mirror of
https://github.com/Infisical/infisical.git
synced 2025-03-31 22:09:57 +00:00
.github
.husky
backend
cli
cloudformation
company
docker-swarm
docs
api-reference
changelog
cli
commands
commands.mdx
export.mdx
init.mdx
login.mdx
reset.mdx
run.mdx
scan-git-changes.mdx
scan-install.mdx
scan.mdx
secrets.mdx
service-token.mdx
token.mdx
user.mdx
vault.mdx
faq.mdx
overview.mdx
project-config.mdx
scanning-overview.mdx
usage.mdx
contributing
documentation
images
integrations
internals
logo
sdks
self-hosting
CONTRIBUTING.MD
favicon.png
mint.json
style.css
syncingManually.mdx
frontend
helm-charts
img
k8-operator
migration
nginx
sink
.dockerignore
.env.example
.env.migration.example
.env.test.example
.eslintignore
.gitignore
.goreleaser.yaml
.infisicalignore
CODE_OF_CONDUCT.md
CONTRIBUTING.md
Dockerfile.standalone-infisical
LICENSE
Makefile
README.md
SECURITY.md
cypress.config.js
docker-compose.dev-read-replica.yml
docker-compose.dev.yml
docker-compose.prod.yml
package-lock.json
package.json
render.yaml
standalone-entrypoint.sh
198 lines
6.1 KiB
Plaintext
198 lines
6.1 KiB
Plaintext
---
|
|
title: "infisical run"
|
|
description: "The command that injects your secrets into local environment"
|
|
---
|
|
|
|
<Tabs>
|
|
<Tab title="Single command">
|
|
```bash
|
|
infisical run [options] -- [your application start command]
|
|
|
|
# Example
|
|
infisical run [options] -- npm run dev
|
|
```
|
|
|
|
</Tab>
|
|
|
|
<Tab title="Chained commands">
|
|
```bash
|
|
infisical run [options] --command [string command]
|
|
|
|
# Example
|
|
infisical run [options] --command "npm run bootstrap && npm run dev start; other-bash-command"
|
|
```
|
|
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
## Description
|
|
|
|
Inject secrets from Infisical into your application process.
|
|
|
|
## Subcommands & flags
|
|
|
|
<Accordion title="infisical run" defaultOpen="true">
|
|
Use this command to inject secrets into your applications process
|
|
|
|
```bash
|
|
$ infisical run -- <your application command>
|
|
|
|
# Example
|
|
$ infisical run -- npm run dev
|
|
```
|
|
|
|
### Environment variables
|
|
|
|
<Accordion title="INFISICAL_TOKEN">
|
|
Used to fetch secrets via a [machine identity](/documentation/platform/identities/machine-identities) apposed to logged in credentials. Simply, export this variable in the terminal before running this command.
|
|
|
|
```bash
|
|
# Example
|
|
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain) # --plain flag will output only the token, so it can be fed to an environment variable. --silent will disable any update messages.
|
|
```
|
|
|
|
<Info>
|
|
Alternatively, you may use service tokens.
|
|
|
|
Please note, however, that service tokens are being deprecated in favor of [machine identities](/documentation/platform/identities/machine-identities). They will be removed in the future in accordance with the deprecation notice and timeline stated [here](https://infisical.com/blog/deprecating-api-keys).
|
|
|
|
```bash
|
|
# Example
|
|
export INFISICAL_TOKEN=<service-token>
|
|
```
|
|
</Info>
|
|
</Accordion>
|
|
|
|
<Accordion title="INFISICAL_DISABLE_UPDATE_CHECK">
|
|
Used to disable the check for new CLI versions. This can improve the time it takes to run this command. Recommended for production environments.
|
|
|
|
To use, simply export this variable in the terminal before running this command.
|
|
|
|
```bash
|
|
# Example
|
|
export INFISICAL_DISABLE_UPDATE_CHECK=true
|
|
```
|
|
</Accordion>
|
|
|
|
### Flags
|
|
|
|
<Accordion title="--watch">
|
|
By passing the `watch` flag, you are telling the CLI to watch for changes that happen in your Infisical project.
|
|
If secret changes happen, the command you provided will automatically be restarted with the new environment variables attached.
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --watch -- printenv
|
|
```
|
|
</Accordion>
|
|
|
|
<Accordion title="--project-config-dir">
|
|
Explicitly set the directory where the .infisical.json resides. This is useful for some monorepo setups.
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --project-config-dir=/some-dir -- printenv
|
|
```
|
|
</Accordion>
|
|
|
|
<Accordion title="--command">
|
|
Pass secrets into multiple commands at once
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --command="npm run build && npm run dev; more-commands..."
|
|
```
|
|
|
|
</Accordion>
|
|
|
|
<Accordion title="--projectId">
|
|
The project ID to fetch secrets from. This is required when using a machine identity to authenticate.
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --projectId=<project-id> -- npm run dev
|
|
```
|
|
|
|
</Accordion>
|
|
|
|
<Accordion title="--token">
|
|
If you are using a [machine identity](/documentation/platform/identities/machine-identities) to authenticate, you can pass the token as a flag
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --token="<universal-auth-access-token>" --projectId=<project-id> -- npm run start
|
|
```
|
|
|
|
You may also expose the token to the CLI by setting the environment variable `INFISICAL_TOKEN` before executing the run command. This will have the same effect as setting the token with `--token` flag
|
|
|
|
</Accordion>
|
|
|
|
<Accordion title="--expand">
|
|
Turn on or off the shell parameter expansion in your secrets. If you have used shell parameters in your secret(s), activating this feature will populate them before injecting them into your application process.
|
|
|
|
Default value: `true`
|
|
|
|
</Accordion>
|
|
|
|
<Accordion title="--include-imports">
|
|
By default imported secrets are available, you can disable it by setting this option to false.
|
|
|
|
Default value: `true`
|
|
</Accordion>
|
|
|
|
{" "}
|
|
|
|
<Accordion title="--env">
|
|
This is used to specify the environment from which secrets should be
|
|
retrieved. The accepted values are the environment slugs defined for your
|
|
project, such as `dev`, `staging`, `test`, and `prod`. Default value: `dev`
|
|
</Accordion>
|
|
|
|
<Accordion title="--secret-overriding">
|
|
Prioritizes personal secrets with the same name over shared secrets
|
|
|
|
Default value: `true`
|
|
|
|
</Accordion>
|
|
|
|
<Accordion title="--tags">
|
|
When working with tags, you can use this flag to filter and retrieve only secrets that are associated with a specific tag(s).
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --tags=tag1,tag2,tag3 -- npm run dev
|
|
```
|
|
|
|
Note: you must reference the tag by its slug name not its fully qualified name. Go to project settings to view all tag slugs.
|
|
|
|
By default, all secrets are fetched
|
|
|
|
</Accordion>
|
|
|
|
<Accordion title="--path">
|
|
The `--path` flag indicates which project folder secrets will be injected from.
|
|
|
|
```bash
|
|
# Example
|
|
infisical run --path="/nextjs" -- npm run dev
|
|
```
|
|
|
|
</Accordion>
|
|
|
|
</Accordion>
|
|
|
|
|
|
## Automatically reload command when secrets change
|
|
|
|
To automatically reload your command when secrets change, use the `--watch` flag.
|
|
|
|
```bash
|
|
infisical run --watch -- npm run dev
|
|
```
|
|
|
|
This will watch for changes in your secrets and automatically restart your command with the new secrets.
|
|
When your command restarts, it will have the new environment variables injeceted into it.
|
|
|
|
<Note>
|
|
Please note that this feature is intended for development purposes. It is not recommended to use this in production environments. Generally it's not recommended to automatically reload your application in production when remote changes are made.
|
|
</Note> |