ContextQMD
Back to Infisical

infisical export

docs/cli/commands/export.mdx

0.161.97.5 KB
Original Source
bash
infisical export [options]

Description

Export environment variables from the platform into a file format. By default, output is sent to stdout (standard output), but you can use the --output-file flag to save directly to a file.

Subcommands & flags

<Accordion title="infisical export" defaultOpen="true"> Use this command to export environment variables from the platform into a raw file formats
bash
$ infisical export

# Export variables to a .env file
infisical export > .env
infisical export --output-file=./.env

# Export variables to a .env file (with export keyword)
infisical export --format=dotenv-export > .env
infisical export --format=dotenv-export --output-file=./.env

# Export variables for shell eval/source (POSIX shell-quoted, safe for eval)
eval "$(infisical export --format=dotenv-eval)"
infisical export --format=dotenv-eval --output-file=./.env

# Export variables to a JSON file
infisical export --format=json > secrets.json
infisical export --format=json --output-file=./secrets.json

# Export variables to a YAML file
infisical export --format=yaml > secrets.yaml
infisical export --format=yaml --output-file=./secrets.yaml

# Render secrets using a custom template file
infisical export --template=<path to template>

Environment variables

<Accordion title="INFISICAL_TOKEN"> Used to fetch secrets via a [machine identities](/documentation/platform/identities/machine-identities) apposed to logged in credentials. Simply, export this variable in the terminal before running this command. 
```bash
# Example
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
```
<Info> Alternatively, you may use service tokens. 
```bash
# Example
export INFISICAL_TOKEN=<service-token>
```
</Info> </Accordion> <Accordion title="INFISICAL_DISABLE_UPDATE_CHECK"> Used to disable the check for new CLI versions. This can improve the time it takes to run this command. Recommended for production environments. 
To use, simply export this variable in the terminal before running this command.

```bash
# Example
export INFISICAL_DISABLE_UPDATE_CHECK=true
```
</Accordion>

flags

<Accordion title="--output-file"> The path to write the output file to. Can be a full file path, directory, or filename. 
```bash
# Export to specific file
infisical export --format=json --output-file=./secrets.json

# Export to directory (uses default filename based on format)
infisical export --format=yaml --output-file=./
```

**When `--output-file` is specified:**
- Secrets are saved directly to the specified file
- A success message is displayed showing the file path
- For directories: adds default filename `secrets.{format}` (e.g., `secrets.json`, `secrets.yaml`)
- For dotenv formats in directories: uses `.env` as the filename

**When `--output-file` is NOT specified (default behavior):**
- Output is sent to stdout (standard output)
- You can use shell redirection like `infisical export > secrets.json`
- Maintains backwards compatibility with existing scripts

<Warning>
  If you're using shell redirection and your token expires, re-authentication will fail because the prompt can't display properly due to the redirection.
</Warning>
</Accordion> <Accordion title="--template"> The `--template` flag specifies the path to the Go template file used for rendering secrets. When using templates, you can omit the other format flags. 
	```text my-template-file
{{$secrets := secret "<infisical-project-id>" "<environment-slug>" "<folder-path>"}}
{{$length := len $secrets}}
{{- "{"}}
{{- with $secrets }}
  {{- range $index, $secret := . }}
    "{{ $secret.Key }}": "{{ $secret.Value }}"{{if lt $index (minus $length 1)}},{{end}}
  {{- end }}
{{- end }}
{{ "}" -}}
	```

```bash
# Example
infisical export --template="/path/to/template/file"
```

<Tip>
  The Infisical CLI templating engine also supports Sprig library templating functions to help you transform your secrets further.
  You can read more about the available functions [here](/integrations/platforms/kubernetes/overview#available-helper-functions).
</Tip>
</Accordion> <Accordion title="--env"> Used to set the environment that secrets are pulled from. 
```bash
# Example
infisical export --env=prod
```

Note: this flag only accepts environment slug names not the fully qualified name. To view the slug name of an environment, visit the project settings page.

default value: `dev`
</Accordion> <Accordion title="--projectId"> By default the project id is retrieved from the `.infisical.json` located at the root of your local project. This flag allows you to override this behavior by explicitly defining the project to fetch your secrets from. 
```bash
# Example

infisical export --projectId=XXXXXXXXXXXXXX
```
</Accordion> <Accordion title="--expand"> Parse shell parameter expansions in your secrets (e.g., `${DOMAIN}`) 
Default value: `true`
</Accordion> <Accordion title="--include-imports"> By default imported secrets are available, you can disable it by setting this option to false. 
Default value: `true`
</Accordion> <Accordion title="--format"> Format of the output file. Accepted values: `dotenv`, `dotenv-export`, `dotenv-eval`, `csv`, `json` and `yaml` 
Default value: `dotenv`

The `dotenv-eval` format emits each secret as an `export KEY='value'` statement with values POSIX shell-quoted (wrapped in single quotes, with embedded single quotes escaped). This makes the output safe to load directly into your current shell via `eval`/`source`, regardless of the value's contents (newlines, single quotes, `$`, `"`, `\`, and other shell metacharacters are preserved verbatim).

```bash
# Load secrets into the current shell session
eval "$(infisical export --format=dotenv-eval)"
```

```bash
# Example output
export DATABASE_URL='postgres://user:pass@localhost:5432/db'
export API_KEY='it'\''s a secret'
```

<Warning>
  The POSIX single-quoting only escapes secret **values**. Secret **names** (keys) are emitted as-is and are not escaped, so `eval`/`source` is only safe when every secret name is a valid shell identifier (letters, digits, and underscores, not starting with a digit). Avoid running `eval`/`source` on this format if your secret names may contain shell metacharacters.
</Warning>
</Accordion> <Accordion title="--secret-overriding"> Prioritizes personal secrets with the same name over shared secrets 
Default value: `true`
</Accordion> <Accordion title="--path"> The `--path` flag indicates which project folder secrets will be injected from. 
```bash
# Example
infisical export --path="/path/to/folder" --env=dev
```
</Accordion> <Accordion title="--tags"> When working with tags, you can use this flag to filter and retrieve only secrets that are associated with a specific tag(s). 
```bash
# Example
infisical export --tags=tag1,tag2,tag3 --env=dev
```

Note: you must reference the tag by its slug name not its fully qualified name. Go to project settings to view all tag slugs.

By default, all secrets are fetched
</Accordion> </Accordion>