Secrets are often loaded into applications as fields in config files. For instance, many projects contain an example.config file like this:

    host: localhost
    port: 5432
    username: "<INSERT_USERNAME_HERE>"
    password: "<INSERT_PASSWORD_HERE>"

To avoid manually editing these files to input the correct credentials for each environment, SecretHub allows you to write them as template files and inject secrets on the fly:

    host: localhost
    port: 5432
    username: "{{ company/repo/$env/db/user }}"
    password: "{{ company/repo/$env/db/password }}"

Read more about the template syntax here.

Human instructions have been turned into machine-readable code. Also, did you notice how there are no secrets in the template file? The template can be safely checked into source control and shared with team members.

To inject a template with secrets, you can use the inject command:

    secrethub inject [options]

This reads a template from stdin, gets all secrets contained in the template from SecretHub, injects them into the template and writes the result to stdout.

For example, when you run the inject command on the template above it looks something like this:

    $ cat example.config.tpl
        host: localhost
        port: 5432
        username: "{{ company/repo/${env}/db-user }}"
        password: "{{ company/repo/${env}/db-password }}"
    $ cat example.config.tpl | secrethub inject --var env=dev
        host: localhost
        port: 5432
        username: "api-server-dev-1"
        password: "Lt2DMXglD93RMRbRu6vue0"

The convention is to name template files exactly the same as their injected counterparts, with an additional .tpl file extension. So a file example.config is generated by a template called example.config.tpl.
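
A repository check built on the two points above (templates carry no secrets, and an injected file is named like its template without .tpl), as an added example that is not SecretHub code. It flags injected files that are tracked next to their template and credential fields in a template that hold a literal instead of a {{ }} tag; the regexes are a simplified assumption about the tag syntax shown on this page, and the sample repository is constructed.

```python
import re

# Simplified patterns (assumption): a {{ path }} tag and $var / ${var} inside it.
TAG = re.compile(r"\{\{\s*(.+?)\s*\}\}")
VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")
CRED_KEY = re.compile(r"^\s*([\w.-]*(?:password|secret|token|key)[\w.-]*)\s*:\s*(.+)$", re.I)

def secret_refs(template):
    """Secret paths a template asks for, exactly as written."""
    return TAG.findall(template)

def required_vars(template):
    """Template variables that must be supplied with --var before injecting."""
    return {a or b for ref in secret_refs(template) for a, b in VAR.findall(ref)}

def audit(tracked):
    """tracked maps repo path -> file text, e.g. built from `git ls-files`."""
    findings = []
    for path, text in sorted(tracked.items()):
        if not path.endswith(".tpl"):
            continue
        rendered = path[: -len(".tpl")]          # example.config.tpl -> example.config
        if rendered in tracked:                  # injected output must never be committed
            findings.append((rendered, "injected file is tracked"))
        for n, line in enumerate(text.splitlines(), 1):
            m = CRED_KEY.match(line)
            if m and not TAG.search(m.group(2)):  # credential field without a tag
                findings.append((f"{path}:{n}", f"literal value for {m.group(1)}"))
    return findings

# Constructed sample repository (values are placeholders, not real secrets).
SAMPLE = {
    "example.config.tpl": 'host: localhost\n'
                          'username: "{{ company/repo/${env}/db-user }}"\n'
                          'password: "{{ company/repo/${env}/db-password }}"\n',
    "legacy.config.tpl": 'host: localhost\npassword: "constructed-not-a-real-secret"\n',
    "legacy.config": 'host: localhost\npassword: "constructed-not-a-real-secret"\n',
}

if __name__ == "__main__":
    for where, what in audit(SAMPLE):
        print(where, "-", what)
```

Run in CI or a pre-commit hook, a non-empty result from `audit` should fail the build; pairing it with an ignore rule for the injected file names keeps rendered credentials out of history.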

Depending on your use case, you may want to direct the output of the inject command. You can redirect the output to either a file with the --file flag or the clipboard with the --clip flag.

Note that currently only UTF-8 encoded text is supported as input.


-c, --clip (string)
Write the service account configuration to the clipboard instead of stdout. The clipboard is automatically cleared after 45 seconds.
-i, --in-file (string)
The filename of a template file to inject.
-o, --out-file (string)
Write the service account configuration to a file instead of stdout.
Set filemode for the output file if it does not yet exist. Defaults to 0600 (read and write for current user) and is ignored without the --out-file flag.
The template syntax version to be used. The options are v1, v2, latest or auto to automatically detect the version. Defaults to auto.
-v, --var (string)
Define the value for a template variable with VAR=VALUE, e.g. --var env=prd. You can use multiple flags to set multiple variables.