Exec

Run a subprocess with vault credentials injected as environment variables. The credential exists only in the child process's memory: it is never written to disk and never passed as a command-line argument, where any same-user process could read it from the process table.

Function

execWithCredentials(options)

options.command: string[] (required)
    Command and arguments to execute.

options.passports: ExecPassportSpec[] (required)
    Passports to inject. Each entry names the passport by passportRef (ID or name) and may set envVarOverride to choose the environment variable it is exposed as.

options.vault: Vault (required)
    Unlocked vault instance.

options.actor: string (required)
    Actor name recorded in the audit log.

options.inheritEnv: boolean
    Inherit the parent environment (with IDW_PASSPHRASE and IDW_SESSION_TOKEN stripped). Default: true.

options.extraEnv: Record<string, string>
    Additional environment variables to set in the child.

options.cwd: string
    Working directory for the child process.

options.dryRun: boolean
    Print what would be injected without executing the command.

Returns: Promise<ExecResult>, where ExecResult is { exitCode, signal?, injectedVars, duration, auditEntryIds }.

Security Properties

  • Credentials exist only in the child process environment; they are never written to disk or placed on the command line
  • IDW_PASSPHRASE and IDW_SESSION_TOKEN are stripped from the child environment
  • The policy engine is evaluated before any credential is injected; a denied request injects nothing
  • All access is audit-logged with the command name, PID and duration
  • Signals (SIGTERM, SIGINT, SIGHUP) are propagated to the child

Note that the child's environment is inherited by any process the child spawns and, on Linux, is readable via /proc/<pid>/environ by processes running as the same user, so the command you run should be one you trust with the credential.

See the Credential Injection guide for CLI usage and examples.