secretexec fetches a secret from AWS Secrets Manager and injects its key-value pairs as environment variables before executing a given command via execve(2). The current process is replaced by the target command — no wrapper process remains.
- Unix-like OS
- AWS credentials available via the default credential chain (environment, ~/.aws, IAM role, etc.)
```sh
secretexec -s secret-id-or-arn /path/to/command [args...]
```
The secret must be a JSON object with string values, e.g.:

```json
{
  "DB_PASSWORD": "hunter2",
  "API_KEY": "abc123"
}
```

Each key-value pair is injected into the environment of the executed command. Keys must consist only of ASCII letters, digits, hyphens, and underscores. Values must not contain Unicode control/format characters. Invalid entries are skipped with a warning.
If the command name contains no path separator, it is resolved via PATH lookup.
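As an added example that is not secretexec's own code, here is one way to implement the rules above in Go: the key pattern, the Unicode control/format (Cc/Cf) value check that warns per skipped entry, and the PATH-resolving execve(2) step. The function names, the regexp and the sample JSON used to exercise it are assumptions, not taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
	"sort"
	"strings"
	"syscall"
	"unicode"
)

// Key rule from the README: ASCII letters, digits, hyphens and underscores only (assumed regexp).
var keyPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// validValue rejects Unicode control (Cc) and format (Cf) characters; a NUL, for one, would truncate the C string handed to execve(2).
func validValue(v string) bool {
	return strings.IndexFunc(v, func(r rune) bool { return unicode.IsControl(r) || unicode.Is(unicode.Cf, r) }) < 0
}

// secretEnv parses the SecretString JSON into sorted KEY=VALUE pairs, with one warning per skipped entry.
func secretEnv(secretString string) (pairs, warnings []string, err error) {
	var kv map[string]string // a non-string value makes Unmarshal fail, as the README requires
	if err = json.Unmarshal([]byte(secretString), &kv); err != nil {
		return nil, nil, fmt.Errorf("secret is not a JSON object of strings: %w", err)
	}
	for k, v := range kv {
		switch {
		case !keyPattern.MatchString(k):
			warnings = append(warnings, fmt.Sprintf("skipping %q: invalid key", k))
		case !validValue(v):
			warnings = append(warnings, fmt.Sprintf("skipping %q: control/format character in value", k))
		default:
			pairs = append(pairs, k+"="+v)
		}
	}
	sort.Strings(pairs) // map iteration order is random; keep the output deterministic
	sort.Strings(warnings)
	return pairs, warnings, nil
}

// execCommand replaces the current process via execve(2), so no wrapper remains; exec.LookPath uses a name containing '/' as-is and resolves a bare name through PATH.
func execCommand(argv, env []string) error {
	path, err := exec.LookPath(argv[0])
	if err != nil {
		return err
	}
	return syscall.Exec(path, argv, env) // returns only on failure
}
```

A caller would build the child environment from `os.Environ()` plus the returned pairs and then hand `argv` and that slice to `execCommand`; the README does not say which side wins on a name collision, so that policy is left to the caller here.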
```sh
secretexec -s myapp/production/env -- ./myapp --serve
```

- `-s` — Secret name or ARN (required)
- Execution timeout is 10 seconds (covers the secret fetch only; the spawned process is not affected).
- Binary secrets (`SecretBinary`) are not supported.
- The program is Unix-only (`//go:build unix`).
```sh
go build -o secretexec .
```