Providers
Providers are pluggable storage backends that handle the storage and retrieval of secrets. They allow the same secretspec.toml
to work across development machines, CI/CD pipelines, and production environments.
Available Providers
Provider | Description | Read | Write | Encrypted |
---|---|---|---|---|
keyring | System credential storage (macOS Keychain, Windows Credential Manager, Linux Secret Service) | ✓ | ✓ | ✓ |
dotenv | Traditional .env file in your project directory | ✓ | ✓ | ✗ |
env | Read-only access to existing environment variables | ✓ | ✗ | ✗ |
onepassword | Integration with OnePassword password manager | ✓ | ✓ | ✓ |
lastpass | Integration with LastPass password manager | ✓ | ✓ | ✓ |
Provider Selection
SecretSpec determines which provider to use in this order:
- CLI flag: secretspec --provider flag
- Environment: SECRETSPEC_PROVIDER (highest priority)
- Global default: Default provider in user config set via secretspec config init
Configuration
Set your default provider:
$ secretspec config init
Override for specific commands:
# Use dotenv for this command
$ secretspec run --provider dotenv -- npm start
# Set for shell session
$ export SECRETSPEC_PROVIDER=env
$ secretspec check
Configure providers with URIs:
[defaults]
provider = "keyring"
profile = "development" # optional default profile
You can use provider URIs for more specific configuration:
# Use a specific OnePassword vault
$ secretspec run --provider "onepassword://Personal/Development" -- npm start
# Use a specific dotenv file
$ secretspec run --provider "dotenv:/home/user/work/.env" -- npm test
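The provider table marks dotenv and env as unencrypted, and a URI can point dotenv at any file on disk. The script below is an added example, not part of SecretSpec: it classifies a provider spec using that table and flags a dotenv file whose mode grants access to group or other users. Treating the provider name as the text before the first ':' and using ./.env for a bare dotenv are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of SecretSpec: audit a provider spec (bare name or
# URI, as written on this page) against the page's "Encrypted" column.

# Provider name = text before the first ':' (assumed URI shape).
provider_name() { printf '%s\n' "${1%%:*}"; }

# 0 = encrypted per the table, 1 = not encrypted, 2 = not in the table.
provider_encrypted() {
  case "$(provider_name "$1")" in
    keyring|onepassword|lastpass) return 0 ;;
    dotenv|env)                   return 1 ;;
    *)                            return 2 ;;
  esac
}

# "dotenv:/path" -> /path; bare "dotenv" -> ./.env (assumed default location).
dotenv_path() {
  case "$1" in
    dotenv:*) printf '%s\n' "${1#dotenv:}" ;;
    dotenv)   printf '%s\n' ".env" ;;
    *)        return 1 ;;
  esac
}

# Returns 0 (acceptable), 1 (plaintext file accessible beyond its owner),
# or 2 (unknown provider). Findings go to stdout.
audit_provider() {
  _rc=0
  provider_encrypted "$1" || _rc=$?
  case "$_rc" in
    0) echo "ok: $1 is encrypted"; return 0 ;;
    2) echo "unknown: $1 is not in the provider table"; return 2 ;;
  esac
  if _file="$(dotenv_path "$1")" && [ -e "$_file" ]; then
    # GNU stat first, BSD/macOS stat as fallback; both print octal mode bits.
    _mode="$(stat -c '%a' "$_file" 2>/dev/null || stat -f '%Lp' "$_file")"
    case "$_mode" in
      0|*00) ;;  # no group/other permission bits set
      *) echo "fail: $_file is plaintext with mode $_mode"; return 1 ;;
    esac
  fi
  echo "warn: $1 holds secrets unencrypted"
  return 0
}

# Run as a script: ./audit.sh "dotenv:/home/user/work/.env"
[ "$#" -eq 0 ] || audit_provider "$1"
```

A CI job can call audit_provider with the value it is about to pass to --provider and stop on a non-zero status.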
Next Steps
- Learn about specific providers in the Providers section
- Understand how providers work with Profiles
- Explore Configuration Inheritance for complex setups