provider: once in ironrun.yml, then reference secrets by path in each command’s env: block. When the agent calls run_sealed, ironrun resolves each reference, injects the values into the child process environment, runs the command, and redacts all matching values from the output before the agent sees it. The agent never touches the resolution step; it only sees the cleaned result.
Provider reference table
For
doppler, infisical, and env providers you can also use just the name (NAME or DATABASE_URL) without the scheme prefix.
Recommended for local dev: envfile
Theenv provider reads from your shell environment — which is exactly what an agent can dump with printenv. The envfile provider avoids this entirely: it keeps secrets in a file outside your repo and reads them only at the moment a sealed command runs, so they are never in the agent’s environment at all.
1
Create a secure secrets directory
700 permission means only your user can read or enter this directory.2
Write your secrets file
chmod 600 means only your user can read this file. ironrun refuses to read files with group or world permissions.3
Point your policy at the file
ironrun run test still has every secret, but the agent’s shell has none of them. printenv and cat .env come up empty in the agent’s session.
Per-provider setup
1Password
ironrun uses theop CLI to resolve op:// references. You need the 1Password CLI installed and authenticated.
Doppler
ironrun uses thedoppler CLI to resolve doppler:// references.
Infisical
ironrun uses theinfisical CLI to resolve infisical:// references.
HashiCorp Vault
ironrun readsVAULT_ADDR and VAULT_TOKEN from the environment for Vault KV v2 references. No additional CLI is needed.
vault://<kv-path>#<field-name>.
env (shell environment)
Theenv provider reads named variables from the shell environment that ironrun itself runs in.
passthrough
Usepassthrough for non-secret values you want to inject as environment variables. The value in the env: block is used literally.
provider: to your secret manager and use literal values for non-sensitive entries.
Choosing a provider
Local dev
envfile — secrets in a local file, outside the repo, outside the agent’s shell environment. Fast resolution (~2ms), no external service required.
Team secrets
1Password / Doppler / Infisical — secrets stored in a managed service, shared across team members and CI. Requires the provider’s CLI and authentication.
Infrastructure
HashiCorp Vault — secrets from a self-hosted or HCP Vault cluster. Reads
VAULT_ADDR and VAULT_TOKEN from the environment; no extra CLI needed.Non-secrets
passthrough — inject literal values (feature flags, non-sensitive config) without a secret provider. Values appear in the policy file in plaintext.