Lade (/leɪd/) is a tool allowing you to automatically load secrets from your preferred vault into environment variables. It limits the exposure of secrets to the time the command requiring the secrets lives.
Lade is part of the Metatype ecosystem. Consider checking out how this component integrates with the whole ecosystem and browse the documentation to see more examples.
You can download the binary executable from
releases page on GitHub, make it
executable and add it to your $PATH or use
eget to automate those steps.
``` eget zifeo/lade --to $HOME/.local/bin
cargo install lade --locked cargo install --git https://github.com/zifeo/lade --locked
lade upgrade
lade install lade uninstall ```
Compatible shells: Fish, Bash, Zsh
Compatible vaults: Infisical, 1Password CLI, Doppler, Vault
Lade will run before and after any command you run in your shell. On each run,
it will recursively look for lade.yml files in the current directory and its
parents. It will then aggregate any secrets matching the command you are running
using a regex and load them into environment variables for the time of the run.
``` eval "$(lade on)"
cd examples/terraform terraform apply
eval "$(lade off)" ```
You can also add eval "$(lade on)" to your shell configuration file (e.g.
~/.bashrc, ~/.zshrc or ~/.config/fish/config.fish) to automatically enable
Lade on each shell session (lade install will configure this for you).
Note: most of the vault loaders use their native CLI to operate. This means you must have them installed locally and your login/credentials must be valid. Lade may evolve by integrating directly with the corresponding API, but this is left as future work.
See lade.yml or the examples folders for other uses cases.
yaml
command regex:
EXPORTED_ENV_VAR: infisical://DOMAIN/PROJECT_NAME/ENV_NAME/SECRET_NAME
Frequent domain(s): app.infisical.com.
Note: the /api is automatically added to the DOMAIN. This source currently
only support a single domain (you cannot be logged into multiple ones).
yaml
command regex:
EXPORTED_ENV_VAR: op://DOMAIN/VAULT_NAME/SECRET_NAME/FIELD_NAME
Frequent domain(s): my.1password.eu, my.1password.com or my.1password.ca.
yaml
command regex:
EXPORTED_ENV_VAR: doppler://DOMAIN/PROJECT_NAME/ENV_NAME/SECRET_NAME
Frequent domain(s): api.doppler.com.
yaml
command regex:
EXPORTED_ENV_VAR: vault://DOMAIN/MOUNT/KEY/FIELD
Supports INI, JSON, YAML and TOML files.
yaml
command regex:
EXPORTED_ENV_VAR: file://PATH?query=.fields[0].field
PATH can be relative to the lade directory, start with ~/$HOME or absolute
(not recommended when sharing the project with others as they likely have
different paths).
yaml
command regex:
EXPORTED_ENV_VAR: "value"
Escaping a value with ! enforces the use of the raw loader and double !!
escapes itself.
eval "$(cargo run -- on)"
echo a $A1 $A2 $B1 $B2 $B3 $C1 $C2 $C3
cargo run -- -vvv set echo a
eval "$(cargo run -- off)"