ContextQMD
Back to Infisical

infisical secrets

docs/cli/commands/secrets.mdx

0.159.2510.0 KB
Original Source
infisical secrets

Description

This command enables you to perform CRUD (create, read, update, delete) operations on secrets within your Infisical project. With it, you can view, create, update, and delete secrets in your environment.

Sub-commands

<Accordion title="infisical secrets" defaultOpen="true"> Use this command to print out all of the secrets in your project
bash
$ infisical secrets

Environment variables

<Accordion title="INFISICAL_TOKEN"> Used to fetch secrets via a [machine identity](/documentation/platform/identities/machine-identities) apposed to logged in credentials. Simply, export this variable in the terminal before running this command. 
```bash
# Example
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
```

<Info>
  Alternatively, you may use service tokens.

  ```bash
  # Example
  export INFISICAL_TOKEN=<service-token>
  ```
</Info>
</Accordion> <Accordion title="INFISICAL_DISABLE_UPDATE_CHECK"> Used to disable the check for new CLI versions. This can improve the time it takes to run this command. Recommended for production environments. 
To use, simply export this variable in the terminal before running this command.

```bash
# Example
export INFISICAL_DISABLE_UPDATE_CHECK=true
```
</Accordion>

Flags

<Accordion title="--expand"> Parse shell parameter expansions in your secrets 
Default value: `true`
</Accordion> <Accordion title="--projectId"> The project ID to fetch secrets from. This is required when using a machine identity to authenticate. 
```bash
# Example
infisical secrets --projectId=<project-id>
```
</Accordion> <Accordion title="--env"> Used to select the environment name on which actions should be taken on 
Default value: `dev`
</Accordion> <Accordion title="--path"> The `--path` flag indicates which project folder secrets will be injected from. 
```bash
# Example
infisical secrets --path="/" --env=dev
```
</Accordion> <Accordion title="--plain"> The `--plain` flag will output all your secret values without formatting, one per line. 
```bash
# Example
infisical secrets --plain --silent
```
</Accordion> <Accordion title="--silent"> The `--silent` flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines. 
```bash
# Example
infisical secrets --silent
```

Can be used inline to replace `INFISICAL_DISABLE_UPDATE_CHECK`
</Accordion> </Accordion> <Accordion title="infisical secrets get"> This command allows you selectively print the requested secrets by name
bash
$ infisical secrets get <secret-name-a> <secret-name-b> ...

# Example
$ infisical secrets get DOMAIN
$ infisical secrets get DOMAIN PORT

Flags

<Accordion title="--env"> Used to select the environment name on which actions should be taken on 
Default value: `dev`
</Accordion> <Accordion title="--plain"> The `--plain` flag will output all your requested secret values without formatting, one per line. 
Default value: `false`

```bash
# Example
infisical secrets get FOO --plain
infisical secrets get FOO BAR --plain

# Fetch a single value and assign it to a variable
API_KEY=$(infisical secrets get FOO --plain --silent)
```

<Tip>
  When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK=true` or add the `--silent` flag. This will help hide any CLI info/debug output and only show the secret value.
</Tip>
</Accordion> <Accordion title="--silent"> The `--silent` flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines. 
```bash
# Example
infisical secrets get FOO --plain --silent
```

Can be used inline to replace `INFISICAL_DISABLE_UPDATE_CHECK`
</Accordion> <Accordion title="--raw-value (deprecated)"> Use `--plain` instead, as it supports single and multiple secrets. 
Used to print the plain value of a single requested secret without any table style.

Default value: `false`

Example: `infisical secrets get DOMAIN --raw-value`

<Tip>
  When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK=true` or add the `--silent` flag. This will help hide any CLI info/debug output and only show the secret value.
</Tip>
</Accordion> </Accordion> <Accordion title="infisical secrets set"> This command allows you to set or update secrets in your environment. If the secret key provided already exists, its value will be updated with the new value. If the secret key does not exist, a new secret will be created using both the key and value provided.
bash
$ infisical secrets set <key1=value1> <key2=value2> <key3=@/path/to/file>...

## Example
$ infisical secrets set STRIPE_API_KEY=sjdgwkeudyjwe DOMAIN=example.com HASH=jebhfbwe [email protected]
<Tip> When setting secret values: - Use `secretName=@path/to/file` to load the secret value from a file - Use `secretName=\@value` if you need the literal '@' character at the beginning of your value 
Example:

```bash
# Set a secret with the value loaded from a certificate file
$ secrets set CERTIFICATE=@/path/to/certificate.pem

# Set a secret with the literal value "@example.com"
$ secrets set email="\@example.com"
```
</Tip>

Flags

<Accordion title="--env"> Used to select the environment name on which actions should be taken on 
Default value: `dev`
</Accordion> <Accordion title="--path"> Used to select the project folder in which the secrets will be set. This is useful when creating new secrets under a particular path. 
```bash
# Example
infisical secrets set DOMAIN=example.com --path="common/backend"
```
</Accordion> <Accordion title="--type"> Used to select the type of secret to create. This could be either personal or shared (defaults to shared) 
```bash
# Example
infisical secrets set DOMAIN=example.com --type=personal
```
</Accordion> <Accordion title="--file"> Used to set secrets from a file, supporting both `.env` and `YAML` formats. The file path can be either absolute or relative to the current working directory. 
The file should contain secrets in the following formats:
- `key=value` for `.env` files
- `key: value` for YAML files

Comments can be written using `# comment` or `// comment`. Empty lines will be ignored during processing.


```bash
# Example
infisical secrets set --file="./.env"
```
</Accordion> </Accordion> <Accordion title="infisical secrets delete"> This command allows you to delete secrets by their name(s).
bash
$ infisical secrets delete <keyName1> <keyName2>...

## Example
$ infisical secrets delete STRIPE_API_KEY DOMAIN HASH

Flags

<Accordion title="--env"> Used to select the environment name on which actions should be taken on 
Default value: `dev`
</Accordion> <Accordion title="--path"> The `--path` flag indicates which project folder secrets will be injected from. 
```bash
# Example
infisical secrets delete <keyName1> <keyName2>... --path="/"
```
</Accordion> </Accordion> <Accordion title="infisical secrets folders"> This command allows you to fetch, create and delete folders from within a path from a given project.
bash
$ infisical secrets folders

sub commands

<Accordion title="get"> Used to fetch all folders within a path in a given project ``` infisical secrets folders get --path=/some/path/to/folder ``` #### Flags <Accordion title="--path"> The path from where folders should be fetched from 
  Default value: `/`
</Accordion>

<Accordion title="--token">
  Fetch folders using a [machine identity](/documentation/platform/identities/machine-identities) access token.

  Default value: ``
</Accordion>
</Accordion> <Accordion title="create"> Used to create a folder by name within a path. ``` infisical secrets folders create --path=/some/path/to/folder --name=folder-name ``` ### Flags <Accordion title="--path"> Path to where the folder should be created 
  Default value: `/`
</Accordion>

<Accordion title="--name">
  Name of the folder to be created in selected `--path`

  Default value: ``
</Accordion>
</Accordion> <Accordion title="delete"> Used to delete a folder by name within a path. ``` infisical secrets folders delete --path=/some/path/to/folder --name=folder-name ``` ### Flags <Accordion title="--path"> Path to where the folder should be created 
  Default value: `/`
</Accordion>

<Accordion title="--name">
  Name of the folder to be deleted within selected `--path`

  Default value: ``
</Accordion>
</Accordion> </Accordion> <Accordion title="infisical secrets generate-example-env"> This command allows you to generate an example .env file from your secrets and with their associated comments and tags. This is useful when you would like to let others who work on the project but do not use Infisical become aware of the required environment variables and their intended values.

To place default values in your example .env file, you can simply include the syntax DEFAULT:<value> within your secret's comment in Infisical. This will result in the specified value being extracted and utilized as the default.

bash
$ infisical secrets generate-example-env

## Example
$ infisical secrets generate-example-env > .example-env

Flags

<Accordion title="--env"> Used to select the environment name on which actions should be taken on 
Default value: `dev`
</Accordion> </Accordion>