Skip to main content

CLI Tool

The CloudKeep CLI lets you manage vaults and secrets directly from your terminal. It is ideal for local development, scripting, and CI/CD pipelines where you need secrets injected as environment variables.

Installation

Install the CLI globally with npm, pnpm, or yarn:

# npm
npm install -g @cloudkeep/cli

# pnpm
pnpm add -g @cloudkeep/cli

# yarn
yarn global add @cloudkeep/cli

Verify the installation:

cloudkeep --version
# 1.4.2

Configuration

Logging in

Authenticate the CLI with your CloudKeep account. This stores a session token locally so subsequent commands do not require re-authentication.

cloudkeep login

# Opens your browser for authentication.
# After approving, the CLI stores a token at:
#   ~/.config/cloudkeep/credentials.json

Alternatively, set the CLOUDKEEP_API_TOKEN environment variable for headless environments such as CI runners:

export CLOUDKEEP_API_TOKEN=ck_live_abc123...

Config file

The CLI reads configuration from ~/.config/cloudkeep/config.json. You can set defaults for the active vault and output format:

{
  "defaultVault": "vlt_8xK2mN",
  "outputFormat": "table",
  "apiUrl": "https://app.cloudkeep.io/api/v1"
}

Commands

cloudkeep login

Opens a browser window to authenticate. On success, a session token is saved to the local config directory.

cloudkeep login

cloudkeep list

List all secrets in a vault. Defaults to the vault set in your config file.

# List secrets in the default vault
cloudkeep list

# List secrets in a specific vault
cloudkeep list --vault vlt_9yL3nP

# Output as JSON
cloudkeep list --format json

Example output:

KEY                  TYPE         UPDATED
DATABASE_URL         credential   2 hours ago
STRIPE_SECRET_KEY    api_key      3 days ago
REDIS_URL            credential   1 week ago

cloudkeep get

Retrieve the value of a single secret by its key.

# Print the value to stdout
cloudkeep get DATABASE_URL

# Copy to clipboard (macOS/Linux)
cloudkeep get DATABASE_URL | pbcopy

# Specify vault explicitly
cloudkeep get STRIPE_SECRET_KEY --vault vlt_8xK2mN

cloudkeep set

Create or update a secret. If the key already exists, the value is overwritten and a new version is recorded.

# Set a secret interactively (value is hidden)
cloudkeep set DATABASE_URL

# Set inline
cloudkeep set DATABASE_URL "postgres://user:pass@host:5432/db"

# Set from a file
cloudkeep set TLS_CERT --from-file ./cert.pem

# Set with a specific type
cloudkeep set AWS_KEY "AKIA..." --type api_key

cloudkeep inject

Run a command with secrets injected as environment variables. This is the recommended way to use secrets in local development and CI/CD pipelines.

# Inject all secrets from the default vault and run your app
cloudkeep inject -- node server.js

# Inject from a specific vault
cloudkeep inject --vault vlt_8xK2mN -- npm run start

# Inject only specific keys
cloudkeep inject --keys DATABASE_URL,REDIS_URL -- python app.py

CI/CD Integration

Use the inject command in CI pipelines to avoid storing secrets in your CI provider. Set CLOUDKEEP_API_TOKEN as a pipeline secret, then wrap your build commands:

# GitHub Actions example
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install CloudKeep CLI
        run: npm install -g @cloudkeep/cli
      - name: Deploy with secrets
        env:
          CLOUDKEEP_API_TOKEN: ${{ secrets.CLOUDKEEP_API_TOKEN }}
        run: cloudkeep inject --vault vlt_8xK2mN -- ./deploy.sh

The process never writes secrets to disk — they exist only in the environment of the child process and are discarded when it exits.

Next Steps

  • REST API — the CLI uses the REST API under the hood. See the full endpoint reference.
  • Webhooks — get notified when secrets change in your vaults.
  • Import — bulk-import secrets from .env files or other password managers.