Command: run

To inject secrets into environment variables, you can use the run command:

secrethub run [options] -- <command>

The run command runs a program and passes it the environment variables defined with the --envar or --template flags and in secrets.yml files. Everything after the double dash (--) is passed on to the command you want to run.

An example of a simple command that prints environment variables looks like this:

$ DB_HOST="localhost:5432" secrethub run \
    -e DB_USER=john/repo/db_user \
    -e DB_PASSWORD=john/repo/db_password \
    -- printenv | grep DB

The following statement uses the --template flag and achieves the same result as the statement above:

$ cat env.yml
DB_USER: "${ john/repo/db_user }"
DB_PASSWORD: "${ john/repo/db_password }"
DB_HOST: "localhost:5432"
$ secrethub run --template env.yml -- printenv | grep DB

Additionally, if you load a secrets.yml file with the set command before executing the run command, the variables defined in that file are passed to the command as well.

Environment variables are passed to the executed command in the following order of precedence, highest first:

  1. Variables configured with the --envar flag.
  2. Variables configured in a template and loaded with the --template flag.
  3. Variables configured in a secrets.yml file and loaded with the set command.
  4. Variables defined in the environment passed to the run command by the OS.
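
The following Python model is an added example, not SecretHub's own code. It applies the precedence order above and records which source supplied each variable, which helps when checking whether a value in the OS environment or a template is being shadowed. The secret store contents, the function names and the treatment of secrets.yml as an already-resolved name-to-value mapping are assumptions made for illustration.

```python
import re

# Constructed stand-in for the secret store; paths mirror the page's examples.
SECRETS = {
    "john/repo/db_user": "app_user",
    "john/repo/db_password": "constructed-password",
}

# Matches the ${ path } placeholder syntax shown in the env.yml template.
PLACEHOLDER = re.compile(r"\$\{\s*([^}\s]+)\s*\}")


def inject(value, secrets):
    """Replace each ${ path } placeholder with the secret stored at that path."""
    def lookup(match):
        path = match.group(1)
        if path not in secrets:
            raise KeyError(f"no secret at path {path!r}")
        return secrets[path]
    return PLACEHOLDER.sub(lookup, value)


def resolve_env(os_env, secrets_yml, template, envar_flags, secrets):
    """Return {NAME: (value, source)} following the documented precedence."""
    layers = [  # lowest precedence first, so later layers overwrite earlier ones
        ("os", os_env),
        ("secrets.yml", secrets_yml),  # assumed to be resolved already
        ("--template", {k: inject(v, secrets) for k, v in template.items()}),
        ("--envar", {k: secrets[p] for k, p in envar_flags.items()}),
    ]
    resolved = {}
    for source, variables in layers:
        for name, value in variables.items():
            resolved[name] = (value, source)
    return resolved


if __name__ == "__main__":
    result = resolve_env(
        os_env={"DB_HOST": "localhost:5432", "DB_USER": "shell_user"},
        secrets_yml={},
        template={"DB_HOST": "db.internal:5432",
                  "DB_PASSWORD": "${ john/repo/db_password }"},
        envar_flags={"DB_USER": "john/repo/db_user"},
        secrets=SECRETS,
    )
    for name, (value, source) in sorted(result.items()):
        shown = "<redacted>" if "PASSWORD" in name else value
        print(f"{name}={shown}  (from {source})")
```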


<command> (string)
The command you want to run. This can be any command you would normally type into the command-line.


-e, --envar (string)
Source an environment variable from a secret at a given path with NAME=<path>. You can use multiple flags to set multiple variables.
--template (string)
The path to a .yml template file with environment variable mappings of the form NAME: value. Templates are automatically injected with secrets when passed to the run command. This allows you to define both hardcoded values and source values from SecretHub.
--env (string)
The name of the environment prepared by the set command (default is default).