dotsm
Sync AWS Secrets Manager secrets with .env files — pull, push, and diff in a single binary.
Install
Homebrew
brew install mickamy/tap/dotsm
Go
go install github.com/mickamy/dotsm@latest
Binary
Download from Releases.
Usage
Pull
Fetch a secret and write it out as .env:
# Write to file
dotsm pull -secret myapp-prod/app -output .env
# Print to stdout
dotsm pull -secret myapp-prod/app
Push
Read a .env file and store it as a JSON secret:
dotsm push -secret myapp-prod/app -input .env
# Preview without writing
dotsm push -secret myapp-prod/app -input .env -dry-run
Diff
Compare local .env with remote secret:
dotsm diff -secret myapp-prod/app -input .env
Output:
+ NEW_KEY # in local, not in remote
- REMOVED_KEY # in remote, not in local
~ CHANGED_KEY (changed)
Exits with code 1 if differences are found — useful in CI.
Secret values are masked by default. Use -show-values to reveal them.
Common Options
| Flag | Description |
| --- | --- |
| -secret | Secret ID in Secrets Manager (required) |
| -region | AWS region (overrides default) |
| -profile | AWS CLI profile |
Prerequisites
The push command updates an existing secret. Create the secret beforehand (e.g., via Terraform/OpenTofu or AWS CLI):
aws secretsmanager create-secret --name myapp-prod/app --secret-string '{}'
Limitations
- Multiline values are escaped as \n / \r in .env output. Raw multiline .env syntax is not supported.
- Secrets must be JSON objects with string values ({"KEY": "value"}).
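The diff output described under Diff and the secret shape and \n / \r escaping described in Limitations, as an added Go example that is not dotsm's own code: it parses a .env string, compares it with a JSON secret and returns the +/-/~ lines without ever exposing values. The parsing rules (comment handling, quote stripping, restoring the \n / \r escapes) are assumptions; the README does not specify them.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// parseDotenv turns KEY=VALUE lines into a map. Assumed rules (the README does not
// spell them out): lines without '=' and '#' comments are skipped, one surrounding pair
// of double quotes is stripped, and the \n / \r escapes dotsm writes are restored.
func parseDotenv(src string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || strings.HasPrefix(k, "#") {
			continue
		}
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = strings.NewReplacer(`\n`, "\n", `\r`, "\r").Replace(v[1 : len(v)-1])
		}
		out[strings.TrimSpace(k)] = v
	}
	return out
}

// diffSecrets compares the local map with the remote JSON secret and reports the
// +/-/~ lines in the format shown above. Only key names are reported, so the output
// is safe to print in CI logs; a non-empty result is the "exit code 1" case.
func diffSecrets(local map[string]string, remoteJSON []byte) ([]string, error) {
	remote := map[string]string{}
	if err := json.Unmarshal(remoteJSON, &remote); err != nil {
		return nil, err // not a JSON object of strings: the shape the README requires
	}
	var lines []string
	for k, v := range local {
		if rv, ok := remote[k]; !ok {
			lines = append(lines, "+ "+k)
		} else if rv != v {
			lines = append(lines, "~ "+k+" (changed)")
		}
	}
	for k := range remote {
		if _, ok := local[k]; !ok {
			lines = append(lines, "- "+k)
		}
	}
	sort.Strings(lines)
	return lines, nil
}
```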
AWS Authentication
dotsm uses the standard AWS SDK credential chain:
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- Shared credentials file (~/.aws/credentials)
- IAM role (EC2, ECS, Lambda)
License
MIT