmos stack to operate on. Required.

Environment variable: ATMOS_STACK

--component (alias -c)

The Atmos component whose required secrets are validated. Required.

Environment variable: ATMOS_COMPONENT

--type

The component type (terraform, helmfile, packer, or ansible). Used to disambiguate when a component name exists in more than one type.

--identity (alias -i)

The identity to use when accessing the secret backend.

Environment variable: ATMOS_IDENTITY

Exit codes

validate exits 0 when every required secret is initialized and exits 1 when one or more required secrets are missing. Optional (non-required) secrets do not affect the exit code.
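
A gate that checks several stack/component pairs, as an added example (not from the Atmos documentation): it runs every check instead of stopping at the first failure, so a single CI run lists all targets with missing secrets. The `STACK:COMPONENT[:TYPE]` target format, the `validate_targets` function and the `FAILED` variable are assumptions of this example; only the `atmos secret validate` flags come from this page.

```shell
#!/bin/sh
# Added example: run `atmos secret validate` for several targets and
# fail the pipeline once, after every target has been checked.

FAILED=""   # space-separated list of targets that did not validate

# validate_targets STACK:COMPONENT[:TYPE] ...
# Returns 0 if every target validates, 1 if any check exits non-zero,
# 2 if a target string is malformed.
validate_targets() {
  FAILED=""
  for target in "$@"; do
    # Require a non-empty stack and component around the first colon.
    case "$target" in
      ?*:?*) ;;
      *) echo "malformed target (want STACK:COMPONENT[:TYPE]): $target" >&2
         return 2 ;;
    esac
    stack="${target%%:*}"
    rest="${target#*:}"
    component="${rest%%:*}"
    # Optional third field maps to --type, for components that exist
    # in more than one type.
    case "$rest" in
      *:*) type_flag="--type=${rest#*:}" ;;
      *)   type_flag="" ;;
    esac
    # ${type_flag:+...} drops the argument entirely when no type is given.
    if atmos secret validate --stack="$stack" --component="$component" \
         ${type_flag:+"$type_flag"}; then
      echo "ok:      $target"
    else
      echo "MISSING: $target" >&2
      FAILED="$FAILED $target"
    fi
  done
  [ -z "$FAILED" ]
}

# Constructed usage: sh secrets-gate.sh prod:api prod:worker:terraform
if [ "$#" -gt 0 ]; then
  validate_targets "$@"
fi
```

The backend identity is not passed explicitly here; set `ATMOS_IDENTITY` in the CI job's environment if the gate needs one.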

See Also