Command Line Tools
wheels deploy secrets fetch
Fetch one or more named keys from a named adapter. Prints them as KEY=VALUE lines — the format .kamal/secrets accepts via $(...).
Invoke it through the flat alias wheels deploy fetch-secrets — the nested wheels deploy secrets fetch form is shadowed at the shell by the CLI’s own secrets command (#2697, #2699).
Synopsis
Section titled “Synopsis”wheels deploy fetch-secrets --adapter=<name> [--account=<acct>] [--from=<scope>] <KEY>...| Flag | Description |
|---|---|
--adapter=<name> | Required. One of op, 1password, bw, bitwarden, aws, lpass, lastpass, doppler. Unknown names throw DeploySecretsCli.UnknownAdapter. |
--account=<acct> | Adapter-specific account selector. |
--from=<scope> | Adapter-specific scope — e.g. op://Vault/Item for 1Password, a prefix path for Doppler. |
<KEY>... | One or more keys to fetch. Required; no keys throws DeploySecretsCli.NoKeys. |
Behavior
Section titled “Behavior”Shells out to the adapter’s CLI tool with the given scope. Returns a newline-separated KEY=VALUE block on success. The adapter CLI must be installed locally.
Examples
Section titled “Examples”wheels deploy fetch-secrets --adapter=op --from=op://Production/App DATABASE_URLwheels deploy fetch-secrets --adapter=aws --from=prod/app DB_PASSWORDWrap inside .kamal/secrets for batched resolution:
$(wheels deploy fetch-secrets --adapter=op --from=op://Production/App DATABASE_URL WHEELS_MASTER_KEY)