Template Syntax (v2)

The CLI allows you to inject secrets into templates with the inject and run commands. This page describes how the template syntax parser works.

To inject secret values into static configuration code, template syntax uses secret tags: {{ path/to/secret }}. Secret tags can be used freely in any file and contain a reference to a secret, instead of the actual secret value:

DB_USER      = prd-user
DB_PASSWORD  = {{ company/repo/prd/db/password:latest }}

Secret tags are replaced with their corresponding secret value:

DB_USER     = prd-user
DB_PASSWORD = f7tK9vs3We

This means you’ll never have to place plaintext secrets in configuration code again and only inject them the moment they are needed: at runtime.


To make your life even easier, template syntax also supports variable tags: $var and ${var}. Variable tags can be used freely in a template, including inside a secret tag:

DB_USER     = $env-user
DB_PASSWORD = {{ company/repo/$env/db/password:latest }}

To define variables from the command-line, you can use the --var KEY=VALUE flag. Alternatively, you can let the CLI source template variables from environment variables prefixed with SECRETHUB_VAR_<var_name>, e.g. SECRETHUB_VAR_key=value

Variable names are case insensitive, can only contain letters, numbers, and underscores and cannot start with a number.

Syntax Rules

The parsing engine currently supports the following rules:

  • A secret template can contain references to secrets in secret tags. A secret tag is enclosed in double brackets: {{ path/to/secret }}.
  • A secret template can contain references to variables in variable tags: $var. A variable tag closes when a character is enountered that is not a letter, number or underscore. A variable tag can also be enclosed between ${ and }: ${var}.
  • Secret tags and variable tags can contain leading and trailing spaces, i.e. {{ path/to/secret }} is parsed the same as {{path/to/secret}}.
  • Secret tags can also contain variable tags: {{ path/with/$var/to/secret }}
  • Variable tags cannot contain secret tags.
  • Secret tags cannot contain secret tags, i.e. they cannot be nested.
  • Variable tags cannot contain variable tags, i.e. they cannot be nested.
  • Occurences of ${ or {{ that are not the start of a secret or variable tag should be escaped with a \: \${ and \{{.

Migrating from v1 to v2 syntax

Template syntax v1 has been deprecated and will be removed in a future CLI version. We recommend migrating your templates to v2.

To migrate your v1 templates to v2, simply replace all ${ and } enclosed secret tags with {{ }}, e.g. changing ${ path/to/secret } into {{ path/to/secret }}.