Command: run

To inject secrets into environment variables, you can use the run command:

secrethub run [options] -- <command>

The run command runs a program and passes it the environment variables defined with the --envar or --template flags. Everything after the double dashes (--) is passed on to the command you want to run.

An example of a simple command that prints environment variables looks like this:

$ DB_HOST="localhost:5432" secrethub run \
    -e DB_USER=john/repo/db_user \
    -e DB_PASSWORD=john/repo/db_password \
    -- printenv | grep DB

The following statement uses the --template flag and achieves the same result as the statement above:

$ cat env.yml
DB_USER: "${ john/repo/db_user }"
DB_PASSWORD: "${ john/repo/db_password }"
DB_HOST: "localhost:5432"
$ secrethub run --template env.yml -- printenv | grep DB

Environment variables are passed to the executed command in the following order of precedence, highest first:

  1. Variables configured with the --envar flag.
  2. Variables configured in a template and loaded with the --template flag.
  3. Variables defined in the environment passed to the run command by the OS.
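The precedence order above, modelled as an added example (not SecretHub's own code). The function names, the in-memory `SECRETS` store and its values, and the sample template are constructed for illustration, and the template parser is a simplification that handles only flat `NAME: value` lines.

```python
import re

# Constructed stand-in for the secret store; paths and values are made up.
SECRETS = {
    "john/repo/db_user": "app_user",
    "john/repo/db_password": "constructed-password",
    "john/repo/db_admin_user": "admin_user",
}
# Constructed template: flat NAME: value lines only (a simplification).
TEMPLATE = '''DB_USER: "${ john/repo/db_user }"
DB_PASSWORD: "${ john/repo/db_password }"
DB_HOST: "db.internal:5432"
'''
SECRET_REF = re.compile(r"\$\{\s*([^\s}]+)\s*\}")
TEMPLATE_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")

def read_secret(path):
    """Look up a secret path; fail closed when the path is unknown."""
    if path not in SECRETS:
        raise KeyError(f"secret not found: {path}")
    return SECRETS[path]

def render_template(text):
    """Parse NAME: value lines and inject secrets for ${ path } references."""
    env = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TEMPLATE_LINE.match(line)
        if m is None:
            raise ValueError(f"not a NAME: value mapping: {line!r}")
        name, value = m.group(1), m.group(2).strip("\"'")
        env[name] = SECRET_REF.sub(lambda r: read_secret(r.group(1)), value)
    return env

def effective_env(os_env, template_text="", envar_flags=()):
    """Merge the three sources, lowest precedence first so later ones win."""
    env = dict(os_env)                           # 3. inherited from the OS
    env.update(render_template(template_text))   # 2. --template
    for flag in envar_flags:                     # 1. --envar NAME=<path>
        name, sep, path = flag.partition("=")
        if not (name and sep and path):
            raise ValueError(f"expected NAME=<path>: {flag!r}")
        env[name] = read_secret(path)
    return env

if __name__ == "__main__":
    shell = {"DB_HOST": "localhost:5432", "DB_USER": "from_shell"}
    merged = effective_env(shell, TEMPLATE, ["DB_USER=john/repo/db_admin_user"])
    print(sorted(merged))  # names only, so no secret values reach the terminal
```

In this model a variable inherited from the shell never survives a template or --envar entry of the same name, which is worth checking when a deployment script exports a value that a template also sets.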


<command> (string)
The command you want to run. This can be any command you would normally type into the command-line.


-e, --envar (string)
Source an environment variable from a secret at a given path with NAME=<path>. You can use multiple flags to set multiple variables.

--template (string)
The path to a .yml template file with environment variable mappings of the form NAME: value. Templates are automatically injected with secrets when passed to the run command. This allows you to define both hardcoded values and source values from SecretHub.