Injecting Secrets Into Your Shell
pm inject exports vault data into the current shell session as environment variables. It is meant for short-lived developer workflows such as local app startup, CI smoke testing, and ad hoc scripting where a process expects secrets through env vars.
Unlike pm get, pm inject is not meant for reading a value off the screen to copy it. It emits shell-specific export commands, and you evaluate those commands in your shell; if you only print them, the secret values appear in plain text in the output.
How It Works
pm inject:
- Unlocks the vault using your normal APM flow
- Resolves one or more vault entries by name
- Converts those entries into environment variables
- Stores a small local inject-session record so the variables can be removed later with pm inject kill
The command supports bash, zsh, fish, and PowerShell.
Quick Start
Bash / Zsh
Fish
PowerShell
After the command runs, each selected entry becomes an environment variable in the current shell. For a password entry named github, the default variable name is GITHUB.
Selecting Entries
You can inject explicit entry names:
Entry lookup is by vault item name in the active space. If any requested entry is missing, the command fails rather than partially injecting.
Supported entry sources include:
- Password entries
- TOTP entries
- Tokens
- Secure notes
- API keys
- SSH keys
- Wi-Fi passwords
- Recovery codes
- Certificates
- Cloud credential secret keys
- Docker registry tokens
- SSH config private keys
.apminject Files
If you omit --inject, APM searches upward from the current directory for a .apminject file.
This lets you keep project-local injection rules in the repo or workspace root.
Simple List Format
Wrapped Format
You can also use entries: instead of inject:.
Custom Variable Names
If as is omitted, APM derives a variable name automatically by uppercasing the entry name and replacing separators with underscores.
Examples:
- github -> GITHUB
- aws-prod -> AWS_PROD
- openai token -> OPENAI_TOKEN
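To see how that derivation behaves beyond the three examples above, here is an added POSIX sh helper (not APM's own code) that applies the rule, flags entries whose derived names collide, and flags derived names that are not valid shell identifiers. It assumes that dots, slashes and all whitespace count as separators in addition to the hyphen and space the page shows, and that a run of separators collapses to one underscore. The page does not say what APM does when two entries derive to the same variable or when a derived name starts with a digit, so this helper only reports those cases; the fix in both is an explicit as name.

```sh
#!/bin/sh
# Added example, not APM's own code. Derives the default environment variable
# name for a vault entry as the page describes: uppercase the entry name and
# turn separators into underscores. Treating '.', '/' and all whitespace as
# separators (besides '-' and space) and collapsing runs is an assumption.
apm_var_name() {
    printf '%s' "$1" \
        | tr '[:lower:]' '[:upper:]' \
        | sed 's|[[:space:]./-]\{1,\}|_|g'
}

# A POSIX shell identifier must match [A-Za-z_][A-Za-z0-9_]*. An entry such as
# "2fa-backup" derives to "2FA_BACKUP", which export rejects; the page does not
# say how APM handles that, so give such entries an explicit `as` name.
apm_valid_var_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# Prints "DERIVED<TAB>entry" for every entry name given. Returns 1 if any
# derived name is not a valid identifier, or if two entries derive to the same
# variable (the second injection would silently shadow the first).
apm_check_entries() {
    status=0
    seen=""
    for entry in "$@"; do
        name=$(apm_var_name "$entry")
        printf '%s\t%s\n' "$name" "$entry"
        if ! apm_valid_var_name "$name"; then
            printf 'invalid identifier %s (from "%s"): set an explicit as: name\n' \
                "$name" "$entry" >&2
            status=1
        fi
        case " $seen " in
            *" $name "*)
                printf 'collision on %s (from "%s")\n' "$name" "$entry" >&2
                status=1 ;;
        esac
        seen="$seen $name"
    done
    return $status
}
```

Running apm_check_entries over the entry names listed in a .apminject file before committing it catches both problems while they are still cheap to fix.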
Recommended Workflow
For one-off usage, name the entries explicitly and evaluate the emitted script in the current shell (eval in Bash, Zsh and Fish; Invoke-Expression in PowerShell).
For project usage, check a .apminject file into the workspace root and run pm inject without --inject so the entries are read from that file.
When you are done, run pm inject kill (the PowerShell form of the command differs). This removes the injected variables and clears the tracked inject session.
setup-shell
APM can install a small shell helper so you do not have to type eval manually every time; run pm inject setup-shell to install it.
This adds an inject() helper to the detected shell config:
- ~/.bashrc for Bash
- ~/.zshrc for Zsh
- ~/.config/fish/config.fish for Fish
- $PROFILE for PowerShell
After reloading your shell config, you can call inject in place of the manual eval step.
Session Behavior
APM tracks one active inject session at a time. If a session is already active, pm inject will stop and ask you to run pm inject kill first.
The session record stores:
- A generated session ID
- The injected variable names
- Injection time
- Parent shell PID
By default, this record lives under your user config directory. If APM_DATA_DIR is set, APM stores it there instead.
Security Notes
- Injected secrets live in your shell environment until you remove them or close the shell.
- Child processes inherit those environment variables.
- Prefer a dedicated shell for sensitive injection workflows.
- Use pm inject kill immediately after the dependent process exits.
- Do not commit .apminject files that reveal sensitive internal naming unless that is acceptable for the repo.
pm inject is convenient, but environment variables are still a wider exposure surface than keeping secrets only inside the vault.
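When the dependent process is a single command, the exposure described above can be narrowed: evaluate the emitted export script inside a subshell together with that command, so the child inherits the variables but the interactive shell never holds them. The following is an added example in POSIX sh (not APM's own code). The export script is a constructed stand-in for the Bash-syntax output of pm inject, with fake values, because pm is not available offline; the scoped_run, child_sees and parent_sees helpers are illustrative names.

```sh
#!/bin/sh
# Added example, not APM's own code: confine injected variables to one command.

# Constructed stand-in for the Bash-syntax script pm inject writes to stdout.
# The values are fake; in real use this is the output of pm inject.
constructed_export_script() {
    printf '%s\n' \
        "export GITHUB='ghp_example_not_a_real_token'" \
        "export AWS_PROD='AKIAEXAMPLEKEY'"
}

# Evaluate the export script and run a command in one subshell. The command
# and anything it spawns inherit the variables; the calling shell never does,
# so there is nothing left to unset afterwards.
scoped_run() {
    _script=$1
    shift
    (
        eval "$_script"
        exec "$@"
    )
}

# What a child process observes for variable $2 under export script $1:
# prints "set" or "unset". The variable name travels as a positional
# argument, not spliced into the -c string, so an odd entry name cannot
# become code in the child.
child_sees() {
    scoped_run "$1" sh -c 'if env | grep -q "^$1="; then echo set; else echo unset; fi' sh "$2"
}

# What the calling shell itself observes for variable $1.
parent_sees() {
    if env | grep -q "^$1="; then echo set; else echo unset; fi
}

# The documented pattern, for contrast: eval in the current shell leaves the
# variables there until they are unset (what pm inject kill does for you) or
# the shell exits. Prints the parent's view before and after the unset.
unscoped_then_cleanup() {
    eval "$(constructed_export_script)"
    before=$(parent_sees GITHUB)
    unset GITHUB AWS_PROD
    after=$(parent_sees GITHUB)
    printf '%s %s\n' "$before" "$after"
}
```

Two caveats. The values are still in the child's environment while it runs, where the same user can read them (for example with ps or from /proc on Linux), so scoping limits how long they linger, not who on the host can see them. And pm inject still writes its session record, so pm inject kill is still required before the next injection even though the variables died with the subshell.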
Troubleshooting
No .apminject file found
Use --inject explicitly, or create a .apminject file in the current directory or a parent directory.
Unknown shell warning
APM falls back to Bash syntax if it cannot detect the shell from environment variables.
PowerShell does not persist variables
Apply the output of pm inject with Invoke-Expression. Without Invoke-Expression, you only print the export script instead of applying it.
A session is already active
Run pm inject kill (the PowerShell form of the command differs) to clear the tracked session, then retry the injection.
Related Commands
- pm unlock: Start the vault session required for secret access
- pm get: View or copy a secret interactively
- pm inject kill: Wipe injected variables from the active shell
- pm inject setup-shell: Install the inject() shell helper