Secrets Management
ctx can fetch secrets from password managers and cloud secret services, injecting them as environment variables on context switch.
Supported Providers
| Provider | Type | CLI | Install |
|---|---|---|---|
| Bitwarden | Password Manager | bw | bitwarden.com/help/cli |
| 1Password | Password Manager | op | developer.1password.com/docs/cli |
| HashiCorp Vault | Secrets Engine | vault | developer.hashicorp.com/vault |
| AWS Secrets Manager | Cloud | aws | Uses aws: config |
| AWS Parameter Store | Cloud | aws | Uses aws: config |
| GCP Secret Manager | Cloud | gcloud | Uses gcp: config |
Configuration Overview
Each provider has its own config section for authentication, and a unified secrets: section for what to fetch:
```yaml
# Provider Authentication
bitwarden:
  auto_login: true

onepassword:
  auto_login: true
  account: "my.1password.com"

vault:
  address: https://vault.example.com
  auth_method: oidc
  auto_login: true

# Cloud providers use existing auth from aws:/gcp: sections

# What secrets to fetch (injected as env vars)
secrets:
  bitwarden:
    DB_PASSWORD: "prod-database"
  onepassword:
    API_KEY: "api-credentials"
  vault:
    SECRET_TOKEN: "databases/prod#password"
  aws_secrets_manager:
    STRIPE_KEY: "prod/stripe#secret_key"
  aws_ssm:
    DATABASE_URL: "/prod/myproject/database_url"
  gcp_secret_manager:
    SERVICE_ACCOUNT: "myproject-sa-key"
```
How It Works
- On ctx use, ctx checks if you're authenticated with each configured provider
- If auto_login: true and not authenticated, runs the login command automatically
- Fetches each item and extracts the appropriate field
- Injects values as environment variables
Field Syntax
All providers support the item#field syntax to specify which field to extract:
```yaml
secrets:
  bitwarden:
    PASSWORD: "my-login"                    # Auto-detect field
    # Second form shown under its own name, since YAML keys must be unique
    PASSWORD_EXPLICIT: "my-login#password"  # Explicit field
  vault:
    DB_PASS: "databases/prod#password"
  aws_secrets_manager:
    API_KEY: "prod/keys#stripe"             # JSON key extraction
```
Field Priority
When no #field is specified, each provider has a default priority:
| Provider | Field Priority |
|---|---|
| Bitwarden | password → notes |
| 1Password | password → credential → notesPlain |
| Vault | Specified field, defaults to value |
| AWS Secrets Manager | Full string, or JSON key if #key specified |
| AWS SSM | Parameter value (auto-decrypted) |
| GCP Secret Manager | Secret payload data |
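
The resolution rules from the table, as an added sketch that is not ctx's own code: it parses an item#field reference and applies the default priority for Bitwarden, 1Password, Vault and AWS Secrets Manager. The function names, the shape of `fetched`, splitting on the first `#`, and treating an empty field as missing are assumptions.

```python
import json

# Default field order when no #field is given (taken from the table above).
DEFAULT_PRIORITY = {
    "bitwarden": ["password", "notes"],
    "onepassword": ["password", "credential", "notesPlain"],
    "vault": ["value"],
}

def parse_ref(ref):
    """Split 'item#field' into (item, field); field is None when omitted.
    Assumption: item names contain no '#', so the first '#' is the separator."""
    item, sep, field = ref.partition("#")
    if not item or (sep and not field):
        raise ValueError(f"malformed secret reference: {ref!r}")
    return item, field or None

def resolve(provider, ref, fetched):
    """Return the value that would be injected for `ref`.
    `fetched` is a constructed stand-in for the provider's response:
    a dict of fields, or the raw secret string for aws_secrets_manager."""
    _, field = parse_ref(ref)
    if provider == "aws_secrets_manager":
        if field is None:
            return fetched                 # full secret string
        doc = json.loads(fetched)          # '#key' selects a JSON key
        if field not in doc:
            raise KeyError(f"JSON key {field!r} not in secret")
        return doc[field]
    if provider not in DEFAULT_PRIORITY:
        raise ValueError(f"provider not modelled here: {provider}")
    candidates = [field] if field else DEFAULT_PRIORITY[provider]
    for name in candidates:
        if fetched.get(name):              # assumption: empty counts as missing
            return fetched[name]
    # Fail closed rather than exporting an empty variable as a secret.
    raise KeyError(f"none of {candidates} present in {provider} item")
```

Failing closed on an unresolved field keeps a typo in the config from silently producing an empty environment variable.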
Session Storage
ctx stores authentication sessions securely in your system keychain:
| Platform | Storage |
|---|---|
| macOS | Keychain |
| Linux | Secret Service API (gnome-keyring, kwallet) |
| Windows | Windows Credential Manager |
Sessions are cleared on ctx logout <context>.
Multiple Providers
You can use multiple providers in the same context: