This guide describes the usage, configuration flags, and safety overrides for the Secrets Manager command-line scripts.
Secrets Manager registers three executable scripts in pyproject.toml:
suenv(Upload Env): Encrypts and uploads environment files.sfenv(Fetch Env): Downloads and decrypts environment files.sdenv(Delete Env): Verifies password and deletes remote environment files.
Encrypts a local environment file and uploads it to S3 under the SHA-1 hash of the repository URL.
suenv [options]| Option | Long Flag | Default | Description |
|---|---|---|---|
-f <path> |
--file <path> |
.env |
Path to the local file to encrypt. |
-r <url> |
--repo <url> |
(Auto-detected) | Override Git remote URL (useful outside git repositories). |
# Encrypt and upload the default .env from your git folder
suenv
# Encrypt and upload a staging env configuration
suenv -f .env.staging
# Upload a file using a custom repository identifier
suenv -f config.env -r "my-org/my-project"Downloads and decrypts environment files from S3, writing them to a local destination.
sfenv [options]| Option | Long Flag | Default | Description |
|---|---|---|---|
-o <path> |
--output <path> |
.env |
Destination path to save decrypted secrets. |
-r <url> |
--repo <url> |
(Auto-detected) | Override Git remote URL to retrieve secrets for another project. |
-f |
--force |
False |
Overwrite the destination file without prompting. |
By default, if the output file already exists, sfenv will ask for confirmation before writing to prevent accidental loss of local changes:
⚠️ Warning: File already exists at: /path/to/.env
Are you sure you want to overwrite it? [y/N]:
Pass -f or --force to bypass this prompt (useful for automated scripts).
# Decrypt and overwrite the local .env file (prompts if it exists)
sfenv
# Force download and overwrite without confirmation
sfenv -f
# Download secrets for a specific project into a custom output path
sfenv -r "assignment-sets/general-medical-rag" -o .env.prodVerifies the master password and deletes the encrypted secrets from S3.
sdenv [options]| Option | Long Flag | Default | Description |
|---|---|---|---|
-r <url> |
--repo <url> |
(Auto-detected) | Override Git remote URL to delete another project's secrets. |
-y |
--yes |
False |
Skip deletion safety confirmation prompt. |
By default, before prompting for the password, sdenv will ask for confirmation:
⚠️ Are you sure you want to permanently delete secrets for <repo_url>? [y/N]:
Pass -y or --yes to skip this warning.
# Delete default repo secrets (prompts for confirmation, then asks for master password)
sdenv
# Delete secrets for a specific project skipping the confirmation warning
sdenv -r "my-org/old-project" -y