#env-var #secret #shell #vault #command #automatic #environment

app lade

Automatically load secrets from your preferred vault as environment variables, and clear them once your shell command is over

26 releases (10 breaking)

new 0.11.0 Apr 11, 2024
0.10.0 Mar 8, 2024
0.9.1 Oct 2, 2023
0.7.0 Jun 13, 2023
0.4.0 Mar 16, 2023

#44 in Authentication

Download history 8/week @ 2024-02-24 78/week @ 2024-03-02 89/week @ 2024-03-09 7/week @ 2024-03-16 19/week @ 2024-03-30 41/week @ 2024-04-06

76 downloads per month

MPL-2.0 license


Rust 1.5K SLoC // 0.0% comments Shell 286 SLoC // 0.3% comments Zsh 26 SLoC // 0.1% comments BASH 20 SLoC



Lade (/leɪd/) is a tool allowing you to automatically load secrets from your preferred vault into environment variables or files. It limits the exposure of secrets to the time the command requiring the secrets lives.


Lade is part of the Metatype ecosystem. Consider checking out how this component integrates with the whole ecosystem and browse the documentation to see more examples.

Getting started

You can download the binary executable from releases page on GitHub, make it executable and add it to your $PATH or use the method below to automate those steps.

curl -fsSL https://raw.githubusercontent.com/zifeo/lade/main/installer.sh | bash

# via cargo
cargo install lade --locked
cargo install --git https://github.com/zifeo/lade --locked

# upgrade
lade upgrade

# install shell hooks (only required once)
lade install

Compatible shells: Fish, Bash, Zsh

Compatible vaults: Infisical, 1Password CLI, Doppler, Vault


Lade will run before and after any command you run in your shell thanks to command hooks installed by lade install. On each run, it will recursively look for lade.yml files in the current directory and its parents. It will then aggregate any secrets matching the command you are running using a regex and load them into environment variables or files for the time of the run.

cd examples/terraform
terraform apply
# example = "hello world"

See lade.yml or the examples folders for other uses cases.

Manual injections

In case you prefer to decide when to load secrets, you can manually decide when to inject them using the inject command. Note that when running scripts or a non-interactive shell session, there is no guarantee that the shell hooks will be triggered. In that case, the inject command is the only way to load secrets.

cd examples/terraform
lade inject terraform apply

Outputting as files

By default, Lade will load secrets into environment variables. You can change this by setting the . to the desired file name. The content will be created based on the extension. Currently, only YAML and JSON are supported.

command regex:
  .: file.yml


Most of the vault loaders use their native CLI to operate. This means you must have them installed locally and your login/credentials must be valid. Lade may evolve by integrating directly with the corresponding API, but this is left as future work.

Infisical loader

command regex:

Frequent domain(s): app.infisical.com.

Note: the /api is automatically added to the DOMAIN. This source currently only support a single domain (you cannot be logged into multiple ones).

1Password loader

command regex:

Frequent domain(s): my.1password.eu, my.1password.com or my.1password.ca.

Doppler loader

command regex:

Frequent domain(s): api.doppler.com.

Vault loader

command regex:

Passbolt loader

command regex:

File loader

Supports INI, JSON, YAML and TOML files.

command regex:
  EXPORTED_ENV_VAR: file://PATH?query=.fields[0].field

PATH can be relative to the lade directory, start with ~/$HOME or absolute (not recommended when sharing the project with others as they likely have different paths).

Raw loader

command regex:

Escaping a value with the ! prefix enforces the use of the raw loader and double !! escapes itself.


eval "$(lade off)"
eval "$(cargo run -- on)"
echo a $A1 $A2 $B1 $B2 $B3 $C1 $C2 $C3
cargo run -- -vvv set echo a
eval "$(cargo run -- off)"
eval "$(lade on)"


~1M SLoC