Lade (/leɪd/) is a tool allowing you to automatically load secrets from your preferred vault into environment variables or files. It limits the exposure of secrets to the time the command requiring the secrets lives.

Lade is part of the Metatype ecosystem. Consider checking out how this component integrates with the whole ecosystem and browse the documentation to see more examples.

You can download the binary executable from releases page on GitHub, make it executable and add it to your $PATH or use the method below to automate those steps.

# recommended way
curl -fsSL https://raw.githubusercontent.com/zifeo/lade/main/installer.sh | bash

# or alternative ways via cargo
cargo install lade --locked
cargo install --git https://github.com/zifeo/lade --locked

# upgrade
lade upgrade

# install shell hooks (only required once)
lade install

Compatible shells: Fish, Bash, Zsh

Compatible vaults: Infisical, 1Password CLI, Doppler, Vault

Lade will run before and after any command you run in your shell thanks to command hooks installed by lade install. On each run, it will recursively look for lade.yml files in the current directory and its parents. It will then aggregate any secrets matching the command you are running using a regex and load them into environment variables or files for the time of the run.

cd examples/terraform
terraform apply
# example = "hello world"

See lade.yml or the examples folders for other uses cases.

In case you prefer to decide when to load secrets, you can manually decide when to inject them using the inject command. Note that when running scripts or a non-interactive shell session, there is no guarantee that the shell hooks will be triggered. In that case, the inject command is the only way to load secrets.

cd examples/terraform
lade inject terraform apply

By default, Lade will load secrets into environment variables. You can write secrets to a file instead by setting file inside the . configuration block. The content format is determined by the file extension. Currently only YAML and JSON are supported.

command regex:
  .:
    file: secrets.yml
  SECRET: op://...

When different team members need different secret values for the same variable, specify each user as a key. Lade resolves the current user automatically; use "." as a catch-all default for any user not explicitly listed (including when no user is set).

command regex:
  SAME_SECRET_FOR_EVERYONE: hello_world
  SECRET_FOR_THE_USER:
    alex: alex_secret
    zifeo: zifeo_secret
    .: default_secret # used when no matching user is found
  SECRET_FOR_ZIFEO_ONLY:
    zifeo: zifeo_secret
    .: null # explicitly no value for other users

Use the user subcommand to control which user Lade resolves:

lade user              # show currently set user
lade user tonystark    # set user to tonystark
lade user --reset      # reset, falling back to the OS user

Most of the vault loaders use their native CLI to operate. This means you must have them installed locally and your login/credentials must be valid. Lade may evolve by integrating directly with the corresponding API, but this is left as future work.

command regex:
  EXPORTED_ENV_VAR: infisical://DOMAIN/PROJECT_ID/ENV_NAME/SECRET_NAME

Frequent domain(s): app.infisical.com.

Note: the /api is automatically added to the DOMAIN. This source currently only support a single domain (you cannot be logged into multiple ones).

command regex:
  EXPORTED_ENV_VAR: op://DOMAIN/VAULT_NAME/SECRET_NAME/FIELD_NAME

Frequent domain(s): my.1password.eu, my.1password.com or my.1password.ca.

In CI/CD OP_SERVICE_ACCOUNT_TOKEN is typically injected directly by the platform. For cases where the token itself is stored in another vault, add 1password_service_account to the . config block. Lade resolves that URI first — using any loader — and injects the result as OP_SERVICE_ACCOUNT_TOKEN before resolving the remaining op:// secrets. This enables recursive cross-vault lookups: the token lives in Vault or Infisical, and the actual secrets live in 1Password.

Per-user mapping lets each developer or environment use a different source for the token, or skip it entirely with null to fall back on their local op session.

command regex:
  .:
    # simple: token stored in 1Password itself (requires an active op session)
    1password_service_account: op://DOMAIN/VAULT/ITEM/FIELD
    # or per-user: CI pulls token from Vault, others use their local op session
    # 1password_service_account:
    #   ci: vault://DOMAIN/MOUNT/KEY/FIELD
  EXPORTED_ENV_VAR: op://...

command regex:
  EXPORTED_ENV_VAR: doppler://DOMAIN/PROJECT_NAME/ENV_NAME/SECRET_NAME

Frequent domain(s): api.doppler.com.

command regex:
  EXPORTED_ENV_VAR: vault://DOMAIN/MOUNT/KEY/FIELD

command regex:
  EXPORTED_ENV_VAR: passbolt://DOMAIN/RESOURCE_ID/FIELD

Supports INI, JSON, YAML and TOML files.

command regex:
  EXPORTED_ENV_VAR: file://PATH?query=.fields[0].field

PATH can be relative to the lade directory, start with ~/$HOME or absolute (not recommended when sharing the project with others as they likely have different paths).

command regex:
  EXPORTED_ENV_VAR: "value"

Escaping a value with the ! prefix enforces the use of the raw loader and double !! escapes itself.

eval "$(lade off)"
eval "$(cargo run -- on)"
echo a $A1 $A2 $B1 $B2 $B3 $C1 $C2 $C3
cargo run -- -vvv set echo a
cargo run -- inject echo a
eval "$(cargo run -- off)"
eval "$(lade on)"