Skip to content

Command secrets

Automax supports env, file, command, vault, aws_secrets_manager, azure_key_vault, gcp_secret_manager and onepassword secret providers.

Use provider: command when a local helper can print a secret to stdout, for example a password-store wrapper, an internal credential helper or a local hardware-token integration.

secrets:
  deploy_token:
    provider: command
    command: ["pass", "show", "prod/automax/deploy-token"]
    timeout: 10

The command must:

  • run on the controller host;
  • exit with code 0;
  • print the secret value to stdout;
  • avoid printing sensitive diagnostics to stderr.

By default, the stdout value is stripped:

secrets:
  raw_value:
    provider: command
    command: ["./scripts/read-secret"]
    strip: false

Safe command form

Prefer list form. It does not use a shell:

command: ["pass", "show", "prod/automax/token"]

String form is split without a shell by default:

command: "pass show prod/automax/token"

Use shell: true only for trusted local commands that require shell features:

secrets:
  token:
    provider: command
    command: "pass show prod/automax/token | head -n1"
    shell: true

Do not combine shell: true with untrusted variables.

Relative working directory

cwd is resolved relative to the secrets YAML file:

secrets:
  token:
    provider: command
    command: ["./get-token.sh"]
    cwd: helpers

Masking

Resolved secrets are masked before stdout, stderr, messages, structured result data and artifacts are persisted to the run state. Command provider errors do not include captured stdout or stderr to avoid leaking secret material.

External secret managers

External secret manager providers run the vendor CLI on the Automax controller. They do not add Python SDK dependencies and do not persist resolved values. The CLI must already be installed and authenticated by the operator or runtime identity before Automax runs.

HashiCorp Vault:

secrets:
  deploy_token:
    provider: vault
    path: secret/prod/app
    field: deploy_token

AWS Secrets Manager:

secrets:
  db_password:
    provider: aws_secrets_manager
    secret_id: prod/db
    json_key: password
    region: eu-west-1

Azure Key Vault:

secrets:
  api_token:
    provider: azure_key_vault
    vault_name: prod-vault
    secret_name: automax-api-token

GCP Secret Manager:

secrets:
  api_token:
    provider: gcp_secret_manager
    project: prod-project
    secret: automax-api-token
    version: latest

1Password:

secrets:
  deploy_token:
    provider: onepassword
    reference: op://Production/Automax/deploy-token

Each provider accepts timeout and strip. Providers that return structured JSON can use json_key where documented, for example AWS Secrets Manager. Use command or binary only when the vendor CLI binary is installed under a non-standard name or path.