Creating & Viewing Secrets
Setting Secrets
keep set creates or updates secrets in your vaults.
Command Reference: keep set
| Option | Type | Default | Description |
|---|---|---|---|
--stage | string | interactive | Target stage (local, staging, production) |
--vault | string | default vault | Vault to store the secret in |
--secure | boolean | true | Whether to encrypt the secret (always true for AWS vaults) |
--force | boolean | false | Overwrite existing secrets without confirmation |
Arguments:
[key]- Secret key name (prompted if not provided)[value]- Secret value (prompted if not provided)
Examples:
bash
# Interactive mode
keep set
# Basic usage
keep set DB_PASSWORD "my-secret" --stage=local
# Force overwrite
keep set API_KEY "new-value" --stage=production --force
# Specific vault
keep set STRIPE_KEY "sk_live_..." --stage=production --vault=secretsmanagerGetting Secrets
keep get retrieves a specific secret from a vault.
Command Reference: keep get
| Option | Type | Default | Description |
|---|---|---|---|
--stage | string | interactive | Source stage to retrieve from |
--vault | string | default vault | Vault to retrieve the secret from |
--format | string | table | Output format: table, json, raw |
Arguments:
[key]- Secret key name (prompted if not provided)
Examples:
bash
# Interactive mode
keep get
# Basic retrieval
keep get API_KEY --stage=local
# JSON output
keep get STRIPE_KEY --stage=production --format=json
# Raw format from specific vault
keep get CONFIG_JSON --stage=staging --vault=ssm --format=rawListing Secrets
keep show shows all secrets from a vault and stage.
Command Reference: keep show
| Option | Type | Default | Description |
|---|---|---|---|
--stage | string | interactive | Stage to list secrets from |
--vault | string | default vault | Vault to list secrets from |
--unmask | boolean | false | Show actual secret values instead of masked |
--format | string | table | Output format: table, json, env |
--only | string | Comma-separated list of keys to include | |
--except | string | Comma-separated list of keys to exclude |
Examples:
bash
# Basic listing
keep show --stage=local
# Show actual values
keep show --stage=production --unmask
# Filter keys
keep show --stage=production --only="API_*,MAIL_*"
keep show --stage=local --except="DB_*,STRIPE_*"
# Different formats
keep show --stage=staging --format=json
keep show --stage=production --vault=secretsmanager --format=envDeleting Secrets
keep delete removes secrets from vaults.
Command Reference: keep delete
| Option | Type | Default | Description |
|---|---|---|---|
--stage | string | interactive | Stage to delete secret from |
--vault | string | default vault | Vault to delete the secret from |
--force | boolean | false | Delete without confirmation prompt |
Arguments:
[key]- Secret key name (prompted if not provided)
Examples:
bash
# Interactive mode
keep delete
# Basic deletion
keep delete OLD_CONFIG --stage=local
# Force deletion
keep delete TEMP_KEY --stage=staging --force
# Specific vault
keep delete LEGACY_SECRET --stage=production --vault=ssmBest Practices
Naming Conventions
- Use
UPPER_CASEwith underscores - Include purpose:
DB_PASSWORD,API_KEY,STRIPE_SECRET - Stick to letters, numbers, underscores, and hyphens
Security
- Never log unmasked values
- Use
--unmasksparingly - Verify stage before production changes
- Be careful with
--force
Common Workflows
bash
# Local development workflow
keep set DB_PASSWORD "dev-password" --stage=local
keep export --stage=local --file=.env.local
keep show --stage=local
# Production workflow (be careful!)
keep show --stage=production # Verify stage first
keep set DB_PASSWORD "prod-password" --stage=production
keep export --stage=production --file=.env.production