Automatically load secrets from your preferred vault as environment variables or files, and clear them once your shell command is over.
zifeo/lade
Lade (/leɪd/) is a tool allowing you to automatically load secrets from your preferred vault into environment variables or files. It limits the exposure of secrets to the time the command requiring the secrets lives.

Lade is part of the Metatype ecosystem. Consider checking out how this component integrates with the whole ecosystem and browse the documentation to see more examples.
You can download the binary executable from the releases page on GitHub, make it executable and add it to your `$PATH`, or use the method below to automate those steps.

```bash
# recommended way
curl -fsSL https://raw.githubusercontent.com/zifeo/lade/main/installer.sh | bash

# or alternative ways via cargo
cargo install lade --locked
cargo install --git https://github.com/zifeo/lade --locked

# upgrade
lade upgrade

# install shell hooks (only required once)
lade install
```
Compatible shells: Fish, Bash, Zsh

Compatible vaults: Infisical, 1Password CLI, Doppler, Vault
Lade will run before and after any command you run in your shell thanks to command hooks installed by `lade install`. On each run, it will recursively look for `lade.yml` files in the current directory and its parents. It will then aggregate any secrets matching the command you are running using a regex and load them into environment variables or files for the time of the run.

```bash
cd examples/terraform
terraform apply
# example = "hello world"
```
See `lade.yml` or the examples folders for other use cases.
In case you prefer to decide when to load secrets, you can manually decide when to inject them using the `inject` command. Note that when running scripts or a non-interactive shell session, there is no guarantee that the shell hooks will be triggered. In that case, the `inject` command is the only way to load secrets.

```bash
cd examples/terraform
lade inject terraform apply
```
By default, Lade will load secrets into environment variables. You can change this by setting the `.` key to the desired file name. The content will be created based on the extension. Currently, only YAML and JSON are supported.

```yaml
command regex:
  .: file.yml
  ...
```
Most of the vault loaders use their native CLI to operate. This means you must have them installed locally and your login/credentials must be valid. Lade may evolve by integrating directly with the corresponding API, but this is left as future work.

```yaml
command regex:
  EXPORTED_ENV_VAR: infisical://DOMAIN/PROJECT_ID/ENV_NAME/SECRET_NAME
```
Frequent domain(s): `app.infisical.com`.

Note: the `/api` is automatically added to the DOMAIN. This source currently only supports a single domain (you cannot be logged into multiple ones).
```yaml
command regex:
  EXPORTED_ENV_VAR: op://DOMAIN/VAULT_NAME/SECRET_NAME/FIELD_NAME
```

Frequent domain(s): `my.1password.eu`, `my.1password.com` or `my.1password.ca`.
```yaml
command regex:
  EXPORTED_ENV_VAR: doppler://DOMAIN/PROJECT_NAME/ENV_NAME/SECRET_NAME
```

Frequent domain(s): `api.doppler.com`.
```yaml
command regex:
  EXPORTED_ENV_VAR: vault://DOMAIN/MOUNT/KEY/FIELD
```

```yaml
command regex:
  EXPORTED_ENV_VAR: passbolt://DOMAIN/RESOURCE_ID/FIELD
```
Supports INI, JSON, YAML and TOML files.
```yaml
command regex:
  EXPORTED_ENV_VAR: file://PATH?query=.fields[0].field
```

`PATH` can be relative to the lade directory, start with `~`/`$HOME` or absolute (not recommended when sharing the project with others as they likely have different paths).
```yaml
command regex:
  EXPORTED_ENV_VAR: "value"
```

Escaping a value with the `!` prefix enforces the use of the raw loader and double `!!` escapes itself.
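The value formats listed above, as an added example in Rust (not Lade's own code): `classify` sorts a `lade.yml` value into vault reference, file reference or literal, and `raw_entries` lists the keys whose value is a literal kept in the file itself rather than resolved from a vault. The type and function names are hypothetical, and the handling of `!` and of unrecognised schemes is an assumption based on the descriptions above.

```rust
#[derive(Debug, PartialEq)]
enum Source {
    Vault { scheme: String, domain: String, parts: Vec<String> },
    File { path: String, query: Option<String> },
    Raw(String),
}

fn classify(value: &str) -> Result<Source, String> {
    // Assumption: a leading `!` forces the raw loader, so `!!x` yields the literal `!x`.
    if let Some(rest) = value.strip_prefix('!') {
        return Ok(Source::Raw(rest.to_string()));
    }
    let Some((scheme, rest)) = value.split_once("://") else {
        return Ok(Source::Raw(value.to_string()));
    };
    // Segments expected after DOMAIN, taken from the URI templates on this page.
    let n = match scheme {
        "infisical" | "op" | "doppler" | "vault" => 3,
        "passbolt" => 2,
        "file" => {
            let (path, query) = match rest.split_once("?query=") {
                Some((p, q)) => (p.to_string(), Some(q.to_string())),
                None => (rest.to_string(), None),
            };
            return Ok(Source::File { path, query });
        }
        // Assumption: an unrecognised scheme is treated as a literal value.
        _ => return Ok(Source::Raw(value.to_string())),
    };
    let mut segs = rest.split('/').map(str::to_string);
    let domain = segs.next().unwrap_or_default();
    let parts: Vec<String> = segs.collect();
    if domain.is_empty() || parts.len() != n || parts.iter().any(|p| p.is_empty()) {
        return Err(format!("{scheme}:// needs DOMAIN and {n} more segments: {value}"));
    }
    Ok(Source::Vault { scheme: scheme.to_string(), domain, parts })
}

// Keys whose value is a literal kept in lade.yml itself rather than a vault reference.
fn raw_entries<'a>(entries: &[(&'a str, &'a str)]) -> Vec<&'a str> {
    entries.iter()
        .filter(|(_, v)| matches!(classify(v), Ok(Source::Raw(_))))
        .map(|(k, _)| *k).collect()
}
fn main() {
    // Constructed sample entries, as they could appear under one command regex.
    let entries = [("DB", "op://my.1password.eu/VAULT_NAME/SECRET_NAME/FIELD_NAME"),
                   ("TOKEN", "!op://kept-as-literal"), ("MODE", "debug")];
    println!("literal values: {:?}", raw_entries(&entries));
}
```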
```bash
eval "$(lade off)"
eval "$(cargo run -- on)"
echo a $A1 $A2 $B1 $B2 $B3 $C1 $C2 $C3
cargo run -- -vvv set echo a
cargo run -- inject echo a
eval "$(cargo run -- off)"
eval "$(lade on)"
```