teller run: Inject Multi-Provider Secrets
teller run reads the providers listed in .teller.yml, gathers their secrets into the environment, and executes the command after --.
Teller is a provider-agnostic secrets tool: one .teller.yml can pull from AWS SSM, GCP, Vault, and more. teller run injects the merged set into a process for CI use.
What it does
teller run reads the provider definitions in .teller.yml (or the file named by TELLER_FILE), fetches each mapped secret, sets them as environment variables, and runs the given command with that environment.
Common usage
teller run -- ./deploy.sh
# reset the child env so only teller-provided vars are present
teller run --reset -- node server.js
TELLER_FILE=.teller.ci.yml teller run -- make testOptions
| Flag | What it does |
|---|---|
| -- <command> | Command to run with secrets injected |
| --reset | Clear the inherited environment before injecting |
| -c, --config <file> | Path to the teller config (default .teller.yml) |
| TELLER_FILE | Env var naming an alternate config file |
In CI
Keep .teller.yml in the repo (it holds paths, not secrets) and let each provider authenticate from the runner environment, for example AWS creds via OIDC. Use a CI-specific config with TELLER_FILE when the providers differ from local development.
Common errors in CI
A provider error like "could not fetch ... AccessDenied" means the runner lacks credentials for that backend; wire up the provider auth (IAM role, token). "config file .teller.yml not found" means you are in the wrong directory or need TELLER_FILE. A missing key error means a mapping in .teller.yml points at a path that does not exist.