run
Run a command with all secrets from an environment injected as environment variables. This is the recommended way to use secrets in development and scripts.
zopp run [OPTIONS] [--] <COMMAND>...
Arguments
| Argument | Required | Description |
|---|---|---|
COMMAND... | Yes | Command and arguments to run |
Options
| Option | Required | Description |
|---|---|---|
-w, --workspace <WORKSPACE> | No | Workspace name (defaults from zopp.toml) |
-p, --project <PROJECT> | No | Project name (defaults from zopp.toml) |
-e, --environment <ENVIRONMENT> | No | Environment name (defaults from zopp.toml) |
-h, --help | No | Print help |
How It Works
- Fetches all secrets from the specified environment
- Decrypts them client-side
- Injects them as environment variables
- Executes your command with those variables
- Secrets are never written to disk
Examples
Basic Usage
# Run npm start with secrets injected
zopp run -- npm start
# Run a Python script
zopp run -- python app.py
# Run with explicit environment
zopp run -e production -- ./deploy.sh
With zopp.toml
Create a zopp.toml in your project:
[defaults]
workspace = "mycompany"
project = "backend"
environment = "development"
Then simply run:
zopp run -- npm start
Verify Secrets Are Injected
# Print a specific secret
zopp run -- printenv DATABASE_URL
# List all environment variables
zopp run -- env | grep -E "^(DATABASE|API|SECRET)"
Docker Integration
# Run a container with secrets
zopp run -- docker run -e DATABASE_URL -e API_KEY myapp:latest
Shell Commands
Use -- to separate zopp options from the command:
# Run a shell command
zopp run -- sh -c 'echo "DB is $DATABASE_URL"'
# Pipe commands
zopp run -- sh -c 'psql $DATABASE_URL -c "SELECT 1"'
Different Environments
# Development
zopp run -e development -- npm run dev
# Staging
zopp run -e staging -- npm run test:e2e
# Production (be careful!)
zopp run -e production -- npm run migrate
Security Notes
- Secrets are decrypted in memory and passed to the subprocess
- Secrets are not written to any file
- The subprocess inherits the secrets as environment variables
- Child processes of the command will also have access to the secrets
tip
For production deployments, consider using the Kubernetes Operator or CI/CD integration instead of zopp run.
See Also
- secret export - Export secrets to a .env file
- CI/CD Integration - Use secrets in CI pipelines