Secrets
Backend-agnostic credentials
weave modules read environment variables only. No runtime dependency on 1Password, Vault, Doppler, or any broker — you choose how vars reach the process.
# Mental model
<inject-secrets> -- weave <module> <command>
$ weave secrets backends   # patterns: shell, .env, exec wrapper, CI
$ weave secrets check      # source label + per-module vars in this shell
Injection patterns
| Pattern | How you run weave | Example one-liner |
|---|---|---|
| Shell export | Vars set in the same session | export OKTA_TOKEN=… && weave okta … |
| dotenv / .env | Source a file into the environment | set -a; source .env; set +a; weave doctor |
| direnv | Auto-load .envrc per directory | direnv allow . && weave doctor |
| Exec wrapper | Child process; wrapper injects env | op run --env-file=… -- weave … |
| CI mounts | Platform env: before the step | env: OKTA_TOKEN: ${{ secrets.OKTA_TOKEN }} |
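
The dotenv and exec-wrapper rows differ in where the secret ends up: `set -a; source .env` leaves the variables exported in the interactive shell, while a wrapper hands them only to the child process. As an added example (not part of weave or its docs), the hypothetical `run_with_env_file` helper below does the latter for a plain KEY=VALUE file; it assumes values are literal, with no quoting or expansion.

```shell
#!/bin/sh
# Added example: exec-wrapper pattern for a KEY=VALUE file.
# run_with_env_file is a hypothetical helper, not a weave command.
# Usage: run_with_env_file .env -- weave doctor

run_with_env_file() {
    file=$1
    shift
    if [ "${1:-}" = "--" ]; then shift; fi
    [ -f "$file" ] || { echo "env file not found: $file" >&2; return 2; }

    # Columns 5-10 of the ls mode string are the group/other bits;
    # refuse any file that is not private to its owner.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "refusing $file: mode too open" >&2; return 3; }

    (
        # Subshell: exports made here never reach the calling shell.
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;                      # blank line or comment
                *=*) ;;
                *) echo "not KEY=VALUE" >&2; exit 4 ;;    # never echo the line itself
            esac
            key=${line%%=*}
            case $key in
                ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                    echo "invalid variable name" >&2; exit 4 ;;
            esac
            export "$key=${line#*=}"                      # value taken literally
        done < "$file"
        exec "$@"
    )
}
```
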
Recipe cards
Pick whichever your org already uses — one of many, not required.
1Password
$ op run --env-file=opvars -- weave okta list users
HashiCorp Vault
$ export OKTA_TOKEN=$(vault kv get -field=token secret/it/okta)
$ weave okta list users
Doppler
$ doppler run -- weave okta list users
Infisical
$ infisical run --env=prod -- weave okta list users
AWS Secrets Manager
$ export OKTA_TOKEN=$(aws secretsmanager get-secret-value …)
$ weave okta list users
Plain env / direnv
$ export OKTA_DOMAIN=acme.okta.com
$ export OKTA_TOKEN=ssws-…
$ weave doctor --missing-only
GitHub Actions
# env: OKTA_DOMAIN / OKTA_TOKEN from secrets
run: weave okta snapshot groups
Getting started
· repo copy: docs/secrets-backends.md