ov shell
ov shell starts an interactive shell session with named secrets pre-injected as environment variables. Use it when you need a full terminal with credentials available — running psql, debugging with live credentials, or using tools that don’t work with ov run.

```sh
ov shell --secrets DATABASE_URL,STRIPE_SECRET_KEY
```

How it works

ov shell uses syscall.Exec to replace the current process with the shell, so the terminal gets real file descriptors. Interactive programs (psql, vim, htop, etc.) work correctly — you’re not in a subprocess, you’re in the shell.
The KEK is zeroed before the shell starts. Secret values live in the shell’s environment for the full session lifetime.
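
The hand-off described above, sketched in Go as an added example (not ov's own source): it resolves the shell the way the `--shell` default is documented, applies the `--login` argv[0] prefix, and replaces the process with syscall.Exec. The function names, the use of the shell's basename for argv[0], and the sample DATABASE_URL value are assumptions.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// resolveShell applies the documented order: --shell, then $SHELL, then /bin/sh.
func resolveShell(flag string) string {
	for _, s := range []string{flag, os.Getenv("SHELL")} {
		if s != "" {
			return s
		}
	}
	return "/bin/sh"
}

// shellArgv builds argv; --login prefixes argv[0] with "-" (basename is an assumption).
func shellArgv(shell string, login bool) []string {
	name := filepath.Base(shell)
	if login {
		name = "-" + name
	}
	return []string{name}
}

// mergeEnv drops inherited variables that a secret replaces, then appends the secrets.
func mergeEnv(base, secrets []string) []string {
	replaced := map[string]bool{}
	for _, s := range secrets {
		name, _, _ := strings.Cut(s, "=")
		replaced[name] = true
	}
	out := []string{}
	for _, kv := range base {
		if name, _, _ := strings.Cut(kv, "="); !replaced[name] {
			out = append(out, kv)
		}
	}
	return append(out, secrets...)
}

func main() {
	secrets := []string{"DATABASE_URL=postgres://demo@localhost/demo"} // constructed value
	shell := resolveShell("")
	// Exec returns only on failure; on success this process image is the shell.
	panic(syscall.Exec(shell, shellArgv(shell, false), mergeEnv(os.Environ(), secrets)))
}
```

Because the secrets are part of the environment handed to exec, every process started from that shell inherits them for as long as the session lasts.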

```sh
ov shell [flags]
```

No arguments required. Secrets are specified via --secrets.

| Flag | Description |
|---|---|
| `--secrets NAME,NAME2` | Comma-separated list of secret names to inject |
| `--app NAME` | Target app (overrides default) |
| `--machine-key PATH` | Path to machine key file for non-interactive use |
| `--shell PATH` | Shell to launch (default: $SHELL, fallback: /bin/sh) |
| `--login` | Start the shell as a login shell (prefixes argv[0] with -, POSIX login shell convention) |

Examples

Start a shell with a database URL available:

```sh
ov shell --secrets DATABASE_URL
# → starts $SHELL with DATABASE_URL in env
psql $DATABASE_URL
```

Use a non-default shell:

```sh
ov shell --secrets DATABASE_URL --shell /bin/zsh
```

Target a specific app:

```sh
ov shell --secrets DATABASE_URL --app payments-service
```

Security considerations

ov shell vs ov run

| | ov shell | ov run |
|---|---|---|
| Use case | Interactive terminal sessions | Scripted / automated commands |
| Secret lifetime | Full shell session | Single subprocess only |
| Child process access | All child processes see secrets | Only the target command sees secrets |
| env / printenv visible | Yes | Yes (within the subprocess) |
| Suitable for CI/CD | No | Yes |