{"id":13509168,"url":"https://github.com/helmfile/vals","last_synced_at":"2026-04-08T01:02:39.661Z","repository":{"id":39749056,"uuid":"201556139","full_name":"helmfile/vals","owner":"helmfile","description":"Helm-like configuration values loader with support for various sources","archived":false,"fork":false,"pushed_at":"2024-10-30T03:01:26.000Z","size":1287,"stargazers_count":544,"open_issues_count":30,"forks_count":72,"subscribers_count":13,"default_branch":"main","last_synced_at":"2024-10-30T08:27:02.599Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/helmfile.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-10T00:02:25.000Z","updated_at":"2024-10-30T03:01:23.000Z","dependencies_parsed_at":"2024-01-06T01:27:35.283Z","dependency_job_id":"a77a0e67-1df3-48cb-89c0-d51cf2c9d8ff","html_url":"https://github.com/helmfile/vals","commit_stats":{"total_commits":354,"total_committers":60,"mean_commits":5.9,"dds":0.5141242937853108,"last_synced_commit":"f6b1a16cc1ba4381e7eed16b9c2e18b9eb54f937"},"previous_names":["variantdev/vals"],"tags_count":63,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/helmfile%2Fvals","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/helmfile%2Fvals/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/helmfile%2Fvals/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/helmfile%2Fvals/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/helmfile","download_url":"https://codeload.github.com/helmfile/vals/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246314114,"owners_count":20757457,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T02:01:03.945Z","updated_at":"2026-04-08T01:02:39.637Z","avatar_url":"https://github.com/helmfile.png","language":"Go","funding_links":[],"categories":["Go","others","Secret Management"],"sub_categories":[],"readme":"# vals\n\n`vals` is a tool for managing configuration values and secrets.\n\nIt supports various backends including:\n\n- Vault\n- AWS SSM Parameter Store\n- AWS Secrets Manager\n- AWS S3\n- GCP Secrets Manager\n- GCP KMS\n- [Google Sheets](#google-sheets)\n- [SOPS](https://github.com/getsops/sops)-encrypted files\n- Terraform State\n- 1Password\n- 1Password Connect\n- [Doppler](https://doppler.com/)\n- CredHub(Coming soon)\n- Pulumi State\n- Kubernetes\n- Conjur\n- HCP Vault Secrets\n- Bitwarden\n- [Yandex Cloud Lockbox](https://yandex.cloud/en/docs/lockbox/)\n- Servercore Secrets Manager\n- HTTP JSON\n- Keychain\n- Scaleway\n- [Delinea SecretServer](https://delinea.com/products/secret-server)\n- Infisical\n\n- Use `vals eval -f refs.yaml` to replace all the `ref`s in the file to actual values and secrets.\n- Use `vals exec -f env.yaml -- \u003cCOMMAND\u003e` to populate envvars and execute the command.\n- Use `vals env -f env.yaml` to render envvars that are consumable by 
`eval` or a tool like `direnv`\n\nToC:\n\n- [Installation](#installation)\n- [Usage](#usage)\n  - [CLI](#cli)\n  - [Helm](#helm)\n  - [Go](#go)\n- [Expression Syntax](#expression-syntax)\n- [Supported Backends](#supported-backends)\n\n## Installation\n\n[![Packaging status](https://repology.org/badge/vertical-allrepos/vals.svg)](https://repology.org/project/vals/versions)\n\n### Download binary (Linux, macOS, Windows)\n\n[Download](https://github.com/helmfile/vals/releases) the latest executable for your platform and put it into a directory included in `PATH`.\n\n### homebrew (macOS, Linux)\n\n```sh\nbrew install vals\n```\n\n### Arch Linux\n\n```sh\nsudo pacman -S vals\n```\n\n### Alpine Linux Edge\n\n```sh\napk add vals\n```\n\n### MacPorts (macOS)\n\n```sh\nsudo port install vals\n```\n\n### Nix / NixOS\n\n```sh\nnix profile install nixpkgs#vals\n```\n\n### Scoop (Windows)\n\n```sh\nscoop install vals\n```\n\n## Usage\n\n- [CLI](#cli)\n- [Helm](#helm)\n- [Go](#go)\n\n### CLI\n\n```\nvals is a Helm-like configuration \"Values\" loader with support for various sources and merge strategies\n\nUsage:\n  vals [command]\n\nAvailable Commands:\n  eval          Evaluate a JSON/YAML document and replace any template expressions in it and prints the result\n  exec          Populates the environment variables and executes the command\n  env           Renders environment variables to be consumed by eval or a tool like direnv\n  get           Evaluate a string value passed as the first argument and replace any expressions in it and prints the result\n  ksdecode      Decode YAML document(s) by converting Secret resources' \"data\" to \"stringData\" for use with \"vals eval\"\n  version       Print vals version\n\nUse \"vals [command] --help\" for more information about a command\n```\n\n`vals` has a collection of providers, each of which is referred to with a URI scheme of the form `ref+\u003cTYPE\u003e`.\n\nFor this example, use the 
[Vault](https://www.terraform.io/docs/providers/vault/index.html) provider.\n\nLet's start by writing a secret value to Vault:\n\n```console\n$ vault kv put secret/foo mykey=myvalue\n```\n\nNow write a YAML template that refers to `vals`' Vault provider through the `ref+vault` URI scheme (the environment variables go in front of `vals`, not `echo`, so that `vals` is the process that actually sees them):\n\n```console\n$ echo \"foo: ref+vault://secret/data/foo?proto=http#/mykey\" | \\\n  VAULT_TOKEN=yourtoken VAULT_ADDR=http://127.0.0.1:8200/ vals eval -f -\n```\n\nVoilà! `vals` replaces every reference to your secret value in Vault and produces output like:\n\n```yaml\nfoo: myvalue\n```\n\nWhich is equivalent to that of the following shell script:\n\n```bash\nexport VAULT_TOKEN=yourtoken VAULT_ADDR=http://127.0.0.1:8200/\ncat \u003c\u003cEOF\nfoo: $(vault kv get -format json secret/foo | jq -r .data.data.mykey)\nEOF\n```\n\nSaving the YAML content to `x.vals.yaml` and running `vals eval -f x.vals.yaml` produces the same output:\n\n```yaml\nfoo: myvalue\n```\n\n### Helm\n\nUse value references as Helm chart values, so that you can feed the `helm template` output to `vals eval -f -` to transform the refs into secrets.\n\n```console\n$ helm template mysql-1.3.2.tgz --set mysqlPassword='ref+vault://secret/data/foo#/mykey' | vals ksdecode -o yaml -f - | tee manifests.yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  labels:\n    app: release-name-mysql\n    chart: mysql-1.3.2\n    heritage: Tiller\n    release: release-name\n  name: release-name-mysql\n  namespace: default\nstringData:\n  mysql-password: ref+vault://secret/data/foo#/mykey\n  mysql-root-password: vZQmqdGw3z\ntype: Opaque\n```\n\nThis manifest is safe to be committed into your version-control system (GitOps!) 
as the referenced values are not resolved. Note, however, that values a chart generates on its own, such as the random `mysql-root-password` above, are still plaintext and change on every `helm template` run; supply those as refs as well before committing.\n\nWhen you finally deploy the manifests, run `vals eval` to replace all the refs with the actual secrets:\n\n```console\n$ cat manifests.yaml | vals eval -f - | tee all.yaml\napiVersion: v1\nkind: Secret\nmetadata:\n    labels:\n        app: release-name-mysql\n        chart: mysql-1.3.2\n        heritage: Tiller\n        release: release-name\n    name: release-name-mysql\n    namespace: default\nstringData:\n    mysql-password: myvalue\n    mysql-root-password: 0A8V1SER9t\ntype: Opaque\n```\n\nFinally run `kubectl apply` to apply the manifests:\n\n```console\n$ kubectl apply -f all.yaml\n```\n\n`all.yaml` now holds the real secrets, so in practice pipe `vals eval -f manifests.yaml` straight into `kubectl apply -f -` rather than writing it to disk.\n\nThis gives you a solid foundation for building a secure CD system, as you only need to allow access to a secrets store like Vault from the servers or containers that pull the safe manifests and run the deployments.\n\nIn other words, the CI system itself needs no access to the secrets store.\n\n### Go\n\n```go\nimport \"github.com/helmfile/vals\"\n\nsecretsToCache := 256 // how many secrets to keep in the LRU cache\nruntime, err := vals.New(secretsToCache)\nif err != nil {\n  return nil, err\n}\n\nvalsRendered, err := runtime.Eval(map[string]interface{}{\n    \"inline\": map[string]interface{}{\n        \"foo\": \"ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey\",\n        \"bar\": map[string]interface{}{\n            \"baz\": \"ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey\",\n        },\n    },\n})\n```\n\nNow `valsRendered` contains a `map[string]interface{}` representation of the below:\n\n```console\ncat \u003c\u003cEOF\ninline:\n  foo: $(vault read -format=json mykv/foo | jq -r .data.mykey)\n  bar:\n    baz: $(vault read -format=json mykv/foo | jq -r .data.mykey)\nEOF\n```\n\n## Expression Syntax\n\n`vals` finds and replaces every occurrence of a `ref+BACKEND://PATH[?PARAMS][#FRAGMENT][+]` URI-like expression within a string at a value position with the retrieved secret value.\n\n`BACKEND` is the identifier of one of the [supported 
backends](#supported-backends).\n\n`PATH` is the backend-specific path of the secret to be retrieved.\n\n`PARAMS` is a list of key-value pairs, where each key and value are joined with the \"=\" character and the pairs are joined with \"\u0026\" characters. It corresponds to the \"query\" component of the URI as defined in [RFC3986](https://www.rfc-editor.org/rfc/rfc3986).\n\n`FRAGMENT` is a path-like expression used to extract a single value from within the secret. When a fragment is specified, `vals` parses the secret value denoted by `PATH` as a YAML or JSON object, traverses the object following the fragment, and uses the value found at that path as the final secret value. It corresponds to the \"fragment\" component of the URI as defined in [RFC3986](https://www.rfc-editor.org/rfc/rfc3986).\n\nFinally, the optional trailing `+` is the explicit \"end\" of the expression. You usually don't need it: if it is omitted, everything after `ref+` up to the end of the line is treated as the expression to be evaluated. An explicit `+` is handy when you want to do a simple string interpolation. 
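The grammar above, reimplemented as an added Go example (illustration code, not the project's `DefaultRefRegexp` or its expansion package): it finds each `ref+BACKEND://PATH[?PARAMS][#FRAGMENT][+]` expression in a string, honours the explicit `+` terminator for interpolation, hands backend, path and params to a resolver, and walks the `#/` fragment through a JSON document the way the per-backend `#/yaml_or_json_key/in/secret` forms later in this README describe. The `echo` backend mirrors the project's echo provider, which echoes `PATH` back; the `mem` backend, `DemoResolve` and the stored document are this example's own constructed stand-ins, and the regexp is a simplification that stops at whitespace.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Resolver fetches the raw secret for one backend/path pair; PARAMS are passed through.
type Resolver func(backend, path string, params url.Values) (string, error)

// refPattern approximates ref+BACKEND://PATH[?PARAMS][#FRAGMENT][+]. It is an illustration,
// not the project's DefaultRefRegexp: here an expression ends at an explicit "+", at
// whitespace or at end of input, so PATH, PARAMS and FRAGMENT may not contain either.
var refPattern = regexp.MustCompile(
	`ref\+([a-z0-9]+)://([^?#\s+]*)(?:\?([^#\s+]*))?(?:#([^\s+]*))?\+?`)

// Expand replaces every ref+ expression in s with its resolved value. The first failure
// aborts the whole expansion, so a typo in one reference never ships a half-rendered file.
func Expand(s string, resolve Resolver) (string, error) {
	var firstErr error
	out := refPattern.ReplaceAllStringFunc(s, func(m string) string {
		sub := refPattern.FindStringSubmatch(m) // 1=backend 2=path 3=params 4=fragment
		params, err := url.ParseQuery(sub[3])
		var val string
		if err == nil {
			val, err = resolve(sub[1], sub[2], params)
		}
		if err == nil {
			val, err = ApplyFragment(val, sub[4])
		}
		if err != nil {
			if firstErr == nil {
				firstErr = fmt.Errorf("%s: %w", m, err)
			}
			return m // leave the expression untouched; the caller sees the error
		}
		return val
	})
	return out, firstErr
}

// ApplyFragment parses raw as a JSON document (vals also accepts YAML; JSON keeps this
// example standard-library only) and walks the "/"-separated fragment through maps and arrays.
func ApplyFragment(raw, fragment string) (string, error) {
	if fragment == "" {
		return raw, nil
	}
	var node interface{}
	if err := json.Unmarshal([]byte(raw), &node); err != nil {
		return "", fmt.Errorf("fragment %q given but secret is not a JSON document: %w", fragment, err)
	}
	for _, key := range strings.Split(strings.TrimPrefix(fragment, "/"), "/") {
		switch cur := node.(type) {
		case map[string]interface{}:
			next, ok := cur[key]
			if !ok {
				return "", fmt.Errorf("fragment %q: key %q not found", fragment, key)
			}
			node = next
		case []interface{}:
			i, err := strconv.Atoi(key)
			if err != nil || i < 0 || i >= len(cur) {
				return "", fmt.Errorf("fragment %q: bad index %q", fragment, key)
			}
			node = cur[i]
		default:
			return "", fmt.Errorf("fragment %q: cannot descend into scalar at %q", fragment, key)
		}
	}
	if s, ok := node.(string); ok {
		return s, nil
	}
	b, err := json.Marshal(node) // non-scalar results are re-serialised as JSON (example's choice)
	return string(b), err
}

// demoStore is constructed sample data standing in for a real secrets backend.
var demoStore = map[string]string{"myteam/mydoc": `{"foo":{"bar":"deep"},"list":["a","b"]}`}

// DemoResolve serves two backends: "echo", which returns PATH itself like the project's
// echo provider, and "mem", a hypothetical in-memory store backed by demoStore.
func DemoResolve(backend, path string, _ url.Values) (string, error) {
	switch backend {
	case "echo":
		return path, nil
	case "mem":
		if v, ok := demoStore[path]; ok {
			return v, nil
		}
		return "", fmt.Errorf("mem: %q not found", path)
	}
	return "", fmt.Errorf("unsupported backend %q", backend)
}

func main() { fmt.Println(Expand("foo ref+echo://SECRET1+ ref+echo://SECRET2+ bar", DemoResolve)) }
```

`Expand` fails closed: one unresolvable reference or a fragment that points at a missing key fails the whole expansion instead of leaving a literal `ref+...` string in output that is about to be applied to a cluster.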
For example, `foo ref+SECRET1+ ref+SECRET2+ bar` evaluates to `foo SECRET1_VALUE SECRET2_VALUE bar`.\n\nAlthough we mention the RFC for the sake of explanation, `PARAMS` and `FRAGMENT` might not be fully RFC-compliant, because under the hood we use a simple regexp that has worked for most use-cases.\n\nThe regexp is defined as [DefaultRefRegexp](https://github.com/helmfile/vals/blob/86bccbee4d5f430b7d24b2e3af781336767c0d35/pkg/expansion/expand_match.go#L15) in our code base.\n\nPlease see the [relevant unit test cases](https://github.com/helmfile/vals/blob/main/pkg/expansion/expand_match_test.go) for exactly which patterns are supposed to work with `vals`.\n\n## Supported Backends\n\n- [vals](#vals)\n  - [Installation](#installation)\n    - [Download binary (Linux, macOS, Windows)](#download-binary-linux-macos-windows)\n    - [homebrew (macOS, Linux)](#homebrew-macos-linux)\n    - [Arch Linux](#arch-linux)\n    - [Alpine Linux Edge](#alpine-linux-edge)\n    - [MacPorts (macOS)](#macports-macos)\n    - [Nix / NixOS](#nix--nixos)\n    - [Scoop (Windows)](#scoop-windows)\n  - [Usage](#usage)\n    - [CLI](#cli)\n    - [Helm](#helm)\n    - [Go](#go)\n  - [Expression Syntax](#expression-syntax)\n  - [Supported Backends](#supported-backends)\n    - [Vault](#vault)\n    - [Authentication](#authentication)\n    - [OpenBao](#openbao)\n    - [AWS](#aws)\n      - [AWS SDK Logging Configuration](#aws-sdk-logging-configuration)\n      - [AWS SSM Parameter Store](#aws-ssm-parameter-store)\n      - [AWS Secrets Manager](#aws-secrets-manager)\n      - [AWS S3](#aws-s3)\n      - [AWS KMS](#aws-kms)\n      - [Google GCS](#google-gcs)\n    - [GCP Secrets Manager](#gcp-secrets-manager)\n    - [GCP KMS](#gcp-kms)\n    - [Google Sheets](#google-sheets)\n    - [Terraform (tfstate)](#terraform-tfstate)\n    - [Terraform in GCS bucket (tfstategs)](#terraform-in-gcs-bucket-tfstategs)\n    - [Terraform in S3 bucket (tfstates3)](#terraform-in-s3-bucket-tfstates3)\n    - [Terraform in AzureRM Blob 
storage (tfstateazurerm)](#terraform-in-azurerm-blob-storage-tfstateazurerm)\n    - [Terraform in Terraform Cloud / Terraform Enterprise (tfstateremote)](#terraform-in-terraform-cloud--terraform-enterprise-tfstateremote)\n    - [SOPS](#sops)\n    - [Keychain](#keychain)\n    - [Echo](#echo)\n    - [File](#file)\n    - [Azure Key Vault](#azure-key-vault)\n      - [Authentication](#authentication-1)\n    - [EnvSubst](#envsubst)\n    - [GitLab Secrets](#gitlab-secrets)\n    - [1Password](#1password)\n    - [1Password Connect](#1password-connect)\n    - [Doppler](#doppler)\n    - [Pulumi State](#pulumi-state)\n    - [Kubernetes](#kubernetes)\n    - [Conjur](#conjur)\n    - [HCP Vault Secrets](#hcp-vault-secrets)\n    - [Bitwarden](#bitwarden)\n    - [Yandex Cloud Lockbox](#yandex-cloud-lockbox)\n      - [Authentication](#authentication-2)\n    - [HTTP JSON](#http-json)\n      - [Fetch string value](#fetch-string-value)\n      - [Fetch integer value](#fetch-integer-value)\n    - [Delinea Secret Server](#secretserver)\n  - [Advanced Usages](#advanced-usages)\n    - [Discriminating config and secrets](#discriminating-config-and-secrets)\n  - [Non-Goals](#non-goals)\n    - [Complex String-Interpolation / Template Functions](#complex-string-interpolation--template-functions)\n    - [Merge](#merge)\n\nPlease see [pkg/providers](https://github.com/helmfile/vals/tree/master/pkg/providers) for the implementations of all the providers. 
Each provider package is named after its URI scheme.\n\n### Vault\n\n- `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT\u0026token_file=PATH/TO/FILE\u0026token_env=VAULT_TOKEN\u0026namespace=VAULT_NAMESPACE]#/fieldkey`\n- `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT\u0026auth_method=approle\u0026role_id=ce5e571a-f7d4-4c73-93dd-fd6922119839\u0026secret_id=5c9194b9-585e-4539-a865-f45604bd6f56]#/fieldkey`\n- `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT\u0026auth_method=kubernetes\u0026role_id=K8S-ROLE]#/fieldkey`\n- `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT\u0026auth_method=userpass\u0026username=some-user\u0026password_file=PATH/TO/FILE\u0026password_env=VAULT_PASSWORD]#/fieldkey`\n\n* `address` defaults to the value of the `VAULT_ADDR` envvar.\n* `namespace` defaults to the value of the `VAULT_NAMESPACE` envvar.\n* `auth_method` defaults to `token` and can also be set via the `VAULT_AUTH_METHOD` envvar.\n* `role_id` defaults to the value of the `VAULT_ROLE_ID` envvar.\n* `secret_id` defaults to the value of the `VAULT_SECRET_ID` envvar. Prefer the envvar over the query parameter: a `secret_id` written into the URI is an AppRole credential sitting in the very document you intend to commit.\n* `version` is the specific version of the secret to be obtained. Use it when you want a previous version of the secret's contents.\n\n### Authentication\n\nThe `auth_method` parameter or the `VAULT_AUTH_METHOD` envvar configures how `vals` authenticates to HashiCorp Vault. Currently only these options are supported:\n\n* [approle](https://www.vaultproject.io/docs/auth/approle#via-the-api): requires you to pass a `role_id` together with a `secret_id`.\n* [token](https://www.vaultproject.io/docs/auth/token): you just need to create a token and pass it in `VAULT_TOKEN`. If `VAULT_TOKEN` isn't set, the token is read from the file named by the `VAULT_TOKEN_FILE` envvar, or from `~/.vault-token`.\n* [kubernetes](https://www.vaultproject.io/docs/auth/kubernetes): if you're running inside a Kubernetes cluster, you can use this option. 
It requires you to [configure](https://www.vaultproject.io/docs/auth/kubernetes#configuration) a policy, a Kubernetes role, a service account and a JWT token. The login path can also be set using the environment variable `VAULT_KUBERNETES_MOUNT_POINT` (default is `/kubernetes`). You must also set `role_id` or the `VAULT_ROLE_ID` envvar to the Kubernetes role. You can also specify a custom token path using the `VAULT_KUBERNETES_JWT_TOKEN_PATH` environment variable.\n* [userpass](https://developer.hashicorp.com/vault/docs/auth/userpass): you need to provide a username, e.g. via `VAULT_USERNAME`, and a password read either from the file named by `VAULT_PASSWORD_FILE` or from the environment variable named by `VAULT_PASSWORD_ENV`. `VAULT_PASSWORD_ENV` takes precedence over `VAULT_PASSWORD_FILE`.\n\nExamples:\n\n- `ref+vault://mykv/foo?address=https://vault1.example.com:8200#/bar` reads the value for the field `bar` in the kv `foo` on the Vault listening on `https://vault1.example.com` with the Vault token read from **the envvar `VAULT_TOKEN`, or the file `~/.vault-token` when the envvar is not set**\n- `ref+vault://mykv/foo?token_env=VAULT_TOKEN_VAULT1\u0026namespace=ns1\u0026address=https://vault1.example.com:8200#/bar` reads the value for the field `bar` from namespace `ns1` in the kv `foo` on the Vault listening on `https://vault1.example.com` with the Vault token read from **the envvar `VAULT_TOKEN_VAULT1`**\n- `ref+vault://mykv/foo?token_file=~/.vault_token_vault1\u0026address=https://vault1.example.com:8200#/bar` reads the value for the field `bar` in the kv `foo` on the Vault listening on `https://vault1.example.com` with the Vault token read from **the file `~/.vault_token_vault1`**\n- `ref+vault://mykv/foo?auth_method=kubernetes\u0026role_id=my-kube-role#/bar` uses the Kubernetes role to log in to Vault (`auth_method` is needed here because it defaults to `token`; setting `VAULT_AUTH_METHOD=kubernetes` in the environment works too)\n- `ref+vault://mykv/foo?auth_method=userpass\u0026username=some-user\u0026password_env=VAULT_PASSWORD#/bar` uses `userpass` authentication with the password read from the envvar `VAULT_PASSWORD`\n- 
`ref+vault://mykv/foo?auth_method=userpass\u0026username=some-user\u0026password_file=PATH/TO/FILE#/bar` uses `userpass` authentication with the password read from the file `PATH/TO/FILE`\n\n### OpenBao\n\n[OpenBao](https://openbao.org/) is an open source, community-driven fork of Vault managed by the Linux Foundation. It provides the same secrets management capabilities as Vault and is API-compatible.\n\n- `ref+openbao://PATH/TO/KVBACKEND[?address=BAO_ADDR:PORT\u0026token_file=PATH/TO/FILE\u0026token_env=BAO_TOKEN\u0026namespace=BAO_NAMESPACE]#/fieldkey`\n- `ref+openbao://PATH/TO/KVBACKEND[?address=BAO_ADDR:PORT\u0026auth_method=approle\u0026role_id=ce5e571a-f7d4-4c73-93dd-fd6922119839\u0026secret_id=5c9194b9-585e-4539-a865-f45604bd6f56]#/fieldkey`\n- `ref+openbao://PATH/TO/KVBACKEND[?address=BAO_ADDR:PORT\u0026auth_method=kubernetes\u0026role_id=K8S-ROLE]#/fieldkey`\n- `ref+openbao://PATH/TO/KVBACKEND[?address=BAO_ADDR:PORT\u0026auth_method=userpass\u0026username=some-user\u0026password_file=PATH/TO/FILE\u0026password_env=BAO_PASSWORD]#/fieldkey`\n\n* `address` defaults to the value of the `BAO_ADDR` envvar.\n* `namespace` defaults to the value of the `BAO_NAMESPACE` envvar.\n* `auth_method` defaults to `token` and can also be set via the `BAO_AUTH_METHOD` envvar.\n* `role_id` defaults to the value of the `BAO_ROLE_ID` envvar.\n* `secret_id` defaults to the value of the `BAO_SECRET_ID` envvar. As with Vault, prefer the envvar so that the AppRole `secret_id` does not end up in a committed document.\n* `version` is the specific version of the secret to be obtained. Use it when you want a previous version of the secret's contents.\n\nThe `auth_method` parameter or the `BAO_AUTH_METHOD` envvar configures how `vals` authenticates to OpenBao. The following methods are supported:\n\n* [approle](https://openbao.org/docs/auth/approle/): requires you to pass a `role_id` together with a `secret_id`.\n* [token](https://openbao.org/docs/auth/token/): you just need to create a token and pass it in `BAO_TOKEN`. 
If `BAO_TOKEN` isn't set, the token is read from the file named by the `BAO_TOKEN_FILE` envvar, or from `~/.bao-token`.\n* [kubernetes](https://openbao.org/docs/auth/kubernetes/): if you're running inside a Kubernetes cluster, you can use this option. It requires you to configure a policy, a Kubernetes role, a service account and a JWT token. The login path can also be set using the environment variable `BAO_KUBERNETES_MOUNT_POINT` (default is `/kubernetes`). You must also set `role_id` or the `BAO_ROLE_ID` envvar to the Kubernetes role.\n* [userpass](https://openbao.org/docs/auth/userpass/): you need to provide a username, e.g. via `BAO_USERNAME`, and a password read either from the file named by `BAO_PASSWORD_FILE` or from the environment variable named by `BAO_PASSWORD_ENV`. `BAO_PASSWORD_ENV` takes precedence over `BAO_PASSWORD_FILE`.\n\nExamples:\n\n- `ref+openbao://mykv/foo?address=https://bao.example.com:8200#/bar` reads the value for the field `bar` in the kv `foo` on the OpenBao listening on `https://bao.example.com` with the token read from **the envvar `BAO_TOKEN`, or the file `~/.bao-token` when the envvar is not set**\n- `ref+openbao://mykv/foo?token_env=BAO_TOKEN_BAO1\u0026namespace=ns1\u0026address=https://bao.example.com:8200#/bar` reads the value for the field `bar` from namespace `ns1` in the kv `foo` on the OpenBao listening on `https://bao.example.com` with the token read from **the envvar `BAO_TOKEN_BAO1`**\n- `ref+openbao://mykv/foo?token_file=~/.bao_token_bao1\u0026address=https://bao.example.com:8200#/bar` reads the value for the field `bar` in the kv `foo` on the OpenBao listening on `https://bao.example.com` with the token read from **the file `~/.bao_token_bao1`**\n- `ref+openbao://mykv/foo?auth_method=kubernetes\u0026role_id=my-kube-role#/bar` uses the Kubernetes role to log in to OpenBao (`auth_method` is needed here because it defaults to `token`)\n- `ref+openbao://mykv/foo?auth_method=userpass\u0026username=some-user\u0026password_env=BAO_PASSWORD#/bar` uses `userpass` authentication with the password read from the envvar `BAO_PASSWORD`\n- 
`ref+openbao://mykv/foo?auth_method=userpass\u0026username=some-user\u0026password_file=PATH/TO/FILE#/bar` uses `userpass` authentication with the password read from the file `PATH/TO/FILE`\n\n### AWS\n\nThere are four providers for AWS:\n\n- SSM Parameter Store\n- Secrets Manager\n- S3\n- KMS\n\nAll four providers support specifying the AWS region and profile via envvars or options:\n\n- The AWS profile can be specified via the option `profile=AWS_PROFILE_NAME` or the envvar `AWS_PROFILE`\n- The AWS region can be specified via the option `region=AWS_REGION_NAME` or the envvar `AWS_DEFAULT_REGION`\n\n#### AWS SDK Logging Configuration\n\nYou can control AWS SDK request logging verbosity using the `AWS_SDK_GO_LOG_LEVEL` environment variable. This applies to all AWS providers (SSM, Secrets Manager, S3, KMS).\n\n**Supported values** (case-insensitive, comma-separated):\n- `off` - Disable all AWS SDK logging\n- `retries` - Log retry attempts\n- `request` - Log requests (without body)\n- `request_with_body` - Log requests with body content\n- `response` - Log responses (without body)\n- `response_with_body` - Log responses with body content\n- `signing` - Log request signing information\n\n`response_with_body` writes the fetched secret values into the log, and `request_with_body` and `signing` expose request payloads and signing details; reserve these for local debugging and keep them off in CI or deployment logs that are retained or shared.\n\n**Examples:**\n```bash\n# Disable all AWS SDK logging\nexport AWS_SDK_GO_LOG_LEVEL=off\n\n# Log only retries\nexport AWS_SDK_GO_LOG_LEVEL=retries\n\n# Log requests and responses (without bodies)\nexport AWS_SDK_GO_LOG_LEVEL=request,response\n\n# Log everything\nexport AWS_SDK_GO_LOG_LEVEL=retries,request,response,signing\n\n# Default behavior (when not set): retries,request\n```\n\nWhen `AWS_SDK_GO_LOG_LEVEL` is not set, vals defaults to logging retries and requests for backward compatibility.\n\n#### AWS SSM Parameter Store\n\n- `ref+awsssm://PATH/TO/PARAM[?region=REGION\u0026role_arn=ASSUMED_ROLE_ARN]`\n- `ref+awsssm://PREFIX/TO/PARAMS[?region=REGION\u0026role_arn=ASSUMED_ROLE_ARN\u0026mode=MODE\u0026version=VERSION]#/PATH/TO/PARAM`\n\nThe first form results in a `GetParameter` call and causes the 
reference to be replaced with the value of the parameter.\n\nThe second form is handy but fairly complex.\n\n- If `mode` is not set, `vals` uses `GetParametersByPath(/PREFIX/TO/PARAMS)` and caches the result per prefix rather than per single path, to reduce the number of API calls\n- If `mode` is `singleparam`, `vals` uses `GetParameter` to obtain the value of the parameter `/PREFIX/TO/PARAMS`, parses the value as a YAML hash and extracts the value at the YAML path `PATH.TO.PARAM`.\n  - When `version` is set, `vals` uses `GetParameterHistoryPages` instead of `GetParameter`.\n\nFor the second form, you can optionally specify `recursive=true` to enable the recursive option of the GetParametersByPath API.\n\nLet's say you had a number of parameters like:\n\n```\nNAME        VALUE\n/foo/bar    {\"BAR\":\"VALUE\"}\n/foo/bar/a  A\n/foo/bar/b  B\n```\n\n- `ref+awsssm://foo/bar` and `ref+awsssm://foo#/bar` both result in `{\"BAR\":\"VALUE\"}`\n- `ref+awsssm://foo/bar/a`, `ref+awsssm://foo/bar?#/a`, and `ref+awsssm://foo?recursive=true#/bar/a` all result in `A`\n- `ref+awsssm://foo/bar?mode=singleparam#/BAR` results in `VALUE`.\n\nOn the other hand,\n\n- `ref+awsssm://foo/bar#/BAR` fails because `/foo/bar` evaluates to `{\"a\":\"A\",\"b\":\"B\"}`.\n- `ref+awsssm://foo?recursive=true#/bar` fails because `/foo?recursive=true` internally evaluates to `{\"foo\":{\"a\":\"A\",\"b\":\"B\"}}`\n\n#### AWS Secrets Manager\n\n- `ref+awssecrets://PATH/TO/SECRET[?region=REGION\u0026role_arn=ASSUMED_ROLE_ARN\u0026version_stage=STAGE\u0026version_id=ID]`\n- `ref+awssecrets://PATH/TO/SECRET[?region=REGION\u0026role_arn=ASSUMED_ROLE_ARN\u0026version_stage=STAGE\u0026version_id=ID]#/yaml_or_json_key/in/secret`\n- `ref+awssecrets://ACCOUNT:ARN:secret:/PATH/TO/PARAM[?region=REGION\u0026role_arn=ASSUMED_ROLE_ARN]`\n\nThe third form allows you to reference a secret in another AWS account (if your cross-account secret permissions are configured).\n\nExamples:\n\n- `ref+awssecrets://myteam/mykey`\n- 
`ref+awssecrets://myteam/mydoc#/foo/bar`\n- `ref+awssecrets://myteam/mykey?region=us-west-2`\n- `ref+awssecrets://arn:aws:secretsmanager:\u003cREGION\u003e:\u003cACCOUNT_ID\u003e:secret:/myteam/mydoc/?region=ap-southeast-2#/secret/key`\n\n#### AWS S3\n\n- `ref+s3://BUCKET/KEY/OF/OBJECT[?region=REGION\u0026profile=AWS_PROFILE\u0026role_arn=ASSUMED_ROLE_ARN\u0026version_id=ID]`\n- `ref+s3://BUCKET/KEY/OF/OBJECT[?region=REGION\u0026profile=AWS_PROFILE\u0026role_arn=ASSUMED_ROLE_ARN\u0026version_id=ID]#/yaml_or_json_key/in/secret`\n\nExamples:\n\n- `ref+s3://mybucket/mykey`\n- `ref+s3://mybucket/myjsonobj#/foo/bar`\n- `ref+s3://mybucket/myyamlobj#/foo/bar`\n- `ref+s3://mybucket/mykey?region=us-west-2`\n- `ref+s3://mybucket/mykey?profile=prod`\n\n#### AWS KMS\n\n- `ref+awskms://BASE64CIPHERTEXT[?region=REGION\u0026profile=AWS_PROFILE\u0026role_arn=ASSUMED_ROLE_ARN\u0026alg=ENCRYPTION_ALGORITHM\u0026key=KEY_ID\u0026context=URL_ENCODED_JSON]`\n- `ref+awskms://BASE64CIPHERTEXT[?region=REGION\u0026profile=AWS_PROFILE\u0026role_arn=ASSUMED_ROLE_ARN\u0026alg=ENCRYPTION_ALGORITHM\u0026key=KEY_ID\u0026context=URL_ENCODED_JSON]#/yaml_or_json_key/in/secret`\n\nDecrypts the URL-safe base64-encoded ciphertext using AWS KMS. 
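As an added example (not the project's code), here is a Go helper that builds a `ref+awskms://` expression from the standard-base64 `CiphertextBlob` that `aws kms encrypt` prints: it switches the blob to the URL-safe alphabet, percent-encodes the `key` value and the JSON encryption `context`, and appends an optional fragment, following the parameter descriptions in this section. `BuildAWSKMSRef`, `KMSRefOptions`, `ToURLSafeBase64`, `EncodeContext` and the sample bytes are this example's own names and constructed data, not vals APIs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// KMSRefOptions holds the optional query parameters documented for ref+awskms.
type KMSRefOptions struct {
	Region  string
	Profile string
	RoleARN string
	Alg     string            // SYMMETRIC_DEFAULT (default), RSAES_OAEP_SHA_1 or RSAES_OAEP_SHA_256
	Key     string            // key id, key ARN, alias or alias ARN; percent-encoded by BuildAWSKMSRef
	Context map[string]string // encryption context used at encrypt time; KMS rejects a mismatch
}

// ToURLSafeBase64 turns the standard-base64 CiphertextBlob printed by `aws kms encrypt`
// into the URL-safe alphabet ('+' -> '-', '/' -> '_'), the same change `tr '/+' '_-'` makes.
// Decoding first rejects corrupt input instead of emitting a ref that can never decrypt.
func ToURLSafeBase64(stdB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(stdB64))
	if err != nil {
		return "", fmt.Errorf("ciphertext is not valid standard base64: %w", err)
	}
	return base64.URLEncoding.EncodeToString(raw), nil
}

// EncodeContext serialises the encryption context as JSON (encoding/json writes map keys
// in sorted order, so the output is stable across runs) and percent-encodes it for context=.
func EncodeContext(ctx map[string]string) (string, error) {
	if len(ctx) == 0 {
		return "", nil
	}
	b, err := json.Marshal(ctx)
	if err != nil {
		return "", err
	}
	return url.QueryEscape(string(b)), nil
}

// BuildAWSKMSRef assembles ref+awskms://CIPHERTEXT[?params][#fragment]. The query is joined
// by hand so already-encoded values are not encoded twice and parameter order is stable,
// which keeps diffs of committed refs readable.
func BuildAWSKMSRef(stdB64Ciphertext string, opts KMSRefOptions, fragment string) (string, error) {
	ct, err := ToURLSafeBase64(stdB64Ciphertext)
	if err != nil {
		return "", err
	}
	ctx, err := EncodeContext(opts.Context)
	if err != nil {
		return "", err
	}
	var params []string
	add := func(k, v string) {
		if v != "" {
			params = append(params, k+"="+v)
		}
	}
	add("region", opts.Region)
	add("profile", opts.Profile)
	add("role_arn", opts.RoleARN) // shown unencoded in the forms above
	add("alg", opts.Alg)
	add("key", url.QueryEscape(opts.Key)) // ':' and '/' in ARNs and aliases become %3A and %2F
	add("context", ctx)
	ref := "ref+awskms://" + ct
	if len(params) > 0 {
		ref += "?" + strings.Join(params, "&")
	}
	if fragment != "" {
		ref += "#" + fragment
	}
	return ref, nil
}

func main() {
	// Constructed sample: bytes fb ff bf 00 are "+/+/AA==" in standard base64, a blob that
	// contains both characters the URL-safe alphabet replaces. Not a real KMS ciphertext.
	ref, err := BuildAWSKMSRef("+/+/AA==", KMSRefOptions{
		Alg:     "RSAES_OAEP_SHA_256",
		Key:     "alias/ExampleAlias",
		Context: map[string]string{"hello": "world", "foo": "bar"},
	}, "/foo/bar")
	fmt.Println(ref, err)
}
```

Because the context is marshalled with sorted keys, the same map always yields the same `context=` string, so a committed ref only changes in a diff when the ciphertext or a parameter really changed.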
Note that URL-safe base64 encoding is\nthe same as \"traditional\" base64 encoding, except it uses `_` and `-` in place of `/` and `+`, respectively.\nFor example, to get a URL-safe base64-encoded ciphertext using the AWS CLI, you might run\n```\naws kms encrypt \\\n  --key-id alias/example \\\n  --plaintext $(echo -n \"hello, world\" | base64 -w0) \\\n  --query CiphertextBlob \\\n  --output text |\n  tr '/+' '_-'\n```\n\nValid values for `alg` include:\n* `SYMMETRIC_DEFAULT` (the default)\n* `RSAES_OAEP_SHA_1`\n* `RSAES_OAEP_SHA_256`\n\nValid value formats for `key` include:\n* A key id `1234abcd-12ab-34cd-56ef-1234567890ab`\n* A URL-encoded key id ARN: `arn%3Aaws%3Akms%3Aus-east-2%3A111122223333%3Akey%2F1234abcd-12ab-34cd-56ef-1234567890ab`\n* A URL-encoded key alias: `alias%2FExampleAlias`\n* A URL-encoded key alias ARN: `arn%3Aaws%3Akms%3Aus-east-2%3A111122223333%3Aalias%2FExampleAlias`\n\nFor ciphertext encrypted with a symmetric key, the `key` field may be omitted. For ciphertext\nencrypted with a key in your own account, a plain key id or alias can be used. If the encryption\nkey is from another AWS account, you must use the key or alias ARN.\n\nUse the `context` parameter to optionally specify the encryption context used when encrypting the\nciphertext. Format it by URL-encoding the JSON representation of the encryption context. 
For example,\nif the encryption context is `{\"foo\":\"bar\",\"hello\":\"world\"}`, then you would represent that as\n`context=%7B%22foo%22%3A%22bar%22%2C%22hello%22%3A%22world%22%7D`.\n\nExamples:\n- `ref+awskms://AQICAHhy_i8hQoGLOE46PVJyinH...WwHKT0i3H0znHRHwfyC7AGZ8ek=`\n- `ref+awskms://AQICAHhy...nHRHwfyC7AGZ8ek=#/foo/bar`\n- `ref+awskms://AQICAHhy...WwHKT0i3AGZ8ek=?context=%7B%22foo%22%3A%22bar%22%2C%22hello%22%3A%22world%22%7D`\n- `ref+awskms://AQICAVJyinH...WwHKT0iC7AGZ8ek=?alg=RSAES_OAEP_SHA_1\u0026key=alias%2FExampleAlias`\n- `ref+awskms://AQICA...fyC7AGZ8ek=?alg=RSAES_OAEP_SHA_256\u0026key=arn%3Aaws%3Akms%3Aus-east-2%3A111122223333%3Akey%2F1234abcd-12ab-34cd-56ef-1234567890ab\u0026context=%7B%22foo%22%3A%22bar%22%2C%22hello%22%3A%22world%22%7D`\n\n#### Google GCS\n- `ref+gcs://BUCKET/KEY/OF/OBJECT[?generation=ID]`\n- `ref+gcs://BUCKET/KEY/OF/OBJECT[?generation=ID]#/yaml_or_json_key/in/secret`\n\nExamples:\n\n- `ref+gcs://mybucket/mykey`\n- `ref+gcs://mybucket/myjsonobj#/foo/bar`\n- `ref+gcs://mybucket/myyamlobj#/foo/bar`\n- `ref+gcs://mybucket/mykey?generation=1639567476974625`\n\n### GCP Secrets Manager\n\n- `ref+gcpsecrets://PROJECT/SECRET[?version=VERSION]`\n- `ref+gcpsecrets://PROJECT/SECRET[?version=VERSION]#/yaml_or_json_key/in/secret`\n- `ref+gcpsecrets://PROJECT/SECRET[?version=VERSION][\u0026fallback=valuewhenkeyisnotfound][\u0026optional=true][\u0026trim_nl=true]#/yaml_or_json_key/in/secret`\n\nExamples:\n\n- `ref+gcpsecrets://myproject/mysecret`\n- `ref+gcpsecrets://myproject/mysecret?version=3`\n- `ref+gcpsecrets://myproject/mysecret?version=3#/yaml_or_json_key/in/secret`\n\n\u003e NOTE: Got an error like `expand gcpsecrets://project/secret-name?version=1: failed to get secret: rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.`?\n\u003e\n\u003e In some cases, such as when you need to use alternative credentials or a different project,\n\u003e you'll likely need to set the `GOOGLE_APPLICATION_CREDENTIALS` and/or `GCP_PROJECT` 
envvars.\n\nIf the `GCP_PROJECT` environment variable is set, the project name can be omitted from the URI, like:\n\n- `ref+gcpsecrets://mysecret`\n- `ref+gcpsecrets://mysecret?version=3`\n\n### GCP KMS\n\n- `ref+gkms://BASE64CIPHERTEXT?project=myproject\u0026location=global\u0026keyring=mykeyring\u0026crypto_key=mykey`\n- `ref+gkms://BASE64CIPHERTEXT?project=myproject\u0026location=global\u0026keyring=mykeyring\u0026crypto_key=mykey#/yaml_or_json_key/in/secret`\n\nDecrypts the URL-safe base64-encoded ciphertext using GCP KMS. Note that URL-safe base64 encoding is the same as \"traditional\" base64 encoding, except it uses `_` and `-` in place of `/` and `+`, respectively. For example, to get a URL-safe base64-encoded ciphertext using the GCP CLI, you might run\n```\necho test | gcloud kms encrypt \\\n  --project myproject \\\n  --location global \\\n  --keyring mykeyring \\\n  --key mykey \\\n  --plaintext-file - \\\n  --ciphertext-file - \\\n  | base64 -w0 \\\n  | tr '/+' '_-'\n```\n\n### Google Sheets\n\n- `ref+googlesheets://SPREADSHEET_ID?credentials_file=credentials.json#/KEY`\n\nExamples:\n\n- `ref+googlesheets://foobarbaz?credentials_file=credentials.json#/MYENV1` authenticates to the Google Sheets API using the credentials.json file, retrieves the KVs from the sheet with the spreadsheet ID \"foobarbaz\", and returns the value for the key \"MYENV1\". The `credentials.json` can be either a service account JSON key file or a client credentials file. In case it's a client credentials file, vals initiates a WebAuth flow and prints the URL. 
You open the URL with a browser, authenticate yourself there, copy the resulting auth code, input the auth code to vals.\n\n### Terraform (tfstate)\n\n- `ref+tfstate://relative/path/to/some.tfstate/RESOURCE_NAME[?aws_profile=AWS_PROFILE]`\n- `ref+tfstate:///absolute/path/to/some.tfstate/RESOURCE_NAME[?aws_profile=AWS_PROFILE]`\n- `ref+tfstate://relative/path/to/some.tfstate/RESOURCE_NAME[?az_subscription_id=AZ_SUBSCRIPTION_ID]`\n- `ref+tfstate:///absolute/path/to/some.tfstate/RESOURCE_NAME[?az_subscription_id=AZ_SUBSCRIPTION_ID]`\n\nOptions:\n\n`aws_profile`: If non-empty, `vals` tries to let tfstate-lookup to use the specified AWS profile defined in the well-known `~/.credentials` file.\n`az_subscription_id`: If non-empty, `vals` tries to let tfstate-lookup to use the specified Azure Subscription ID.\n\nExamples:\n\n- `ref+tfstate://path/to/some.tfstate/aws_vpc.main.id`\n- `ref+tfstate://path/to/some.tfstate/module.mymodule.aws_vpc.main.id`\n- `ref+tfstate://path/to/some.tfstate/output.OUTPUT_NAME`\n- `ref+tfstate://path/to/some.tfstate/data.thetype.name.foo.bar`\n\nWhen you're using [terraform-aws-vpc](https://github.com/terraform-aws-modules/terraform-aws-vpc) to define a `module \"vpc\"` resource and you wanted to grab the first vpc ARN created by the module:\n\n```\n$ tfstate-lookup -s ./terraform.tfstate module.vpc.aws_vpc.this[0].arn\narn:aws:ec2:us-east-2:ACCOUNT_ID:vpc/vpc-0cb48a12e4df7ad4c\n\n$ echo 'foo: ref+tfstate://terraform.tfstate/module.vpc.aws_vpc.this[0].arn' | vals eval -f -\nfoo: arn:aws:ec2:us-east-2:ACCOUNT_ID:vpc/vpc-0cb48a12e4df7ad4c\n```\n\nYou can also grab a Terraform output by using `output.OUTPUT_NAME` like:\n\n```\n$ tfstate-lookup -s ./terraform.tfstate output.mystack_apply\n```\n\nwhich is equivalent to the following input for `vals`:\n\n```\n$ echo 'foo: ref+tfstate://terraform.tfstate/output.mystack_apply' | vals eval -f -\n```\n\nRemote backends like S3, GCS and AzureRM blob store are also supported. 
When a remote backend is used in your terraform workspace, there should be a local file at `./terraform/terraform.tfstate` that contains the reference to the backend:\n\n```\n{\n    \"version\": 3,\n    \"serial\": 1,\n    \"lineage\": \"f1ad69de-68b8-9fe5-7e87-0cb70d8572c8\",\n    \"backend\": {\n        \"type\": \"s3\",\n        \"config\": {\n            \"access_key\": null,\n            \"acl\": null,\n            \"assume_role_policy\": null,\n            \"bucket\": \"yourbucketnname\",\n```\n\nJust specify the path to that file, so that `vals` is able to transparently make the remote state contents available for you.\n\n### Terraform in GCS bucket (tfstategs)\n\n- `ref+tfstategs://bucket/path/to/some.tfstate/RESOURCE_NAME`\n\nExamples:\n\n- `ref+tfstategs://bucket/path/to/some.tfstate/google_compute_disk.instance.id`\n\nIt allows to use Terraform state stored in GCS bucket with the direct URL to it. You can try to read the state with command:\n\n```\n$ tfstate-lookup -s gs://bucket-with-terraform-state/terraform.tfstate google_compute_disk.instance.source_image_id\n5449927740744213880\n```\n\nwhich is equivalent to the following input for `vals`:\n\n```\n$ echo 'foo: ref+tfstategs://bucket-with-terraform-state/terraform.tfstate/google_compute_disk.instance.source_image_id' | vals eval -f -\n```\n\n### Terraform in S3 bucket (tfstates3)\n\n- `ref+tfstates3://bucket/path/to/some.tfstate/RESOURCE_NAME`\n\nExamples:\n\n- `ref+tfstates3://bucket/path/to/some.tfstate/aws_vpc.main.id`\n\nIt allows to use Terraform state stored in AWS S3 bucket with the direct URL to it. 
You can try reading the state with the command:

```
$ tfstate-lookup -s s3://bucket-with-terraform-state/terraform.tfstate module.vpc.aws_vpc.this[0].arn
arn:aws:ec2:us-east-2:ACCOUNT_ID:vpc/vpc-0cb48a12e4df7ad4c
```

which is equivalent to the following input for `vals`:

```
$ echo 'foo: ref+tfstates3://bucket-with-terraform-state/terraform.tfstate/module.vpc.aws_vpc.this[0].arn' | vals eval -f -
```

### Terraform in AzureRM Blob storage (tfstateazurerm)

- `ref+tfstateazurerm://{resource_group_name}/{storage_account_name}/{container_name}/{blob_name}.tfstate/RESOURCE_NAME[?az_subscription_id=SUBSCRIPTION_ID]`

Examples:

- `ref+tfstateazurerm://my_rg/my_storage_account/terraform-backend/unique.terraform.tfstate/output.virtual_network.name`
- `ref+tfstateazurerm://my_rg/my_storage_account/terraform-backend/unique.terraform.tfstate/output.virtual_network.name?az_subscription_id=abcd-efgh-ijlk-mnop`

It allows using Terraform state stored in Azure Blob storage, given the resource group, storage account, container name and blob name. You can try reading the state with the command:

```
$ tfstate-lookup -s azurerm://my_rg/my_storage_account/terraform-backend/unique.terraform.tfstate output.virtual_network.name
```

which is equivalent to the following input for `vals`:

```
$ echo 'foo: ref+tfstateazurerm://my_rg/my_storage_account/terraform-backend/unique.terraform.tfstate/output.virtual_network.name' | vals eval -f -
```

### Terraform in Terraform Cloud / Terraform Enterprise (tfstateremote)

- `ref+tfstateremote://app.terraform.io/{org}/{myworkspace}/RESOURCE_NAME`

Examples:

- `ref+tfstateremote://app.terraform.io/myorg/myworkspace/output.virtual_network.name`

It allows using Terraform state stored in Terraform Cloud / Terraform Enterprise, given the organization and the workspace. You can try reading the state with the command (with the `TFE_TOKEN` variable exported):

```
$ tfstate-lookup -s remote://app.terraform.io/myorg/myworkspace output.virtual_network.name
```

which is equivalent to the following input for `vals`:

```
$ echo 'foo: ref+tfstateremote://app.terraform.io/myorg/myworkspace/output.virtual_network.name' | vals eval -f -
```

### SOPS

- The whole content of a SOPS-encrypted file: `ref+sops://base64_data_or_path_to_file?key_type=[filepath|base64]&format=[binary|dotenv|yaml]`
- The value for the specific path in an encrypted YAML/JSON document: `ref+sops://base64_data_or_path_to_file#/json_or_yaml_key/in/the_encrypted_doc`

Note: When using an inline base64-encoded sops "file", be sure to use URL-safe Base64 encoding.
URL-safe base64 encoding is the same as "traditional" base64 encoding, except it uses `_` and `-` in
place of `/` and `+`, respectively. For example, you might use the following command:
`sops -e <(echo "foo") | base64 -w0 | tr '/+' '_-'`

Examples:

- `ref+sops://path/to/file` reads `path/to/file` as `binary` input
- `ref+sops://<base64>?key_type=base64` reads `<base64>` as the base64-encoded data to be decrypted by sops as `binary`
- `ref+sops://path/to/file#/foo/bar` reads `path/to/file` as a `yaml` file and returns the value at `foo.bar`.
- `ref+sops://path/to/file?format=json#/foo/bar` reads `path/to/file` as a `json` file and returns the value at `foo.bar`.

### Keychain

The Keychain provider is available on macOS only. It reads a secret from the macOS Keychain.

- `ref+keychain://KEY1/[#/path/to/the/value]`

Examples:

- `security add-generic-password -U -a ${USER} -s "secret-name" -D "vals-secret" -w '{"foo":{"bar":"baz"}}'` creates a secret in the Keychain with the name `secret-name` and the value `{"foo":{"bar":"baz"}}`; `vals-secret` is required for `vals` to be able to find the secret in the Keychain.
- `echo 'foo: ref+keychain://secret-name' | vals eval -f -` reads the secret named `secret-name` from the Keychain and replaces `foo` with the secret value.
- `echo 'foo: ref+keychain://secret-name#/foo/bar' | vals eval -f -` reads the secret named `secret-name` from the Keychain and replaces `foo` with the value at the path `$.foo.bar`.

### Echo

The Echo provider echoes the string, for testing purposes. Please read [the original proposal](https://github.com/roboll/helmfile/pull/920#issuecomment-548213738) to see why we might need this.

- `ref+echo://KEY1/KEY2/VALUE[#/path/to/the/value]`

Examples:

- `ref+echo://foo/bar` generates `foo/bar`
- `ref+echo://foo/bar/baz#/foo/bar` generates `baz`. This works because the host and path part `foo/bar/baz` generate the object `{"foo":{"bar":"baz"}}`, and the fragment part `#/foo/bar` digs into that object to obtain the value at `$.foo.bar`.

### File

The File provider reads a local text file, or the value for a specific path in a YAML/JSON file.

- `ref+file://relative/path/to/file[#/path/to/the/value]`
- `ref+file:///absolute/path/to/file[#/path/to/the/value]`

Examples:

- `ref+file://foo/bar` loads the file at `foo/bar`
- `ref+file:///home/foo/bar` loads the file at `/home/foo/bar`
- `ref+file://foo/bar?encode=base64` loads the file at `foo/bar` and encodes its content to a base64 string
- `ref+file://some.yaml#/foo/bar` loads the YAML file at `some.yaml` and reads the value for the path `$.foo.bar`.
  Let's say `some.yaml` contains `{"foo":{"bar":"BAR"}}`; then `key1: ref+file://some.yaml#/foo/bar` results in `key1: BAR`.

### Exec

The Exec provider executes an arbitrary CLI command and uses its stdout as the secret value. This enables integration with any secrets backend that has a CLI tool, without needing a dedicated provider.

- `ref+exec://COMMAND[/ARG1/ARG2][?args=EXTRA1,EXTRA2&timeout=30&trim=true&env_KEY=VALUE][#/json/path]`

The command name is taken from the URI host, and path segments become positional arguments. Additional comma-separated arguments can be appended via the `args` query parameter.
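The URI-to-argv mapping just described, as an added Go illustration written for this README (it is not vals' own implementation; the `ExecRef` type and the `ParseExecRef`, `Resolve` and `dig` names are this example's own, and it models only the JSON case of the `#/json/path` fragment):

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"time"
)

// ExecRef is the parsed form of a ref+exec:// reference (this example's own type, not vals' code).
type ExecRef struct {
	Command  string        // URI host, or the whole path for ref+exec:///abs/path
	Args     []string      // path segments, then the comma-separated ?args= list
	Env      []string      // KEY=VALUE pairs taken from ?env_KEY=VALUE
	Timeout  time.Duration // ?timeout= in seconds, default 30
	Fragment []string      // "#/a/b" becomes ["a", "b"]; nil when absent
}

// ParseExecRef splits a reference per the syntax above (trim=false is not modelled; output is always trimmed).
func ParseExecRef(ref string) (*ExecRef, error) {
	u, err := url.Parse(ref)
	if err != nil || u.Scheme != "ref+exec" {
		return nil, fmt.Errorf("not a ref+exec reference: %q", ref)
	}
	r := &ExecRef{Command: u.Host, Timeout: 30 * time.Second}
	if u.Host == "" {
		r.Command = u.Path // ref+exec:///usr/local/bin/my-tool
	} else if p := strings.Trim(u.Path, "/"); p != "" {
		r.Args = strings.Split(p, "/")
	}
	q := u.Query()
	if a := q.Get("args"); a != "" {
		r.Args = append(r.Args, strings.Split(a, ",")...)
	}
	if secs, err := strconv.Atoi(q.Get("timeout")); err == nil {
		r.Timeout = time.Duration(secs) * time.Second
	}
	for k, vs := range q {
		if strings.HasPrefix(k, "env_") {
			r.Env = append(r.Env, strings.TrimPrefix(k, "env_")+"="+vs[0])
		}
	}
	if u.Fragment != "" {
		r.Fragment = strings.Split(strings.TrimPrefix(u.Fragment, "/"), "/")
	}
	return r, nil
}

// Resolve runs the command as an argv vector with no shell in between, so an
// argument such as "$HOME" or "a;b" reaches the child literally, unexpanded.
func (r *ExecRef) Resolve() (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), r.Timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, r.Command, r.Args...)
	cmd.Env = append(os.Environ(), r.Env...)
	out, err := cmd.Output()
	if err != nil {
		return "", fmt.Errorf("exec %s: %w", r.Command, err)
	}
	s := strings.TrimRight(string(out), " \t\r\n")
	if len(r.Fragment) == 0 {
		return s, nil
	}
	return dig(s, r.Fragment)
}

// dig treats stdout as JSON and walks the fragment path to a string leaf (vals also accepts YAML; JSON only here).
func dig(doc string, path []string) (string, error) {
	var cur any
	if err := json.Unmarshal([]byte(doc), &cur); err != nil {
		return "", fmt.Errorf("stdout is not JSON: %w", err)
	}
	for _, key := range path {
		obj, _ := cur.(map[string]any) // nil (so the lookup fails) if not an object
		next, ok := obj[key]
		if !ok {
			return "", fmt.Errorf("key %q not found under %v", key, path)
		}
		cur = next
	}
	if s, ok := cur.(string); ok {
		return s, nil
	}
	return "", fmt.Errorf("fragment %v must point at a string, got %T", path, cur)
}

func main() {
	// Constructed sample: echo a JSON document back and dig out #/db/password.
	ref := "ref+exec://echo?args=" + url.QueryEscape(`{"db":{"password":"s3cr3t"}}`) + "#/db/password"
	r, err := ParseExecRef(ref)
	if err != nil {
		panic(err)
	}
	fmt.Println(r.Resolve()) // s3cr3t <nil>
}
```

Passing `args=$HOME` to `echo` through the same path returns the literal string `$HOME`, which is exactly the property that direct (shell-free) execution gives you.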
The command is executed directly, without a shell, for security: argument values taken from the URI are passed to the command as-is and are never subject to shell interpretation.

Parameters:

| Parameter | Description | Default |
|---|---|---|
| `args` | Additional comma-separated arguments appended after path args | (none) |
| `timeout` | Execution timeout in seconds | `30` |
| `trim` | Trim trailing whitespace from stdout | `true` |
| `env_KEY` | Set environment variable `KEY` for the child process | (none) |

Examples:

- `ref+exec://echo/hello` — runs `echo hello`, returns `hello`
- `ref+exec://bw/get/password/item-id` — runs `bw get password item-id`
- `ref+exec://my-script.sh?args=--key,my-secret` — runs `my-script.sh --key my-secret`
- `ref+exec://vault-helper.sh?args=read,secret/db#/password` — runs the command, parses JSON/YAML output, and extracts `$.password`
- `ref+exec:///usr/local/bin/my-tool?args=fetch,key1` — absolute path command
- `ref+exec://my-tool?env_API_TOKEN=xyz&timeout=10` — sets env var `API_TOKEN=xyz` with 10s timeout

### Azure Key Vault

Retrieve secrets from Azure Key Vault. The path is used to specify the vault and secret name. Optionally, a specific secret version can be retrieved.

- `ref+azurekeyvault://VAULT-NAME/SECRET-NAME[/VERSION]`

VAULT-NAME is either a simple name if operating in AzureCloud (vault.azure.net) or the full endpoint DNS name when operating against non-default Azure clouds (US Gov Cloud, China Cloud, German Cloud).

Examples:

- `ref+azurekeyvault://my-vault/secret-a`
- `ref+azurekeyvault://my-vault/secret-a/ba4f196b15f644cd9e949896a21bab0d`
- `ref+azurekeyvault://gov-cloud-test.vault.usgovcloudapi.net/secret-b`

#### Authentication

Vals acquires Azure credentials via the [azidentity Go module](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity).

By default, the following authentication types will be tried and the first one that works will be used:

1. [Environment Variables](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#EnvironmentCredential)
1. [Workload Identity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#WorkloadIdentityCredential)
1. [Managed Identity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential)
1. [Azure CLI](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzureCLICredential)
1. [Azure Developer CLI](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzureDeveloperCLICredential)

In practice, the simplest way to authenticate is to log into the Azure CLI using an account that has access to read secrets from the Key Vault in question.

In case you are running in an environment that has multiple authentication types configured at once (and you need to use one that is lower on the list above), you can choose a specific one by setting the environment variable `AZKV_AUTH` to one of the following values.

- Default Behavior: `default` (or unset)
- Workload Identity: `workload`
- Managed Identity: `managed`
- Azure CLI: `cli`
- Azure Developer CLI: `devcli`

### EnvSubst

Environment variable substitution.

- `ref+envsubst://$VAR1`

Examples:

- `ref+envsubst://$VAR1` loads the environment variable `$VAR1`

### GitLab Secrets

For this provider to work you require an [access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) exported as the environment variable `GITLAB_TOKEN`.

- `ref+gitlab://my-gitlab-server.com/[projects/|groups/]id/secret_name?[ssl_verify=false&scheme=https&api_version=v4]`

* `Project variables`

Fetches a CI/CD variable `password` from a `project`. Both forms are equivalent:

- `ref+gitlab://gitlab.com/11111/password`
- `ref+gitlab://gitlab.com/projects/11111/password`

* `Group variables`

Fetches a CI/CD variable `password` from a `group`:

- `ref+gitlab://gitlab.com/groups/2222/password`

Examples:

- `ref+gitlab://gitlab.com/11111/password`
- `ref+gitlab://gitlab.com/projects/11111/password`
- `ref+gitlab://gitlab.com/groups/2222/password`
- `ref+gitlab://my-gitlab.org/11111/password?ssl_verify=true&scheme=https`

### 1Password

For this provider to work, a working [service account token](https://developer.1password.com/docs/service-accounts/get-started/) is required.
The following env var has to be configured:
- `OP_SERVICE_ACCOUNT_TOKEN`

1Password is organized in vaults and items.
An item can have multiple fields with or without a section. Labels can be set on fields and sections.
Vaults, items, sections and labels can be accessed by ID or by label/name (and IDs and labels can be mixed and matched in one URL).

If a section does not have a label, the field is only accessible via the section ID. This does not hold true for some default fields which may have no section at all (e.g. username and password for a `Login` item).

See [Secret reference syntax](https://developer.1password.com/docs/cli/secrets-reference-syntax/) for more information.

*Caution: vals-expressions are parsed as URIs. For the 1Password provider the host component of the URI identifies the vault. Therefore vaults containing certain characters not allowed in the host component (e.g. whitespace, see [RFC-3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2) for details) can only be accessed by ID.*

Examples:

- `ref+op://VAULT_NAME/ITEM_NAME/FIELD_NAME`
- `ref+op://VAULT_ID/ITEM_NAME/FIELD_NAME`
- `ref+op://VAULT_NAME/ITEM_NAME/[SECTION_NAME/]FIELD_NAME`

### 1Password Connect

For this provider to work you require a working and accessible [1Password Connect server](https://developer.1password.com/docs/connect).
The following env vars have to be configured:
- `OP_CONNECT_HOST`
- `OP_CONNECT_TOKEN`

1Password is organized in vaults and items.
An item can have multiple fields with or without a section. Labels can be set on fields and sections.
Vaults, items, sections and labels can be accessed by ID or by label/name (and IDs and labels can be mixed and matched in one URL).

If a section does not have a label, the field is only accessible via the section ID. This does not hold true for some default fields which may have no section at all (e.g. username and password for a `Login` item).

*Caution: vals-expressions are parsed as URIs. For the 1Password Connect provider the host component of the URI identifies the vault (by ID or name). Therefore vaults containing certain characters not allowed in the host component (e.g. whitespace, see [RFC-3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2) for details) can only be accessed by ID.*

Examples:

- `ref+onepasswordconnect://VAULT_ID/ITEM_ID#/[SECTION_ID.]FIELD_ID`
- `ref+onepasswordconnect://VAULT_LABEL/ITEM_LABEL#/[SECTION_LABEL.]FIELD_LABEL`
- `ref+onepasswordconnect://VAULT_LABEL/ITEM_ID#/[SECTION_LABEL.]FIELD_ID`

### Doppler

- `ref+doppler://PROJECT/ENVIRONMENT/SECRET_KEY[?token=dp.XX.XXXXXX&address=https://api.doppler.com&no_verify_tls=false&include_doppler_defaults=false]`

* `PROJECT` can be absent if the Token is a `Service Token` for that project. It can be set via the `DOPPLER_PROJECT` envvar.
  See [Doppler docs](https://docs.doppler.com/docs/enclave-service-tokens) for more information.
* `ENVIRONMENT` (aka "Config") can be absent if the Token is a `Service Token` for that project. It can be set via the `DOPPLER_ENVIRONMENT` envvar. See [Doppler docs](https://docs.doppler.com/docs/enclave-service-tokens) for more information.
* `SECRET_KEY` can be absent, in which case all secrets for the project/environment are fetched.
* `token` defaults to the value of the `DOPPLER_TOKEN` envvar.
* `address` defaults to the value of the `DOPPLER_API_ADDR` envvar; if unset, `https://api.doppler.com`.
* `no_verify_tls` defaults to `false`.
* `include_doppler_defaults` defaults to `false`; if set to `true` it will include the Doppler defaults for the project/environment (DOPPLER_ENVIRONMENT, DOPPLER_PROJECT and DOPPLER_CONFIG). It only works when `SECRET_KEY` is absent.

Examples:

(DOPPLER_TOKEN set as environment variable)

- `ref+doppler:////` fetches all secrets for the project/environment when using a Service Token.
- `ref+doppler:////FOO` fetches the value of the secret named `FOO` for the project/environment when using a Service Token.
- `ref+doppler://#FOO` fetches the value of the secret named `FOO` for the project/environment when using a Service Token.
- `ref+doppler://MyProject/development/DB_PASSWORD` fetches the value of the secret named `DB_PASSWORD` for the project named `MyProject` and environment named `development`.
- `ref+doppler://MyProject/development/#DB_PASSWORD` fetches the value of the secret named `DB_PASSWORD` for the project named `MyProject` and environment named `development`.

### Pulumi State

Obtain a value from state pulled via the Pulumi Cloud REST API:

- `ref+pulumistateapi://RESOURCE_TYPE/RESOURCE_LOGICAL_NAME/ATTRIBUTE_TYPE/ATTRIBUTE_KEY_PATH?project=PROJECT&stack=STACK`

* `RESOURCE_TYPE` is a Pulumi [resource type](https://www.pulumi.com/docs/concepts/resources/names/#types) of the form `<package>:<module>:<type>`, where forward slashes (`/`) are replaced by a double underscore (`__`) and colons (`:`) are replaced by a single underscore (`_`). For example `aws:s3:Bucket` would be encoded as `aws_s3_Bucket` and `kubernetes:storage.k8s.io/v1:StorageClass` would be encoded as `kubernetes_storage.k8s.io__v1_StorageClass`. To read Pulumi stack outputs, set the resource type to `pulumi_pulumi_Stack`.
* `RESOURCE_LOGICAL_NAME` is the [logical name](https://www.pulumi.com/docs/concepts/resources/names/#logicalname) of the resource in the Pulumi program. To read Pulumi stack outputs, set this to the project name followed by a hyphen, then the stack name.
* `ATTRIBUTE_TYPE` is either `outputs` or `inputs`.
* `ATTRIBUTE_KEY_PATH` is a [GJSON](https://github.com/tidwall/gjson/blob/master/SYNTAX.md) expression that selects the desired attribute from the resource's inputs or outputs per the chosen `ATTRIBUTE_TYPE` value. You must encode any characters that would otherwise not comply with URI syntax, for example `#` becomes `%23`.
* `project` is the Pulumi project name. May also be provided via the `PULUMI_PROJECT` environment variable.
* `stack` is the Pulumi stack name. May also be provided via the `PULUMI_STACK` environment variable.

Environment variables:

- `PULUMI_API_ENDPOINT_URL` is the Pulumi API endpoint URL. Defaults to `https://api.pulumi.com`. You may also provide this as the `pulumi_api_endpoint_url` query parameter.
- `PULUMI_ACCESS_TOKEN` is the Pulumi access token to use for authentication.
- `PULUMI_ORGANIZATION` is the Pulumi organization to use for authentication. You may also provide this as an `organization` query parameter.
- `PULUMI_PROJECT` is the Pulumi project. You may also provide this as a `project` query parameter.
- `PULUMI_STACK` is the Pulumi stack. You may also provide this as a `stack` query parameter.

Examples:

- `ref+pulumistateapi://aws-native_s3_Bucket/my-bucket/outputs/bucketName?project=my-project&stack=my-stack`
- `ref+pulumistateapi://aws-native_s3_Bucket/my-bucket/outputs/tags.%23(key==SomeKey).value?project=my-project&stack=my-stack`
- `ref+pulumistateapi://kubernetes_storage.k8s.io__v1_StorageClass/gp2-encrypted/inputs/metadata.name?project=my-project&stack=my-stack`
- `ref+pulumistateapi://pulumi_pulumi_Stack/project-name-stack-name/outputs/output-name?project=my-project&stack=my-stack`

### Kubernetes

Fetch a value from Kubernetes:

- `ref+k8s://API_VERSION/KIND/NAMESPACE/NAME/KEY[?kubeConfigPath=<path_to_kubeconfig>&kubeContext=<kubernetes context name>&inCluster]`

Authentication to the Kubernetes cluster is done by referencing the local kubeconfig file or the in-cluster config.
The path to the kubeconfig can be specified as a URI parameter or read from the `KUBECONFIG` environment variable; otherwise the provider will attempt to read `$HOME/.kube/config`.
The Kubernetes context can be specified as a URI parameter.
If `?inCluster` is passed in the URI, ensure the pod running the `vals` command has the appropriate RBAC permissions to access the ConfigMap/Secret.

Environment variables:

- `KUBECONFIG` contains the path to the kubeconfig that will be used to fetch the secret.

Examples:

- `ref+k8s://v1/Secret/mynamespace/mysecret/foo`
- `ref+k8s://v1/ConfigMap/mynamespace/myconfigmap/foo`
- `ref+k8s://v1/Secret/mynamespace/mysecret/bar?kubeConfigPath=/home/user/kubeconfig`
- `ref+k8s://v1/Secret/mynamespace/mysecret/foo?inCluster`
- `secretref+k8s://v1/Secret/mynamespace/mysecret/baz`
- `secretref+k8s://v1/Secret/mynamespace/mysecret/baz?kubeContext=minikube`

> NOTE: This provider only supports kind "Secret" or "ConfigMap" in apiVersion "v1" at this time.

### Conjur

This provider retrieves the value of secrets stored in [Conjur](https://www.conjur.org/).
It's based on the https://github.com/cyberark/conjur-api-go lib.

The following env vars have to be configured:
- `CONJUR_APPLIANCE_URL`
- `CONJUR_ACCOUNT`
- `CONJUR_AUTHN_LOGIN`
- `CONJUR_AUTHN_API_KEY`

- `ref+conjur://PATH/TO/VARIABLE/CONJUR_SECRET_ID[?address=CONJUR_APPLIANCE_URL&account=CONJUR_ACCOUNT&login=CONJUR_AUTHN_LOGIN&apikey=CONJUR_AUTHN_API_KEY]`

Example:

- `ref+conjur://branch/variable_name`

### HCP Vault Secrets

This provider retrieves the value of secrets stored in [HCP Vault Secrets](https://developer.hashicorp.com/hcp/docs/vault-secrets).

It is based on the [HashiCorp Cloud Platform Go SDK](https://github.com/hashicorp/hcp-sdk-go) lib.

Environment variables:

- `HCP_CLIENT_ID`: The service principal Client ID for the HashiCorp Cloud Platform.
- `HCP_CLIENT_SECRET`: The service principal Client Secret for the HashiCorp Cloud Platform.
- `HCP_ORGANIZATION_ID`: (Optional) The organization ID for the HashiCorp Cloud Platform. It can be omitted. If "Organization Name" is set, it will be used to fetch the organization ID, otherwise the organization ID will be set to the first organization ID found.
- `HCP_ORGANIZATION_NAME`: (Optional) The organization name for the HashiCorp Cloud Platform to fetch the organization ID.
- `HCP_PROJECT_ID`: (Optional) The project ID for the HashiCorp Cloud Platform. It can be omitted.
  If "Project Name" is set, it will be used to fetch the project ID, otherwise the project ID will be set to the first project ID found in the provided organization.
- `HCP_PROJECT_NAME`: (Optional) The project name for the HashiCorp Cloud Platform to fetch the project ID.

Parameters:

Parameters are optional and can be passed as query parameters in the URI, taking precedence over environment variables.

- `client_id`: The service principal Client ID for the HashiCorp Cloud Platform.
- `client_secret`: The service principal Client Secret for the HashiCorp Cloud Platform.
- `organization_id`: The organization ID for the HashiCorp Cloud Platform. It can be omitted. If "Organization Name" is set, it will be used to fetch the organization ID, otherwise the organization ID will be set to the first organization ID found.
- `organization_name`: The organization name for the HashiCorp Cloud Platform to fetch the organization ID.
- `project_id`: The project ID for the HashiCorp Cloud Platform. It can be omitted. If "Project Name" is set, it will be used to fetch the project ID, otherwise the project ID will be set to the first project ID found in the provided organization.
- `project_name`: The project name for the HashiCorp Cloud Platform to fetch the project ID.
- `version`: The version number of the secret to fetch. If omitted or it fails to parse, the latest version will be fetched.

Example:

`ref+hcpvaultsecrets://APPLICATION_NAME/SECRET_NAME[?client_id=HCP_CLIENT_ID&client_secret=HCP_CLIENT_SECRET&organization_id=HCP_ORGANIZATION_ID&organization_name=HCP_ORGANIZATION_NAME&project_id=HCP_PROJECT_ID&project_name=HCP_PROJECT_NAME&version=2]`

### Bitwarden

This provider retrieves the secrets stored in Bitwarden. It uses the [Bitwarden Vault-Management API](https://bitwarden.com/help/vault-management-api/) that is included in the [Bitwarden CLI](https://github.com/bitwarden/clients) by executing `bw serve`.

Environment variables:

- `BW_API_ADDR`: The Bitwarden Vault Management API service address, defaults to http://localhost:8087

Parameters:

Parameters are optional and can be passed as query parameters in the URI, taking precedence over environment variables.

* `address` defaults to the value of the `BW_API_ADDR` envvar.

Examples:

- `ref+bw://4d084b01-87e7-4411-8de9-2476ab9f3f48` gets the password of the item ID
- `ref+bw://4d084b01-87e7-4411-8de9-2476ab9f3f48/password` g

Tags

Posted on: 17 Jan 2026 · 15 min read

gets the password of the item ID
- `ref+bw://4d084b01-87e7-4411-8de9-2476ab9f3f48/{username,password,uri,notes,item}` gets the username, password, URI, notes or the whole item of the given item ID
- `ref+bw://4d084b01-87e7-4411-8de9-2476ab9f3f48/notes#/key1` gets *key1* from the YAML stored as a note in the item

### Yandex Cloud Lockbox

Retrieve secrets from [Yandex Cloud Lockbox](https://yandex.cloud/en/docs/lockbox/). The path is used to specify the secret ID. Optionally, a specific secret version can be retrieved (the current version is used by default). If a fragment is specified, a specific key is retrieved from the secret.

- `ref+yclockbox://SECRET_ID[?version_id=VERSION][#KEY]`

Examples:

- `ref+yclockbox://e6qeoqvd88dcpf044n5i` - get the whole secret `e6qeoqvd88dcpf044n5i` from the current version
- `ref+yclockbox://e6qeoqvd88dcpf044n5i?version_id=e6qn22seoaprg9cbe1dj` - get the whole secret `e6qeoqvd88dcpf044n5i` from the `e6qn22seoaprg9cbe1dj` version
- `ref+yclockbox://e6qeoqvd88dcpf044n5i?version_id=e6qn22seoaprg9cbe1dj#oauth_secret` - get the secret entry under the `oauth_secret` key of version `e6qn22seoaprg9cbe1dj` of secret `e6qeoqvd88dcpf044n5i`
- `ref+yclockbox://e6qeoqvd88dcpf044n5i#oauth_secret` - get the secret entry under the `oauth_secret` key of the current version of secret `e6qeoqvd88dcpf044n5i`

#### Authentication

Vals acquires the Yandex Cloud IAM token from the `YC_TOKEN` environment variable. The easiest way to get it is to run `yc iam create-token`. See the [Yandex Cloud Lockbox docs](https://yandex.cloud/en/docs/lockbox/api-ref/authentication) for more details on authentication.

To override the Yandex Cloud API endpoint used by the Lockbox provider (for example, when using regional endpoints like `api.yandexcloud.kz:443`), set the `YC_LOCKBOX_ENDPOINT` environment variable:

```sh
export YC_TOKEN="$(yc iam create-token)"
export YC_LOCKBOX_ENDPOINT="api.yandexcloud.kz:443"
vals get 'ref+yclockbox://SECRET_ID'
```

### HTTP JSON

This provider retrieves values stored in JSON hosted by an HTTP frontend.

This provider is built on top of the [jsonquery](https://pkg.go.dev/github.com/antchfx/jsonquery@v1.3.3) and [xpath](https://pkg.go.dev/github.com/antchfx/xpath@v1.2.3) packages.

Given the diverse array of JSON structures that can be encountered, using jsonquery with XPath is a more effective way of handling this variability in data structures.

This provider requires an XPath to be provided.

Do not include the protocol scheme, i.e. http/https. The provider defaults to the https scheme (http is available, see below).

Examples:

#### Fetch string value

`ref+httpjson://<domain>/<path>?[insecure=false&floatAsInt=false]#/<xpath>`

Let's say you want to fetch the JSON object below from https://api.github.com/users/helmfile/repos:
```json
[
    {
        "name": "chartify"
    },
    {
        "name": "go-yaml"
    }
]
```
```
# To get name="chartify" using the https protocol you would use:
ref+httpjson://api.github.com/users/helmfile/repos#///*[1]/name

# To get name="go-yaml" using the https protocol you would use:
ref+httpjson://api.github.com/users/helmfile/repos#///*[2]/name

# To get name="go-yaml" using the http protocol you would use:
ref+httpjson://api.github.com/users/helmfile/repos?insecure=true#///*[2]/name
```

#### Fetch integer value

`ref+httpjson://<domain>/<path>?[insecure=false&floatAsInt=false]#/<xpath>`

Let's say you want to fetch the JSON object below from https://api.github.com/users/helmfile/repos:
```json
[
    {
        "id": 251296379
    }
]
```
```
# Running the following will return: 2.51296379e+08
ref+httpjson://api.github.com/users/helmfile/repos#///*[1]/id

# Running the following will return: 251296379
ref+httpjson://api.github.com/users/helmfile/repos?floatAsInt=true#///*[1]/id
```

### Servercore secret manager

Retrieve secrets from Servercore Secrets Manager. The path identifies the secret.
If a fragment is specified, the provider returns a specific key from the decoded secret.\n\nAuthentication:\n\nSet the following environment variables:\n\n- `SERVERCORE_USERNAME`\n- `SERVERCORE_PASSWORD`\n- `SERVERCORE_ACCOUNT_ID`\n- `SERVERCORE_PROJECT_NAME`\n\nURI formats:\n\n- `ref+servercore://SECRET_NAME`\n  Returns the secret value as a string.\n- `ref+servercore://SECRET_NAME#/key/in/secret`\n  Parses the decoded secret as JSON (with YAML as a fallback) and returns the value at the leaf key path.\n\nNotes:\n- The provider expects the Servercore API to return a base64-encoded string in the `version.value` field. After decoding, the provider attempts JSON parsing, and if that fails, YAML.\n- API reference: [Servercore Secrets API](https://docs.servercore.com/api/secrets-manager-secrets/).\n\n### Scaleway\nThis provider allows retrieval of secrets from [Scaleway Secret Manager](https://www.scaleway.com/en/docs/secret-manager/) using the [Scaleway Go SDK](https://github.com/scaleway/scaleway-sdk-go). For authentication, it uses the environment variables `SCW_PROJECT_ID` (defaults to `SCW_DEFAULT_PROJECT_ID` if unset), `SCW_REGION` (defaults to `SCW_DEFAULT_REGION` if unset), `SCW_ACCESS_KEY`, and `SCW_SECRET_KEY`. 
You can reference secrets in your config using the `ref+scw://` URI scheme.\n\nExamples:\n\n- `ref+scw:///path/to/secret` retrieves the value of an Opaque secret at the specified path.\n- `ref+scw:///path/to/secret#key` retrieves the value for a specific key in a JSON secret at the specified path.\n\n### Infisical\n\nThis provider allows retrieval of secrets from [Infisical](https://infisical.com) (either the SaaS or a self-deployment) using the [Infisical Go SDK](https://github.com/infisical/go-sdk).\n\nEnvironment variables:\n\n- `INFISICAL_URL`: the Infisical instance URL, defaults to the SaaS (`https://app.infisical.com`).\n- `INFISICAL_AUTH_METHOD` (required): the authentication method, one of: `UNIVERSAL_AUTH`, `KUBERNETES`, `AWS_IAM`, `AZURE`, `GCP_IAM`, `GCP_ID_TOKEN`.\n\nParameters:\n\n- `project` or `project_id` (required): the project slug or ID, respectively, where the secret lives in.\n- `environment` (required): the slug name (`dev`, `prod`, etc) of the environment from where the secret should be fetched.\n- `path`: the path from where the secret should be fetched.\n- `type`: the type of the secret. Valid options are `shared` (default) or `personal`.\n- `version`: the version of the secret to retrieve.\n\nExamples:\n\n- `ref+infisical://WEBHOOK_URL?project=infrastructure-hue8\u0026path=prometheus\u0026environment=prod`: gets the secret at \"infrastructure-hue8\" (project slug) -\u003e \"prometheus\" (folder) -\u003e \"WEBHOOK_URL\" (secret) -\u003e \"prod\" (environment).\n- `ref+infisical://POSTGRES_PASSWORD?project_id=c2f75015-37b7-40b6-8412-2523ddfea5ed\u0026environment=dev`: gets the secret at \"c2f75015-37b7-40b6-8412-2523ddfea5ed\" (project ID) -\u003e \"POSTGRES_PASSWORD\" (secret) -\u003e \"dev\" (environment).\n\n#### Authentication\n\nThese are the supported authentication methods. 
Please read [the SDK docs](https://infisical.com/docs/sdks/languages/go#authentication) for more information.\n\nDepending on which one is chosen with the `INFISICAL_AUTH_METHOD` environment variable, the following environment variables must also be provided.\n\n- **Universal**: `UNIVERSAL_AUTH`\n  - `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID`: your machine identity client ID.\n  - `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET`: your machine identity client secret.\n- **Kubernetes**: `KUBERNETES`\n  - `INFISICAL_KUBERNETES_IDENTITY_ID`: your Infisical Machine Identity ID.\n  - `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH`: the path to the service account token file (defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`).\n- **AWS IAM**: `AWS_IAM`\n  - `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID`: your Infisical Machine Identity ID.\n- **Azure**: `AZURE`\n  - `INFISICAL_AZURE_AUTH_IDENTITY_ID`: your Infisical Machine Identity ID.\n- **GCP IAM**: `GCP_IAM`\n  - `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID`: your Infisical Machine Identity ID.\n  - `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH`: the path to your GCP service account key file.\n- **GCP ID Token**: `GCP_ID_TOKEN`\n  - `INFISICAL_GCP_AUTH_IDENTITY_ID`: your Infisical Machine Identity ID.\n\n### SecretServer\n\nThis provider allows retrieval of secrets from [Delinea Secret Server](https://delinea.com/products/secret-server) using its [REST API](https://docs.delinea.com/online-help/secret-server/api-scripting/rest-api/index.htm).\n\n#### Configuration\n\nFor on-prem instances set `TSS_SERVER_URL`. For cloud instances set `TSS_TLD` to the top-level domain and `TSS_TENANT` to your tenant ID. 
If `TSS_SERVER_URL` is set, the other connection variables are ignored.\n\n#### Authentication\n\nAuthentication is done via environment variables:\n\n- `TSS_USERNAME`: username to authenticate with\n- `TSS_PASSWORD`: password to authenticate with\n- `TSS_DOMAIN`: optional domain for the user\n\nAlternatively you can provide an OAuth token directly via `TSS_TOKEN`. If you do, all other authentication environment variables are ignored.\n\n#### Parameters\n\nYou can disable SSL certificate verification by setting `ssl_verify=false` in the URL's query string. Only do this against a test instance: with verification off, your credentials (or `TSS_TOKEN`) and the retrieved secrets are sent to whichever server answers the connection, so a network attacker can both read and substitute them.\n\n#### Examples\n\n- `ref+tss://12345#/password`: gets the `password` field of the secret with ID `12345`\n- `ref+tss://secret-name/password`: gets the `password` field of the secret with the name `secret-name`. The name has to uniquely identify the secret.\n\n#### Limitations\n\nThe content of file fields, such as certificates, can't be retrieved. It is replaced with the string `*** Not Valid For Display ***`.\n\n## Advanced Usages\n\n### Discriminating config and secrets\n\n`vals` has an advanced feature that helps you do GitOps.\n\nGitOps is a good practice that helps you review how your change would affect the production environment.\n\nTo leverage GitOps best, it is important to remove the dynamic aspects of your config before reviewing.\n\nOn the other hand, `vals`'s primary purpose is to defer retrieval of values until the time of deployment, so that you don't accidentally git-commit secrets. 
The flip side of this is, obviously, that you can't review the values themselves.\n\nUsing `ref+<value uri>` and `secretref+<value uri>` in combination with `vals eval --exclude-secret` addresses this.\n\nBy using the `secretref+<uri>` notation, you tell `vals` that the value is a secret; regular `ref+<uri>` instances are config values.\n\n```yaml\nmyconfigvalue: ref+awsssm://myconfig/value\nmysecretvalue: secretref+awssecrets://mysecret/value\n```\n\nTo get the most out of GitOps by letting reviewers see the content of `ref+awsssm://myconfig/value` only, run `vals eval --exclude-secret`, which generates the following:\n\n```yaml\nmyconfigvalue: MYCONFIG_VALUE\nmysecretvalue: secretref+awssecrets://mysecret/value\n```\n\nThis is safe to commit to git because, as you've told `vals`, `awsssm://myconfig/value` is a config value that can be shared publicly. Note that `--exclude-secret` trusts that labelling: a secret referenced with plain `ref+` would be resolved and committed in the clear.\n\n## Non-Goals\n\n### Complex String-Interpolation / Template Functions\n\nIn the early days of this project, the original author investigated whether it was a good idea to introduce a string-interpolation-like feature to vals:\n\n```\nfoo: xx${{ref \"ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey\" }}\nbar:\n  baz: yy${{ref \"ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey\" }}\n```\n\nBut the idea was abandoned because it seemed to push vals toward becoming a full-fledged YAML templating engine. What if some users started wanting to use `vals` for transforming values with functions?\nThat's not the business of vals.\n\nInstead, use vals solely for composing sets of values that are then input to another templating engine or data manipulation language like Jsonnet and CUE.\n\nNote, though, that `vals` does support simple string-interpolation-like usage. See [Expression Syntax](#expression-syntax) for more information.\n\n### Merge\n\nMerging YAMLs is out of the scope of `vals`. 
There are better alternatives like Jsonnet, Sprig, and CUE for the job.\n
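The `ref+` / `secretref+` split and what `vals eval --exclude-secret` does with it, as an added example in Go for the "Discriminating config and secrets" section above. This is not vals' code: the provider is an in-memory stub with made-up values, the document mirrors the README's two keys plus one deliberately mislabelled entry, and `auditRefs` is a check of this example's own (with a caller-chosen set of "secret store" schemes) that vals itself does not provide.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// resolver stands in for vals' providers: given the URI body after the
// "ref+" / "secretref+" prefix (e.g. "awsssm://myconfig/value") it returns
// the value. Here it is a stub over an in-memory map so the example runs offline.
type resolver func(uri string) (string, error)

func stubResolver(values map[string]string) resolver {
	return func(uri string) (string, error) {
		v, ok := values[uri]
		if !ok {
			return "", fmt.Errorf("no value for %q", uri)
		}
		return v, nil
	}
}

// eval walks a decoded values document (nested maps, slices and scalars, as
// produced by parsing YAML or JSON) and replaces every "ref+..." string with
// its resolved value. With excludeSecret set, "secretref+..." strings are
// returned verbatim, which is what makes the output safe to review and
// commit; without it, both prefixes are resolved (the deploy-time behaviour).
func eval(node interface{}, excludeSecret bool, resolve resolver) (interface{}, error) {
	switch v := node.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(v))
		for k, child := range v {
			r, err := eval(child, excludeSecret, resolve)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", k, err)
			}
			out[k] = r
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(v))
		for i, child := range v {
			r, err := eval(child, excludeSecret, resolve)
			if err != nil {
				return nil, fmt.Errorf("[%d]: %w", i, err)
			}
			out[i] = r
		}
		return out, nil
	case string:
		if strings.HasPrefix(v, "secretref+") {
			if excludeSecret {
				return v, nil // keep the reference, never the secret
			}
			return resolve(strings.TrimPrefix(v, "secretref+"))
		}
		if strings.HasPrefix(v, "ref+") {
			return resolve(strings.TrimPrefix(v, "ref+"))
		}
		return v, nil
	default:
		return node, nil // numbers, bools and nil pass through
	}
}

// auditRefs lists plain "ref+" values whose scheme the caller treats as a
// secret store. --exclude-secret trusts your labelling, so a
// "ref+awssecrets://..." would be resolved and land in git in the clear; run
// this before `vals eval`. The scheme set is the caller's policy, not vals'.
func auditRefs(node interface{}, path string, secretSchemes map[string]bool) []string {
	var findings []string
	switch v := node.(type) {
	case map[string]interface{}:
		keys := make([]string, 0, len(v))
		for k := range v {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic report order
		for _, k := range keys {
			findings = append(findings, auditRefs(v[k], path+"/"+k, secretSchemes)...)
		}
	case []interface{}:
		for i, child := range v {
			findings = append(findings, auditRefs(child, fmt.Sprintf("%s/%d", path, i), secretSchemes)...)
		}
	case string:
		if strings.HasPrefix(v, "ref+") {
			scheme := strings.SplitN(strings.TrimPrefix(v, "ref+"), "://", 2)[0]
			if secretSchemes[scheme] {
				findings = append(findings, path+": "+v)
			}
		}
	}
	return findings
}

func main() {
	// Constructed document: the README's two keys plus a mislabelled secret.
	doc := map[string]interface{}{
		"myconfigvalue": "ref+awsssm://myconfig/value",
		"mysecretvalue": "secretref+awssecrets://mysecret/value",
		"oops":          "ref+awssecrets://mysecret/token",
	}
	resolve := stubResolver(map[string]string{ // made-up values
		"awsssm://myconfig/value":     "MYCONFIG_VALUE",
		"awssecrets://mysecret/value": "hunter2",
		"awssecrets://mysecret/token": "t0ken",
	})
	for _, f := range auditRefs(doc, "", map[string]bool{"awssecrets": true, "vault": true}) {
		fmt.Println("WARNING mislabelled secret:", f)
	}
	reviewable, _ := eval(doc, true, resolve)
	fmt.Println("review copy:", reviewable)
	deployed, _ := eval(doc, false, resolve)
	fmt.Println("deploy copy:", deployed)
}
```

`eval(doc, true, resolve)` reproduces the README's `--exclude-secret` output for the two original keys, and the audit flags the `oops` entry, which `--exclude-secret` alone would have resolved into the review copy.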