Manage secrets from the CLI

List, set, remove, and round-trip your environment's secrets with the strackt CLI.

The strackt env:secrets commands let you manage your environment's secrets from the terminal — handy for scripting, CI, or just keeping your hands on the keyboard. They work on the same secrets you'd set in the dashboard, and changes take effect on the next deploy.

Every command needs an environment. Unlike most CLI commands, the secrets commands won't quietly assume production — you always pass --env (or --app), because writing a secret to the wrong environment is the kind of mistake worth a few extra keystrokes to avoid.

See what's set

strackt env:secrets:list --env stg

Values are masked by default. To see them in plain text:

strackt env:secrets:list --env stg --reveal

Revealing values needs a token with reveal access. If yours doesn't have it, you'll get a clear error instead of masked output.

Set or update a secret

strackt env:secrets:set --key DATABASE_URL --value "postgres://…" --env stg

To keep a secret out of your shell history, pipe it in instead of passing --value:

cat secret.txt | strackt env:secrets:set --key API_TOKEN --stdin --env stg

Keys must be uppercase letters, numbers, and underscores (e.g. STRIPE_SECRET_KEY). The CLI checks this before sending, so you get fast feedback on a typo.

Remove a secret

strackt env:secrets:unset --key DEPRECATED_FLAG --env stg

Round-trip a whole .env file

Pull every secret for an environment into a local .env:

strackt env:secrets:pull --env stg                  # writes .env in the current folder
strackt env:secrets:pull --env stg --output ./secrets.env
strackt env:secrets:pull --env stg --output -       # print to the screen instead

pull always writes real values (a masked file would be useless), so it needs reveal access. On Mac and Linux the file is written with owner-only permissions. Keys come out sorted, so pulling the same set twice gives you an identical file.

Push a file back up:

strackt env:secrets:push --file ./secrets.env --env stg

Add --prune to also remove any of your secrets that aren't in the file — so the environment ends up matching your file exactly:

strackt env:secrets:push --file ./secrets.env --prune --env stg

A push is all-or-nothing: if any line is invalid, nothing is written and your existing secrets are left untouched. There are no partial updates.

A couple of things to know

  • No variable expansion. A value like $OTHER is stored as the literal text $OTHER, not the value of another variable. Your secrets are stored exactly as written.
  • Comments aren't kept. Comments in a file you push aren't stored, so a later pull won't bring them back.
  • --prune only touches the secrets you set. Connection details that strackt manages for you are never removed by a push.

When you pipe a pulled file to the screen with --output -, the values are visible — keep that in mind in CI logs, and redact before storing anything.
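
One way to act on that last point in CI, as an added example that is not part of the strackt CLI or its docs: redact_env masks every value in pulled output before it reaches a log, and missing_keys lists the key names a pulled file has that a local file lacks, without printing any value. It assumes pulled output is .env text with one KEY=VALUE per line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the strackt CLI.
# Assumption: pulled output is .env text, one KEY=VALUE per line.

# Constructed sample standing in for `strackt env:secrets:pull --env stg --output -`.
sample_pull() {
    cat <<'EOF'
API_TOKEN=constructed-token-value
DATABASE_URL=postgres://app:constructed-pw@db.example/app?sslmode=require
MULTILINE_NOTE="constructed first line
constructed second line of the same value"
EOF
}

# redact_env: read .env text on stdin, write a log-safe copy on stdout.
redact_env() {
    awk '
        /^[ \t]*$/ { print; next }                 # blank lines carry no secret
        match($0, /^[A-Z0-9_]+=/) {                # key rule stated on the page
            print substr($0, 1, RLENGTH) "<redacted>"
            next
        }
        { print "<redacted: unrecognised line>" }  # fail closed: could be part of a value
    '
}

# missing_keys PULLED LOCAL: key names in PULLED that LOCAL lacks; values never printed.
missing_keys() {
    awk '
        match($0, /^[A-Z0-9_]+=/) {
            key = substr($0, 1, RLENGTH - 1)
            if (FILENAME == ARGV[1]) have[key] = 1   # first argument is LOCAL
            else if (!(key in have)) print key
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# In CI this would read: strackt env:secrets:pull --env stg --output - | redact_env
sample_pull | redact_env
```

A continuation line of a multi-line value that itself begins with uppercase characters followed by = would have that prefix printed as if it were a key, so treat the output as log-safe for single-line values only.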
