Manage Secrets

The app-config component needs two secrets: a third-party API_KEY and a structured DB_CONFIG (JSON) containing database credentials. Atmos manages these with a dedicated secrets workflow that keeps them out of your stack YAML and — importantly — out of the .tfvars files written to disk.

In this tutorial the secret backends are the same emulated SSM Parameter Store and Secrets Manager running in your local sandbox, so you can practice the full secrets workflow with no cloud account.

Declare the secret stores

Secrets are stored in stores marked secret: true. The example declares two of them in atmos.yaml, both authenticating to the sandbox via the local-aws identity:

atmos.yaml

stores:
  secrets/ssm:
    kind: aws/ssm           # AWS SSM Parameter Store (SecureString)
    identity: local-aws
    secret: true
    options:
      region: us-east-1
      prefix: /atmos/quickstart/secrets
  secrets/asm:
    kind: aws/asm           # AWS Secrets Manager
    identity: local-aws
    secret: true
    options:
      region: us-east-1
      prefix: /atmos/quickstart/secrets

Declare the secrets on the component

A component declares which secrets it consumes in its secrets.vars section. Each entry names the backing store and whether it's required. The app-config catalog declares both secrets:

stacks/catalog/app-config/defaults.yaml

components:
  terraform:
    app-config:
      secrets:
        vars:
          API_KEY:
            description: "Third-party API key for the application."
            store: secrets/ssm
            required: true
          DB_CONFIG:
            description: "Structured database credentials (JSON) stored in Secrets Manager."
            store: secrets/asm
            required: true

store: Which declared store holds this secret. API_KEY lives in the emulated SSM Parameter Store (secrets/ssm); DB_CONFIG lives in the emulated Secrets Manager (secrets/asm).
required: When true, Atmos fails fast if the secret has no value before the component is provisioned, rather than passing an empty value to Terraform.
scope: Optional. When set to scope: global, a secret is shared across every stack that uses the same store and declaration, instead of being scoped to a single stack+component. The two secrets in this tutorial use the default (per-stack) scope, but scope: global is useful for credentials that are identical everywhere (for example, a shared read-only token).

Set secret values

In an interactive terminal, run atmos secret and let Atmos guide you through the required secrets for app-config:

atmos secret -s plat-ue2-dev -c app-config

You can also set each secret explicitly with atmos secret set. The simplest invocation supplies the value inline as NAME=VALUE:

atmos secret set API_KEY=sk-quickstart-example -s plat-ue2-dev -c app-config
atmos secret set 'DB_CONFIG={"username":"app","password":"s3cr3t"}' -s plat-ue2-dev -c app-config

--stack / -s: The stack the secret belongs to (e.g. plat-ue2-dev).
--component / -c: The component whose declaration the secret belongs to (e.g. app-config).

tip

atmos secret set can also read the value from standard input with --stdin, or prompt for the value interactively (masked) when you run it without supplying NAME=VALUE. See atmos secret set.

Import secrets from a file

To seed many secrets at once — for example from a local .env file — use atmos secret import. Each key is routed to the backend declared for it:

atmos secret import .env -s plat-ue2-dev -c app-config

Add --dry-run to preview what would be written without changing any backend.

List secrets

atmos secret list shows the declared secrets and whether each has a value, without decrypting or printing the values:

atmos secret list -s plat-ue2-dev -c app-config

Consume secrets in the stack

Components consume secrets with the !secret YAML function. For the structured secret, you can extract a single field with a path expression:

stacks/catalog/app-config/defaults.yaml

components:
  terraform:
    app-config:
      vars:
        api_key: !secret API_KEY
        db_password: !secret DB_CONFIG | path ".password"

Secrets never touch disk

This is the key property of the workflow: secret values are delivered to Terraform as TF_VAR_* environment variables, not written into the generated .tfvars file. So api_key arrives as TF_VAR_api_key and db_password as TF_VAR_db_password. The Terraform variables that receive them are declared sensitive = true. This means a secret never lands in a plaintext file in the component directory, even though the rest of the component's variables do.

tip

For the full command reference, see the atmos secret command group.

Next: catch mistakes before they reach Terraform → Validate Configurations →

quick-start-advanced

Manage Secrets

View full example

README.md

README.md3.8 KB

Source

Atmos Quick Start (Advanced)

Atmos is a universal tool for DevOps and cloud automation. This advanced example provisions a small AWS application stack — entirely offline — against a local AWS emulator (Floci), so you can learn the patterns end to end without a real AWS account or any credentials.

Follow the Quick Start: Advanced guide for a step-by-step walkthrough of this repository.

It's just plain Terraform

The components in components/terraform/ are vanilla Terraform — raw aws_* resources using only the official hashicorp/aws provider. There are no Cloud Posse modules and no special wrappers. Atmos is a bring-your-own-Terraform orchestrator: it never requires you to rewrite your Terraform or adopt proprietary components. Each component carries only a stock providers.tf (provider "aws" { region = var.region }) with no endpoint or credentials configuration — the local-aws identity (kind: aws/emulator) generates a providers_override.tf.json that points the provider at the emulator at runtime, so the exact same code deploys unchanged against real AWS.

Component	What it is (plain Terraform)
`kms-key`	`aws_kms_key` + alias
`s3-bucket`	`aws_s3_bucket` (+ versioning, SSE)
`dynamodb-table`	`aws_dynamodb_table`
`sns-topic`	`aws_sns_topic`
`sqs-queue`	`aws_sqs_queue` (+ policy)
`app-config`	publishes resolved config + secrets to SSM Parameter Store

The components are wired together with Atmos features — not Terraform remote_state data sources: stack templates build predictable coordinates, dependency metadata controls graph order, store hooks publish applied outputs, and !secret resolves declared secrets from the SSM/Secrets Manager stores.

Run it end to end

Everything runs against the local emulator. You need Atmos and a container runtime (Docker or Podman).

The test custom command brings up the emulator, seeds secrets, applies the full component DAG in dependency order, confirms the cross-component wiring resolves, then tears everything down:

atmos test -s plat-ue2-dev

Or run the same steps by hand:

# Start the local AWS emulator for the stack.
atmos emulator up aws -s plat-ue2-dev

# Lint every stack manifest.
atmos validate stacks

# Seed the required app-config secrets.
atmos secret set API_KEY=sk-quickstart-example -s plat-ue2-dev -c app-config
atmos secret set 'DB_CONFIG={"username":"app","password":"s3cr3t"}' -s plat-ue2-dev -c app-config

# Apply every component in dependency order (the S3 state backend is auto-provisioned
# inside the emulator via `provision.backend.enabled`).
atmos terraform deploy --all -s plat-ue2-dev

# Inspect a component and see where every value came from.
atmos describe component app-config -s plat-ue2-dev --provenance
atmos list instances --format tree --provenance --identity=false --process-functions=false --process-templates=false

# Tear down.
atmos terraform destroy --all -s plat-ue2-dev -auto-approve
atmos emulator down aws -s plat-ue2-dev

Available stacks: plat-ue2-{dev,staging,prod} (us-east-2) and plat-uw2-{dev,staging,prod} (us-west-2).

Operator commands

This example also registers operator-focused custom commands in atmos.yaml:

atmos operator status -s <stack>                  # show stack tree, instances, catalog, and next commands
atmos operator inspect <component> -s <stack>     # describe component config with provenance

For the full CLI configuration and command reference, see Atmos CLI.

Declare the secret stores​

Declare the secrets on the component​

Set secret values​

Import secrets from a file​

List secrets​

Consume secrets in the stack​

Secrets never touch disk​