Secret Injection

The pwm use command runs programs with vault secrets injected as environment variables.

Why Use This?

  • No .env files on disk
  • No secrets in shell history
  • Ephemeral - secrets exist only during execution
  • Tag filtering - inject only what you need

Basic Usage

pwm use <vault> <command...>
 
# Example: run npm start with secrets
pwm use default npm start
 
# Example: run with production secrets
pwm use production tsx src/index.ts

How It Works

  1. Vault is unlocked (Touch ID or password)
  2. Login entries with passwords become env vars
  3. Entry names are converted to env var format
  4. Child process runs with secrets in environment
  5. Secrets are cleared when process exits

Name Conversion

Entry names are converted to valid environment variable names:

Entry Name           Environment Variable
Database Password    DATABASE_PASSWORD
api-key              API_KEY
AWS S3 Bucket        AWS_S3_BUCKET
GitHub Token         GITHUB_TOKEN

Examples

Run Development Server

# Inject all secrets from default vault
pwm use default npm run dev

Deploy to Production

# Use production vault
pwm use production npm run deploy

Filter by Tag

# Only inject AWS-related secrets
pwm use dev --tag aws npm run deploy
 
# Multiple tags
pwm use dev --tag aws --tag deploy ./deploy.sh

Filter by Key

# Only inject specific entries
pwm use default --keys db,redis npm start

Preview Mode

# Show what would be injected without running
pwm use default --dry-run echo "test"
 
# Output:
# Injecting 5 secrets:
#   DATABASE_PASSWORD=••••••••
#   API_KEY=••••••••
#   AWS_ACCESS_KEY=••••••••
#   AWS_SECRET_KEY=••••••••
#   REDIS_URL=••••••••
#
# Would run: echo "test"

Show Injected Variables

# Show variable names (values hidden)
pwm use default --show-env npm start
 
# Output:
# Injecting 5 secrets:
#   DATABASE_PASSWORD=••••••••
#   API_KEY=••••••••
#   AWS_ACCESS_KEY=••••••••
# Running: npm start

Add Prefix

# Prefix all variable names
pwm use default --prefix SECRET_ npm start
 
# Result: SECRET_DATABASE_PASSWORD, SECRET_API_KEY, etc.

No Uppercase

# Keep original case
pwm use default --no-uppercase npm start
 
# Result: database_password instead of DATABASE_PASSWORD

CI/CD Integration

GitHub Actions

- name: Deploy with secrets
  run: |
    pwm auth login ${{ secrets.PWM_EMAIL }}
    pwm use production npm run deploy

Shell Scripts

#!/bin/bash
# deploy.sh
 
# Run with production secrets
pwm use production ./scripts/deploy-internal.sh

Docker

# Inject secrets into container: `-e NAME` with no value forwards that
# variable from the environment pwm injected into the docker client
pwm use production docker run -e DATABASE_PASSWORD myapp

Security Notes

  1. Secrets are ephemeral - Only exist in child process memory
  2. Not in shell history - Command args don't contain secrets
  3. Process isolation - Other processes can't access the env; note that any process the command itself spawns inherits it
  4. Clipboard safe - Nothing copied to clipboard

Command Reference

pwm use <vault> <command...>
 
Options:
  -k, --keys <keys>    Only inject specific entries (comma-separated)
  -t, --tag <tag>      Only inject entries with this tag
  --prefix <prefix>    Add prefix to env var names
  --no-uppercase       Don't convert names to uppercase
  --show-env           Show injected variables
  --dry-run            Preview without running
  -h, --help           Show help
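As an added example (not pwm's own code), here is a TypeScript model of the pipeline the options above describe: the name conversion from the table, --tag and --keys filtering, --prefix and --no-uppercase, the login-entries-only rule, and spawning the command with the secrets in its environment rather than on its command line. The Entry shape, the tag and keys matching rules, the leading-digit rule, the collision check and the sample vault are assumptions for this example, not pwm's documented behaviour.

```typescript
import { spawn } from "node:child_process";

// Assumed shape of a vault entry (a model for this example, not pwm's real data model).
interface Entry { type: "login" | "note" | "card" | "identity"; name: string; password?: string; tags?: string[] }
interface UseOptions { keys?: string[]; tags?: string[]; prefix?: string; uppercase?: boolean }

// Entry name -> env var name, following the docs table:
// "Database Password" -> DATABASE_PASSWORD, "api-key" -> API_KEY, "AWS S3 Bucket" -> AWS_S3_BUCKET.
function toEnvName(name: string, opts: UseOptions = {}): string {
  let v = name.trim().replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "");
  if (opts.uppercase !== false) v = v.toUpperCase(); // --no-uppercase keeps the original case
  if (/^[0-9]/.test(v)) v = "_" + v; // assumption: a variable name may not start with a digit
  return (opts.prefix ?? "") + v; // --prefix is applied after conversion
}

// Build the environment `pwm use` would inject: only login entries with a password qualify.
function buildEnv(entries: Entry[], opts: UseOptions = {}): Record<string, string> {
  const env: Record<string, string> = {};
  for (const e of entries) {
    if (e.type !== "login" || !e.password) continue; // notes, cards, identities are skipped
    // --tag (assumption): the entry must carry at least one of the requested tags
    if (opts.tags?.length && !opts.tags.some((t) => e.tags?.includes(t))) continue;
    // --keys (assumption): case-insensitive substring match on the entry name
    if (opts.keys?.length && !opts.keys.some((k) => e.name.toLowerCase().includes(k.toLowerCase()))) continue;
    const key = toEnvName(e.name, opts);
    // two entries mapping to one variable would silently overwrite each other: refuse instead
    if (Object.prototype.hasOwnProperty.call(env, key)) throw new Error(`duplicate variable ${key}`);
    env[key] = e.password;
  }
  return env;
}

// What --dry-run / --show-env would list: variable names only, never values.
function dryRunNames(entries: Entry[], opts: UseOptions = {}): string[] {
  return Object.keys(buildEnv(entries, opts)).sort();
}

// Spawn the command with secrets merged into its environment, never on its command line.
function runWithSecrets(cmd: string, args: string[], secrets: Record<string, string>) {
  return spawn(cmd, args, { env: { ...process.env, ...secrets }, stdio: "inherit" });
}

// Constructed sample vault for demonstration.
const SAMPLE_ENTRIES: Entry[] = [
  { type: "login", name: "Database Password", password: "pw-db", tags: ["db"] },
  { type: "login", name: "api-key", password: "pw-api", tags: ["deploy"] },
  { type: "login", name: "AWS S3 Bucket", password: "pw-s3", tags: ["aws", "deploy"] },
  { type: "login", name: "GitHub Token", password: "pw-gh", tags: ["deploy"] },
  { type: "login", name: "Redis URL", password: "redis://localhost", tags: ["db"] },
  { type: "card", name: "Corporate Visa", tags: ["finance"] }, // not a login: never injected
];

console.log("Injecting:", dryRunNames(SAMPLE_ENTRIES, { tags: ["aws"] })); // like `--tag aws --dry-run`
```

`runWithSecrets("npm", ["start"], buildEnv(SAMPLE_ENTRIES))` is the equivalent of `pwm use default npm start` for this sample vault.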

Only Login Entries

Only login entries with passwords are injected. Other entry types (notes, cards, identities) are not included.

To use card numbers or other data, export to a file:

pwm entry export --type card --format json > cards.json