Command secrets
Automax supports env, file, command, vault, aws_secrets_manager, azure_key_vault, gcp_secret_manager and onepassword secret providers.
Use provider: command when a local helper can print a secret to stdout, for
example a password-store wrapper, an internal credential helper or a local
hardware-token integration.
secrets:
deploy_token:
provider: command
command: ["pass", "show", "prod/automax/deploy-token"]
timeout: 10
The command must:
- run on the controller host;
- exit with code
0; - print the secret value to stdout;
- avoid printing sensitive diagnostics to stderr.
By default, the stdout value is stripped:
secrets:
raw_value:
provider: command
command: ["./scripts/read-secret"]
strip: false
Safe command form
Prefer list form. It does not use a shell:
command: ["pass", "show", "prod/automax/token"]
String form is split without a shell by default:
command: "pass show prod/automax/token"
Use shell: true only for trusted local commands that require shell features:
secrets:
token:
provider: command
command: "pass show prod/automax/token | head -n1"
shell: true
Do not combine shell: true with untrusted variables.
Relative working directory
cwd is resolved relative to the secrets YAML file:
secrets:
token:
provider: command
command: ["./get-token.sh"]
cwd: helpers
Masking
Resolved secrets are masked before stdout, stderr, messages, structured result data and artifacts are persisted to the run state. Command provider errors do not include captured stdout or stderr to avoid leaking secret material.
External secret managers
External secret manager providers run the vendor CLI on the Automax controller. They do not add Python SDK dependencies and do not persist resolved values. The CLI must already be installed and authenticated by the operator or runtime identity before Automax runs.
HashiCorp Vault:
secrets:
deploy_token:
provider: vault
path: secret/prod/app
field: deploy_token
AWS Secrets Manager:
secrets:
db_password:
provider: aws_secrets_manager
secret_id: prod/db
json_key: password
region: eu-west-1
Azure Key Vault:
secrets:
api_token:
provider: azure_key_vault
vault_name: prod-vault
secret_name: automax-api-token
GCP Secret Manager:
secrets:
api_token:
provider: gcp_secret_manager
project: prod-project
secret: automax-api-token
version: latest
1Password:
secrets:
deploy_token:
provider: onepassword
reference: op://Production/Automax/deploy-token
Each provider accepts timeout and strip. Providers that return structured
JSON can use json_key where documented, for example AWS Secrets Manager.
Use command or binary only when the vendor CLI binary is installed under a
non-standard name or path.