Overview
The fjall secret command manages secrets stored in AWS SSM Parameter Store. Secrets are namespaced by application and optionally by cluster and service for fine-grained access control.
Usage
Subcommands
set
Set a secret value:
get
Retrieve a secret value:
list / ls
List all secrets in a namespace:
delete / rm
Delete a secret:
export
Export secrets in dotenv format:
exec
Execute a command with secrets as environment variables:
import
Import secrets from a .env file:
Error: File path is required.
Options
| Option | Description | Example |
|---|---|---|
| -a, --app <name> | Target application (required) | --app myapp |
| -c, --cluster <name> | Optional cluster namespace | --cluster prod |
| -s, --service <name> | Optional service namespace | --service api |
| -l, --lambda <name> | Scope secrets to a Lambda function | --lambda ImageProcessor |
| -f, --from-file <path> | Read secret value from a file (for set) | -f ./secret.pem |
| --format <type> | Export format: json, dotenv, env (default: dotenv) | --format json |
| --all | Include child namespaces when listing | --all |
| -f, --force | Skip confirmation for delete | --force |
| -v, --verbose | Show detailed output | -v |
| --non-interactive | Disable prompts | --non-interactive |
The -f short flag has different meanings depending on the subcommand: --from-file for set and --force for delete. Use the long form to avoid ambiguity.
Namespace Hierarchy
Secrets are organised in a hierarchical namespace:
The cluster name lambda is reserved — it marks Lambda-scoped paths in the hierarchy. Use --lambda <function> for Lambda secrets; --cluster lambda is rejected.
fjall secrets exec and fjall secrets export: these merge secrets from parent namespaces (app → cluster → service, with more specific values overriding). Deployed workloads do not inherit — an ECS service reads only its exact /<app>/<cluster>/<service>/ path, and a Lambda only /<app>/lambda/<function>/. App-level secrets are never injected into containers.
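The gap between the merged exec/export view and what a deployed ECS service actually reads, as an added example (not fjall's own code). It assumes each secret is stored at its namespace path plus its name; the function names and sample parameters are constructed for illustration.

```python
# Added illustration, not fjall source code. Assumption: a secret is stored at
# <namespace path> + <name>, e.g. /myapp/prod/api/DATABASE_URL.
SAMPLE_PARAMS = {  # constructed sample data
    "/myapp/LOG_LEVEL": "debug",
    "/myapp/DATABASE_URL": "postgres://app-default",
    "/myapp/prod/DATABASE_URL": "postgres://prod",
    "/myapp/prod/api/DATABASE_URL": "postgres://prod-api",
    "/myapp/prod/api/API_KEY_V2": "constructed-key",
    "/myapp/lambda/ImageProcessor/API_KEY_V2": "constructed-lambda-key",
}

def secrets_at(params, prefix):
    """Secrets stored directly under prefix; child namespaces are excluded."""
    found = {}
    for path, value in params.items():
        parent, _, name = path.rpartition("/")
        if parent + "/" == prefix:
            found[name] = value
    return found

def merged_view(params, app, cluster=None, service=None):
    """exec/export view: app -> cluster -> service, most specific value wins."""
    if cluster == "lambda":
        raise ValueError("cluster name 'lambda' is reserved for Lambda paths")
    prefixes = [f"/{app}/"]
    if cluster:
        prefixes.append(f"/{app}/{cluster}/")
        if service:
            prefixes.append(f"/{app}/{cluster}/{service}/")
    merged = {}
    for prefix in prefixes:  # later (more specific) prefixes override earlier
        merged.update(secrets_at(params, prefix))
    return merged

def deployed_view(params, app, cluster, service):
    """ECS service view: only the exact /<app>/<cluster>/<service>/ path."""
    return secrets_at(params, f"/{app}/{cluster}/{service}/")

def missing_when_deployed(params, app, cluster, service):
    """Names that exec/export supply locally but the container never receives."""
    merged = merged_view(params, app, cluster, service)
    return sorted(set(merged) - set(deployed_view(params, app, cluster, service)))

if __name__ == "__main__":
    print(missing_when_deployed(SAMPLE_PARAMS, "myapp", "prod", "api"))
```

Any name this check reports works under local exec but is absent in the running container, so it has to be set at the service path before deploying.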
Non-Interactive Mode
For CI/CD pipelines, use the --non-interactive flag with all required options:
Secret Naming Rules
Secret names must:
- Start with a letter or underscore
- Contain only letters, numbers, underscores, hyphens, or periods
Valid names:
- DATABASE_URL
- API_KEY_V2
- database-url
- my.secret
- _internal_flag
Invalid names:
- 2FA_CODE (starts with a number)
- my secret (contains a space)
Security
- Secrets are stored encrypted in AWS SSM Parameter Store (SecureString type)
- Access is controlled via IAM policies
- Secrets are displayed in plain text only when you explicitly request them (get, export) or inject them into a process environment (exec); they are never written to logs
- Use namespace hierarchy for least-privilege access
Examples
Set multiple secrets
Local development with secrets
CI/CD pipeline
Service-specific secrets
Troubleshooting
Permission Denied
ssm:GetParameter permission for the parameter’s ARN.
Secret Not Found
fjall secrets list --app myapp to see available secrets.
Invalid Secret Name