Teller

Universal CLI secret manager for seamless developer workflows

Teller lets developers fetch, inject, and manage secrets from any vault directly in the terminal, eliminating hard‑coded credentials and simplifying CI/CD, Docker, and local workflows.

Overview

Teller is a command‑line tool that centralises secret access for developers. By defining providers such as HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, or simple dotenv files in a `.teller.yml` configuration, you can retrieve and inject secrets without ever leaving the terminal.

Capabilities

Teller can run subprocesses with environment variables populated (`teller run`), expose variables to the current shell (`teller sh`), generate Docker‑compatible env files, scan codebases for hard‑coded secrets, redact secrets from logs and process output, populate custom templates, and copy or sync data between providers. It integrates with CI pipelines via `teller scan --error-if-found` and can be used as a shift‑left security gate.

Deployment

Install Teller by downloading a binary from the releases page or building from source with Cargo. After running `teller new` to create a starter configuration, edit `.teller.yml` to map provider paths and keys. The tool runs on any system that supports the binary, making it suitable for local development, CI runners, and containerised environments.

Highlights

  • Supports multiple secret backends (Vault, AWS, GCP, dotenv, etc.)
  • Runs processes with on‑the‑fly secret injection
  • Built‑in secret scanning and redaction for CI/CD
  • Template rendering and provider‑to‑provider sync

Pros

  • Eliminates hard‑coded credentials in code and shell scripts
  • Works with existing secret stores via a unified CLI
  • Lightweight, no server component required
  • Can be integrated into CI pipelines for automated checks

Considerations

  • Requires manual configuration of `.teller.yml`
  • CLI‑only interface may not suit users preferring GUIs
  • Learning curve for mapping providers and keys
  • Binary must be available on each execution environment

Managed products teams compare with

When teams consider Teller, these hosted platforms usually appear on the same shortlist.

Akeyless

Cloud-native SaaS platform for unified secrets management and machine identity security

AWS Secrets Manager

Managed service for securely storing, retrieving, and rotating application secrets (credentials, API keys, etc.)

Azure Key Vault

Cloud service for secure storage and management of cryptographic keys, secrets, and certificates

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Developers who need to inject secrets into local processes
  • Teams seeking a consistent secret workflow across environments
  • CI/CD pipelines that require secret scanning and enforcement
  • Docker workflows that need temporary env files without persisting secrets

Not ideal for

  • Organizations that require a full‑featured secret‑management UI
  • Large enterprises needing granular policy enforcement beyond fetching
  • Environments where installing additional binaries is prohibited
  • Users who only need a single static `.env` file without dynamic fetching

How teams use it

Run a local application with Vault secrets

The app starts with environment variables populated directly from HashiCorp Vault, avoiding any credential files on disk.

CI pipeline secret sprawl detection

`teller scan --error-if-found` fails the build when hard‑coded secrets are detected, enforcing security best practices.

Docker container environment injection

A one‑liner supplies an env‑file to `docker run`, keeping secrets out of the image and command history.

Real‑time log redaction

Streaming logs through `teller redact` automatically masks secret values before they are stored or displayed.

Tech snapshot

Rust 98%
Shell 1%
PowerShell 1%
JavaScript 1%
Raku 1%

Tags

rust-lang, aws, vault, secret-management, secrets, rust, hashicorp

Frequently asked questions

How do I install Teller?

Download a pre‑built binary from the releases page or build from source using Cargo (`cargo install --path .`).

How do I configure secret providers?

Run `teller new` to generate a starter `.teller.yml`, then edit the file to define providers, maps, and key mappings.

Can Teller write secrets back to a provider?

Yes, providers that support write operations can be used with `teller write` and multi‑write commands.

Is Teller suitable for CI/CD environments?

Absolutely; use `teller scan` to detect hard‑coded secrets and `teller env` or `teller run` to inject secrets during builds.

What happens if a secret is rotated in the underlying vault?

Teller fetches the current value each time it runs, so rotated secrets are automatically used on the next execution.

Project at a glance

Dormant
Stars: 3,160
Watchers: 3,160
Forks: 196
License: Apache-2.0
Repo age: 4 years old
Last commit: last year
Primary language: Rust
