Command: ennote secret
The secret command group provides commands for retrieving and injecting secrets from the Ennote platform. You can either print payloads to standard output or inject them directly into the environment variables of a child process.
Overview
View the available commands within the secret group:
ennote secret
Available Commands:
get Retrieve a secret and print it, or inject it into a child process
Fetching & Injecting (ennote secret get)
ennote secret get <secret-query> [-- <command>] [flags]
Secret Query Formats
- <name>: Fetches the latest version of the secret.
- <name>@<version>: Fetches a specific historical version.
- <name>:<key>: Fetches the latest version and targets a specific key (outputs the raw, unescaped string).
- <name>@<version>:<key>: Fetches a specific version and targets a specific key.
Override Flags
You can pass specific flags to override your current active configuration for a single command execution:
- --organization-id: Target Organization ID (overrides local config and environment variables).
- --workspace-id: Target Workspace ID (overrides local config and environment variables).
Outputting Data (Stdout)
# Print the entire payload to console
ennote secret get "stripe"
# Print a specific version and target a specific key
ennote secret get "database@5:password"
# Extract a specific key for bash scripts
export DB_PASS="$(ennote secret get "database:password")"
Process Injection (The Core Use-Case)
Instead of piping variables or writing .env files, Ennote securely injects secrets directly into the memory space of a child process, as environment variables.
# Inject all keys from the 'stripe' secret into a Node server
ennote secret get "stripe" -- npm run dev
# Inject keys into the AWS CLI
ennote secret get "aws" -- aws s3 ls
# Inject keys using explicit organization and workspace overrides
ennote secret get "aws" --workspace-id my-wrk-id --organization-id my-org-id -- aws s3 ls
$PATH resolution (exec.LookPath) before executing the child command to prevent PATH-hijacking attacks. Secrets are injected into the standard OS execution environment (cmd.Env) and are isolated to that specific process tree.
JSON Type Handling & Serialization
When injecting secrets into child processes, Ennote automatically serializes complex nested JSON objects (e.g., arrays or nested maps) back into standard JSON strings.
Primitive values (strings, booleans, floats) are injected natively as strings to ensure compatibility with standard application parsers.
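A sketch of the mechanism described above (exec.LookPath resolution, injection through cmd.Env, JSON re-serialization of nested values), added here as an example; it is not Ennote's source code. The function names, the use of secret keys unchanged as variable names, and the number formatting are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"sort"
)

// envFromPayload turns a JSON secret payload into KEY=value entries.
// Key naming and number formatting here are assumptions, not Ennote's rules.
func envFromPayload(payload []byte) ([]string, error) {
	var fields map[string]interface{}
	if err := json.Unmarshal(payload, &fields); err != nil {
		return nil, err
	}
	env := make([]string, 0, len(fields))
	for k, v := range fields {
		switch t := v.(type) {
		case string, bool, float64: // primitives: plain string form
			env = append(env, k+"="+fmt.Sprint(t))
		default: // arrays, nested maps, null: back to JSON text
			b, _ := json.Marshal(t) // cannot fail for values json.Unmarshal produced
			env = append(env, k+"="+string(b))
		}
	}
	sort.Strings(env) // deterministic order
	return env, nil
}

// runWithSecrets resolves argv[0] (non-empty argv assumed) to a path before
// starting the child; Go 1.19+ LookPath also rejects matches in the current directory.
func runWithSecrets(env, argv []string) ([]byte, error) {
	path, err := exec.LookPath(argv[0])
	if err != nil {
		return nil, fmt.Errorf("refusing to run %q: %w", argv[0], err)
	}
	cmd := exec.Command(path, argv[1:]...)
	cmd.Env = append(os.Environ(), env...) // on duplicate keys the last entry wins
	return cmd.Output()
}

func main() {
	// Constructed sample payload, not real Ennote output.
	env, _ := envFromPayload([]byte(`{"host":"db.internal","port":5432,"replicas":["a","b"]}`))
	out, err := runWithSecrets(env, []string{"env"})
	fmt.Printf("%s(err: %v)\n", out, err)
}
```

Because the variables live in the child's environment, every process that child spawns inherits them, which is what "isolated to that specific process tree" means in practice.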