ov run
ov run is the CLI equivalent of vault_run. It fetches secrets for the active app, injects them as env vars, runs a command, and exits. Use it in scripts, CI, deploy pipelines, or anywhere you need secrets without the MCP layer.
```sh
ov run [flags] -- <command>
```

Examples

Run database migrations with all secrets for the default app:

```sh
ov run -- go run ./cmd/migrate
```

Run with a specific app:

```sh
ov run --app my-saas -- npm test
```

Inject only specific secrets:

```sh
ov run --app my-saas --secrets DATABASE_URL,STRIPE_SECRET_KEY -- go test ./...
```

Run non-interactively in CI or a systemd service (no password prompt):

```sh
ov run --machine-key /etc/ov/machine.kek --app my-saas -- ./server
```

Non-interactive use (machine keys)

By default, ov run prompts for your master password on every invocation. For automated deployments — CI pipelines, Docker containers, systemd services — use a machine key file instead:

```sh
# One-time setup (as a human, interactive)
ov auth derive-machine-key --out /etc/ov/machine.kek --app my-saas

# Every subsequent run (no prompt)
ov run --machine-key /etc/ov/machine.kek --app my-saas -- ./server
```

See the Machine Keys guide for full setup instructions, Docker and systemd examples, key rotation, and security properties.

| Flag | Description |
|---|---|
| `--app NAME` | Target app (overrides config default) |
| `--secrets NAME1,NAME2` | Explicit list of secrets to inject |
| `--machine-key PATH` | Path to a machine key file — skips password prompt (see Machine Keys) |
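
A pre-flight check for the non-interactive machine-key invocation described above, as an added example that is not part of the ov documentation or code base. It assumes the key file is as sensitive as the master password it replaces; `check_machine_key` and `run_with_machine_key` are hypothetical helper names, and only the `ov run` flags listed on this page are used.

```shell
#!/bin/sh
# Added example (not from the ov project): refuse to start when the machine
# key file is readable, writable or executable by anyone but its owner.
# Assumption: the key file must be protected like the master password.

# check_machine_key PATH
# Returns 0 only if PATH is a regular file, not a symlink, with no
# group/other permission bits set (for example mode 0600 or 0400).
check_machine_key() {
    key=$1
    if [ -L "$key" ]; then
        echo "refusing symlinked key file: $key" >&2
        return 1
    fi
    if [ ! -f "$key" ]; then
        echo "key file missing or not a regular file: $key" >&2
        return 1
    fi
    # POSIX find: "-perm -MODE" matches when every bit in MODE is set,
    # so each group/other bit is tested on its own.
    loose=$(find "$key" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "group/other can access $key; expected mode 0600 or 0400" >&2
        return 1
    fi
    return 0
}

# run_with_machine_key KEY APP SECRETS COMMAND [ARGS...]
# Checks the key file, then injects only the named secrets (least privilege)
# using the --machine-key, --app and --secrets flags documented on this page.
run_with_machine_key() {
    key=$1
    app=$2
    secrets=$3
    shift 3
    check_machine_key "$key" || return 1
    ov run --machine-key "$key" --app "$app" --secrets "$secrets" -- "$@"
}

# Usage (values taken from the examples on this page):
#   run_with_machine_key /etc/ov/machine.kek my-saas DATABASE_URL ./server
```
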