
nkapp secrets

Manage project secrets and Vault integration from the CLI.

nkapp secrets <subcommand> [options]

Subcommands

secrets list

List all secrets defined for an environment.

nkapp secrets list [-e <env>]

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -e, --env <env> | string | local | Environment to list secrets for |

Displays both global secrets (from the root secrets: block) and environment-specific secrets (from environments.<env>.secrets).


secrets pull

Pull resolved secrets into local .env files. This is the bridge between remote secret management and local development.

nkapp secrets pull [-e <env>]

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -e, --env <env> | string | local | Environment to pull secrets for |

What it does:

  1. Loads the full configuration and resolves all vault:// URIs
  2. Collects secrets from:
    • Global secrets: block
    • Environment-specific secrets: block
    • All service env: blocks in the target environment
  3. Merges resolved values into the appropriate .env file
  4. Sorts keys alphabetically for readability

Output file mapping:

| Environment | File |
| --- | --- |
| local | .env |
| stage | .env.stage |
| production | .env.production |

secrets set <key=value>

Set a secret in nanokit.yml. The value can be a plain string or a vault:// URI.

nkapp secrets set <key=value> [-e <env>]

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -e, --env <env> | string | | Target environment (sets in environments.<env>.secrets). If omitted, sets in root secrets:. |

# Set a global secret
nkapp secrets set DB_PASSWORD=vault://secret/data/db_password

# Set an environment-specific secret
nkapp secrets set STRIPE_KEY=sk_live_xxx -e production

Examples

# List all secrets for staging
nkapp secrets list -e stage

# Pull all resolved secrets for local development
nkapp secrets pull

# Set a vault reference
nkapp secrets set API_TOKEN=vault://api/token -e production

[!IMPORTANT] secrets pull writes resolved plain-text values to .env files. These files should be in your .gitignore to prevent accidental commits.

[!NOTE] Real Connectivity: To pull secrets from a live cluster, ensure VAULT_ADDR and VAULT_TOKEN are set in your environment. If missing, the command will pull data from the local mock provider.
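
A check to run before and after nkapp secrets pull, following the IMPORTANT note and the output file mapping above. This is an added example, not part of nkapp: the script name check-env.sh and the function names are hypothetical, and the owner-only permission check is an assumption that goes beyond what this page states.

```shell
#!/bin/sh
# Added example, not part of nkapp: vet the file `nkapp secrets pull` writes.

# Environment -> output file, per the "Output file mapping" table.
env_file() {
  case "$1" in
    local)      echo ".env" ;;
    stage)      echo ".env.stage" ;;
    production) echo ".env.production" ;;
    *)          return 1 ;;
  esac
}

# check_env_file <env> [project-dir]
# Prints one line per finding; returns 0 only when nothing was found.
check_env_file() {
  file=$(env_file "$1") || { echo "unknown environment: $1"; return 2; }
  dir=${2:-.}
  rc=0
  # A file already in the index stays tracked even if .gitignore lists it.
  if git -C "$dir" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
    echo "$file is tracked by git (git rm --cached $file)"
    rc=1
  fi
  # --no-index tests the ignore rules alone, whether or not the file is tracked.
  if ! git -C "$dir" check-ignore -q --no-index -- "$file" 2>/dev/null; then
    echo "$file is not matched by any ignore rule"
    rc=1
  fi
  # Assumption beyond the page: plain-text secrets should be owner-only on disk.
  if [ -f "$dir/$file" ]; then
    perms=$(ls -ld "$dir/$file" | cut -c5-10)   # group + other permission bits
    if [ "$perms" != "------" ]; then
      echo "$file is accessible to group/others (chmod 600 $file)"
      rc=1
    fi
  fi
  return "$rc"
}

# Run directly as: sh check-env.sh production [project-dir]
[ $# -eq 0 ] || check_env_file "$@"
```

A non-zero exit status makes the script usable as a gate in a pre-commit hook or a CI step.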