A command-line tool that injects secrets into your application's environment variables from secure storage backends.
```bash
# 1. Run your app with secret injection
export DB_PASSWORD="secretinit:aws:sm:myapp/db-creds:::password"
secretinit myapp

# 2. Get a single secret value
secretinit --stdout "gcp:sm:my-project/api-key"

# 3. Multi-credential expansion + mapping (git store can be used for any URL)
export API="secretinit:git:https://api.example.com"
secretinit -m "DATABASE_USER=API_USER,DATABASE_PASS=API_PASS" myapp

# 4. Use .env file
echo 'API_TOKEN=secretinit:azure:kv:my-vault/api-token' > .env
secretinit myapp
```

Instead of hardcoding secrets, you use placeholder strings that tell secretinit where to find the real values:
```bash
# Before: Hardcoded secret
export API_KEY="sk-1234567890abcdef"
myapp

# After: Secret reference
export API_KEY="secretinit:aws:sm:myapp/api-key"
secretinit myapp
```

secretinit fetches the real secret and launches your app with the actual value.
Download the latest release from GitHub Releases:
```bash
# Download the appropriate binary for your platform:
# - secretinit_linux_amd64.tar.gz (full version)
# - secretinit-git_linux_amd64.tar.gz (git-only, smallest)
# - secretinit-aws_linux_amd64.tar.gz (git + AWS)
# - secretinit-gcp_linux_amd64.tar.gz (git + GCP)
# - secretinit-azure_linux_amd64.tar.gz (git + Azure)

# Linux/macOS example:
curl -L https://github.com/liifi/secretinit/releases/latest/download/secretinit_linux_amd64.tar.gz | tar xz
sudo mv secretinit /usr/local/bin/
```

```bash
# Windows (Scoop)
scoop install secretinit

# Cross-platform (Pixi - modern package manager)
pixi add secretinit
```

Check Repology for the latest packaging status across distributions.

```bash
go install github.com/liifi/secretinit/cmd/secretinit@latest
```

Choose the minimal build for your use case:
| Build | Size | Backends | Use Case |
|---|---|---|---|
| secretinit | 26MB | Git + AWS + GCP + Azure | All cloud providers |
| secretinit-git | 14MB | Git only | Simple credential storage |
| secretinit-aws | 23MB | Git + AWS | AWS environments |
| secretinit-gcp | 16MB | Git + GCP | Google Cloud environments |
| secretinit-azure | 16MB | Git + Azure | Azure environments |
```
backend:service:resource[:::key_path]
```

- backend: `git`, `aws`, `gcp`, `azure`
- service: `sm` (Secrets Manager), `ps` (Parameter Store), `kv` (Key Vault)
- resource: Secret name/path/URL
- key_path: Optional - extract specific field from JSON secrets

| Backend | Service | Example |
|---|---|---|
| Git | Any URL | git:https://api.example.com:::password |
| AWS | Secrets Manager | aws:sm:myapp/db-creds:::password |
| AWS | Parameter Store | aws:ps:/myapp/config:::database.host |
| GCP | Secret Manager | gcp:sm:my-project/api-key |
| Azure | Key Vault | azure:kv:my-vault/app-secret:::username |
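
A validator for the address format above, useful for linting environment or `.env` values before deployment without contacting any backend. This is an added example, not secretinit's own parser: `Ref` and `ParseRef` are names introduced here, and it assumes the key path is split at the last `:::` and that only the service codes listed in the table are valid.

```go
package main

import (
	"fmt"
	"strings"
)

// Ref is one parsed secret address (type and field names are this example's own).
type Ref struct{ Backend, Service, Resource, KeyPath string }

// Service codes per backend, from the README table; git takes a URL directly (nil).
var services = map[string]map[string]bool{
	"git": nil, "aws": {"sm": true, "ps": true}, "gcp": {"sm": true}, "azure": {"kv": true},
}

// ParseRef checks a value against backend:service:resource[:::key_path].
func ParseRef(v string) (Ref, error) {
	v = strings.TrimPrefix(v, "secretinit:") // prefix is absent in --stdout addresses
	var svc, key string
	// Split off key_path first: git resources are URLs and contain ':' themselves.
	if i := strings.LastIndex(v, ":::"); i >= 0 {
		v, key = v[:i], v[i+3:]
		if key == "" {
			return Ref{}, fmt.Errorf("empty key_path after ':::'")
		}
	}
	backend, rest, _ := strings.Cut(v, ":")
	allowed, known := services[backend]
	if !known {
		return Ref{}, fmt.Errorf("unknown backend %q", backend)
	}
	if allowed != nil { // cloud backends: the next segment must be a listed service
		svc, rest, _ = strings.Cut(rest, ":")
		if !allowed[svc] {
			return Ref{}, fmt.Errorf("service %q is not listed for backend %q", svc, backend)
		}
	}
	if rest == "" {
		return Ref{}, fmt.Errorf("empty resource")
	}
	return Ref{backend, svc, rest, key}, nil
}

func main() { // constructed samples: two references, a bad service, a literal secret
	for _, v := range []string{"secretinit:aws:sm:myapp/db-creds:::password",
		"git:https://api.example.com", "aws:kv:myapp/x", "sk-1234567890abcdef"} {
		r, err := ParseRef(v)
		fmt.Printf("%-45s %+v err=%v\n", v, r, err)
	}
}
```

A value that fails to parse is either a malformed reference or a literal, which makes this a cheap check for hardcoded secrets left in variables that are supposed to hold references.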
Run your application with secret injection:
```bash
# Single secret
export API_KEY="secretinit:aws:sm:myapp/api-key"
secretinit myapp

# Multiple secrets
export DB_USER="secretinit:git:https://db.example.com:::username"
export DB_PASS="secretinit:git:https://db.example.com:::password"
secretinit myapp

# Multi-credential mode (creates API_URL, API_USER, API_PASS)
export API="secretinit:git:https://api.example.com"
secretinit myapp

# Map auto-created variables to what your app expects
export API="secretinit:git:https://api.example.com"
secretinit -m "DB_HOST=API_URL,DB_USER=API_USER,DB_PASS=API_PASS" myapp
```

Get one secret value to stdout:
```bash
# Get password for scripting
PASSWORD=$(secretinit --stdout "aws:sm:myapp/db:::password")

# Git backend defaults to password when no key_path specified
curl -u "user:$(secretinit -o git:https://api.example.com)" https://api.example.com
```

Copy secret values to additional variables or rename auto-expanded variables:
```bash
# Git multi-credential expansion creates API_USER, API_PASS
# Map them to what your legacy app expects
export API="secretinit:git:https://api.example.com"
secretinit -m "DATABASE_USERNAME=API_USER,DATABASE_PASSWORD=API_PASS" myapp

# Copy one secret to multiple variable names
export SECRET="secretinit:aws:sm:myapp/token"
secretinit -m "API_TOKEN=SECRET,AUTH_KEY=SECRET,ACCESS_TOKEN=SECRET" myapp

# Environment variable mappings
SECRETINIT_MAPPINGS="DATABASE_USERNAME=API_USER,DATABASE_PASSWORD=API_PASS" secretinit myapp
```

The git backend uses your OS's secure credential storage:
```bash
# Store credentials for any service (not just Git!)
secretinit --store --url https://api.example.com --user myuser

# Configure credential helper (one-time setup)
git config --global credential.helper manager # Recommended for all platforms
```

- Install Git and configure a credential helper
- For AWS: Configure AWS credentials (`aws configure` or IAM roles)
- For GCP: Set up Application Default Credentials (`gcloud auth application-default login`)
- For Azure: Configure Azure CLI (`az login`) or use managed identity
- Store some credentials:

  ```bash
  secretinit --store --url https://api.example.com --user myuser
  ```

- Test it:

  ```bash
  export API_KEY="secretinit:git:https://api.example.com:::password"
  secretinit echo "API_KEY=\$API_KEY"
  ```

- `SECRETINIT_MAPPINGS`: Set variable mappings (`TARGET=SOURCE,TARGET2=SOURCE2`)
- `SECRETINIT_LOG_LEVEL`: Set to `DEBUG` for detailed logging

secretinit automatically loads environment variables from a .env file in the current directory:
```bash
# .env file
API_TOKEN=secretinit:git:https://api.example.com:::password
DB_USER=secretinit:git:https://db.example.com:::username
DB_PASS=secretinit:git:https://db.example.com:::password

# Project-specific mappings
SECRETINIT_MAPPINGS=DATABASE_USERNAME=DB_USER,DATABASE_PASSWORD=DB_PASS
```

- Default: Automatically loads `.env` from current directory
- Custom file: `secretinit -e prod.env myapp`
- Disable loading: `secretinit -n myapp`
- Precedence: .env file variables override system environment variables

- macOS/Linux/Windows: `git config --global credential.helper manager`
- Legacy options: `osxkeychain` (macOS), `wincred` (Windows), `cache` (Linux)

Use Linux credential helpers in WSL rather than Windows GCM to avoid hanging issues.
For more examples and advanced usage, run secretinit --help.