Secrets Management

Manage API keys, credentials, and sensitive configuration for CCO operations.

Overview

CCO supports multiple secrets backends for secure credential management. Secrets can be stored in environment variables, files, or integrated secret managers.

!

Never commit secrets to version control. Use CCO's secrets management to keep credentials secure.

cco secrets list

List all configured secrets backends and their status.

Parameters

Parameter Type Description
--json optional Output as JSON

Examples

bash 
# List configured secrets
cco secrets list

# JSON output
cco secrets list --json

cco secrets add

Add a new secret to the configured backend.

Parameters

Parameter Type Description
--name required Name identifier for the secret
--value required Secret value
--backend default: env Secrets backend: env, file, or vault
--mask optional Mask value in logs (default: true)

Examples

bash 
# Add an API key
cco secrets add --name OPENAI_API_KEY --value sk-...

# Add to file backend
cco secrets add --name DB_PASSWORD --value secret123 --backend file

# Add without masking
cco secrets add --name DEBUG_TOKEN --value abc123 --mask false

cco secrets remove

Remove a secret from the configured backend.

Parameters

Parameter Type Description
--name required Name identifier for the secret to remove
--force optional Skip confirmation prompt

Examples

bash 
# Remove a secret
cco secrets remove --name OPENAI_API_KEY

# Force remove without prompt
cco secrets remove --name OLD_TOKEN --force

Secret Backends

Environment Variables (default)

Secrets are stored in the process environment. Suitable for local development and containerized deployments.

File Backend

Secrets are encrypted and stored in ~/.codified-orchestrator/secrets/. Requires filesystem encryption for security.

Vault Backend

Integration with HashiCorp Vault for enterprise secret management.

up-down Navigate Enter Select Esc Close