Skip to content
Latchkey

teller run: Inject Multi-Provider Secrets

teller run reads the providers listed in .teller.yml, gathers their secrets into the environment, and executes the command after --.

Teller is a provider-agnostic secrets tool: one .teller.yml can pull from AWS SSM, GCP, Vault, and more. teller run injects the merged set into a process for CI use.

What it does

teller run reads the provider definitions in .teller.yml (or the file named by TELLER_FILE), fetches each mapped secret, sets them as environment variables, and runs the given command with that environment.

Common usage

Terminal
teller run -- ./deploy.sh
# reset the child env so only teller-provided vars are present
teller run --reset -- node server.js
TELLER_FILE=.teller.ci.yml teller run -- make test

Options

FlagWhat it does
-- <command>Command to run with secrets injected
--resetClear the inherited environment before injecting
-c, --config <file>Path to the teller config (default .teller.yml)
TELLER_FILEEnv var naming an alternate config file

In CI

Keep .teller.yml in the repo (it holds paths, not secrets) and let each provider authenticate from the runner environment, for example AWS creds via OIDC. Use a CI-specific config with TELLER_FILE when the providers differ from local development.

Common errors in CI

A provider error like "could not fetch ... AccessDenied" means the runner lacks credentials for that backend; wire up the provider auth (IAM role, token). "config file .teller.yml not found" means you are in the wrong directory or need TELLER_FILE. A missing key error means a mapping in .teller.yml points at a path that does not exist.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →