Skip to main content
Set provider: once in ironrun.yml, then reference secrets by path in each command’s env: block. When the agent calls run_sealed, ironrun resolves each reference, injects the values into the child process environment, runs the command, and redacts all matching values from the output before the agent sees it. The agent never touches the resolution step; it only sees the cleaned result.

Provider reference table

For doppler, infisical, and env providers you can also use just the name (NAME or DATABASE_URL) without the scheme prefix. The env provider reads from your shell environment — which is exactly what an agent can dump with printenv. The envfile provider avoids this entirely: it keeps secrets in a file outside your repo and reads them only at the moment a sealed command runs, so they are never in the agent’s environment at all.
1

Create a secure secrets directory

The 700 permission means only your user can read or enter this directory.
2

Write your secrets file

chmod 600 means only your user can read this file. ironrun refuses to read files with group or world permissions.
3

Point your policy at the file

Now ironrun run test still has every secret, but the agent’s shell has none of them. printenv and cat .env come up empty in the agent’s session.

Per-provider setup

1Password

ironrun uses the op CLI to resolve op:// references. You need the 1Password CLI installed and authenticated.
Provider overhead is ~100ms per secret resolution due to the CLI call and 1Password authentication round-trip.

Doppler

ironrun uses the doppler CLI to resolve doppler:// references.

Infisical

ironrun uses the infisical CLI to resolve infisical:// references.

HashiCorp Vault

ironrun reads VAULT_ADDR and VAULT_TOKEN from the environment for Vault KV v2 references. No additional CLI is needed.
The reference format is vault://<kv-path>#<field-name>.

env (shell environment)

The env provider reads named variables from the shell environment that ironrun itself runs in.
The env provider reads from the shell environment. Agents can dump that environment with printenv, env, or echo $DATABASE_URL. This defeats the core protection ironrun provides. Use envfile for local development instead.

passthrough

Use passthrough for non-secret values you want to inject as environment variables. The value in the env: block is used literally.
This is also useful for mixing non-secret config values with a different provider: set provider: to your secret manager and use literal values for non-sensitive entries.

Choosing a provider

Use envfile for local development with AI agents — secrets stay in a file that agents cannot access, and setup requires no external service. Use 1Password, Doppler, or Infisical for team-shared secrets and CI environments where multiple people or machines need the same credentials.

Local dev

envfile — secrets in a local file, outside the repo, outside the agent’s shell environment. Fast resolution (~2ms), no external service required.

Team secrets

1Password / Doppler / Infisical — secrets stored in a managed service, shared across team members and CI. Requires the provider’s CLI and authentication.

Infrastructure

HashiCorp Vault — secrets from a self-hosted or HCP Vault cluster. Reads VAULT_ADDR and VAULT_TOKEN from the environment; no extra CLI needed.

Non-secrets

passthrough — inject literal values (feature flags, non-sensitive config) without a secret provider. Values appear in the policy file in plaintext.