Terminal access
Your secrets, wherever you work
Pull any secret from your terminal in one command. Secure by default — 2FA enforced for interactive logins, project tokens for pipelines.
Getting started
Up and running in minutes
Three steps to access your secrets from anywhere.
Install the gem
Requires Ruby 3.0 or higher. Works on macOS, Linux, and Windows.
Log in
Authenticate with your Vaultez email, password, and 2FA code. All accounts require two-factor authentication. Your session token is stored locally in ~/.vaultez/config.yml.
Fetch a secret
Fetch a single secret or pull an entire project's secrets at once.
Authentication
Two ways to authenticate
Interactive logins for humans. Project tokens for pipelines.
Interactive login
For developers working locally. Run vaultez login and enter your email, password, and 2FA code. Your session token is saved to ~/.vaultez/config.yml and reused on every command. Gives access to all companies, projects, and secrets your account can see.
Project tokens
For CI/CD pipelines and automation. Create a project token in your project's Tokens tab. Set it as VAULTEZ_TOKEN in your pipeline environment. No password or 2FA needed — the token already knows which project it belongs to, so no --project flag is required.
Commands
Full command reference
Everything the CLI can do.
Log in
Prompts for email, password, and your 2FA code. Stores a session token in ~/.vaultez/config.yml. You can also pass a backup code in place of the 2FA code if you don't have your authenticator app.
Log out
Revokes the current session token on the server and removes it from ~/.vaultez/config.yml. Use this when leaving a shared machine.
List companies
List all companies your account belongs to. Shows your role in each.
List projects
List all projects in a company you have access to.
Fetch all secrets in a project
Returns all secrets in KEY=value format — ready to pipe, source, or redirect to a .env file.
Fetch a single secret
Returns the plain value only — pipes cleanly into scripts and shell variables.
Set a default company
Skip the --company flag on every command by setting a default once.
Integrations
Connect your pipelines
Create a project token in your project's Tokens tab, then add it to your pipeline as VAULTEZ_TOKEN. Each example below fetches all secrets from a project and exposes them as environment variables.
GitHub Actions
Store your project token as a repository secret named VAULTEZ_TOKEN, then inject secrets into the workflow environment.
- name: Fetch secrets from Vaultez
env:
VAULTEZ_TOKEN: ${{ secrets.VAULTEZ_TOKEN }}
run: |
gem install vaultez-cli
vaultez fetch >> $GITHUB_ENV
Terraform
Use an external data source to pull secrets at plan/apply time. Pass the project token via a Terraform variable or environment variable.
data "external" "vaultez" {
program = ["vaultez", "fetch", "--format=json"]
}
resource "aws_db_instance" "main" {
password = data.external.vaultez.result["DB_PASSWORD"]
}
Rails credentials / initializer
Load Vaultez secrets into your Rails environment at boot. Add this to an initializer and set VAULTEZ_TOKEN in your server environment.
if ENV["VAULTEZ_TOKEN"].present?
output, status = Open3.capture2("vaultez", "fetch")
if status.success?
output.each_line do |line|
key, value = line.chomp.split("=", 2)
ENV[key] ||= value if key && value
end
end
end
Docker / generic CI
Fetch secrets at container startup or as a build step. Pass the project token as a build argument or runtime environment variable.
RUN gem install vaultez-cli
Next.js / .env.local
Populate .env.local before starting the dev server or building. Add Vaultez as a prebuild and predev script so secrets are always fresh. The .env.local file is already gitignored by default in Next.js projects.
{
"scripts": {
"predev": "vaultez fetch > .env.local",
"dev": "next dev",
"prebuild": "vaultez fetch > .env.local",
"build": "next build"
}
}
Ready to try it?
Create a free Vaultez account, then install the CLI.