Interpolate Command

Description: Replace Keeper notation in template files with actual secret values from your Keeper vault. The interpolate command reads template files containing Keeper notation references, fetches the secrets from your vault, and replaces the notation with actual values. This enables secure configuration file generation for deployments, CI/CD pipelines, and shell environment setup.

Parameters:

format: ksm interpolate [INPUT_FILE...] [OPTIONS]

Options:

| Option | Short | Description |
| --- | --- | --- |
| INPUT_FILE | | Input template file(s) to process. If omitted, reads from stdin |
| --output-file PATH | -o | Write output to specified file instead of stdout |
| --in-place | -w | Edit files in place (modifies original files) |
| --backup-suffix SUFFIX | -b | Backup suffix when using -w (default: .bak) |
| --dry-run | -n | Show what would be replaced without making changes |
| --verbose | -v | Verbose output showing each replacement |
| --continue | -C | Continue processing on errors |
| --validate | | Ensure all notations were successfully resolved |
| --allow-unsafe-for-eval | | [RISKY] Allow secrets containing shell metacharacters (required for eval/source) |

Common flags also apply: --profile-name, --ini-file, --color/--no-color, --cache/--no-cache


Keeper Notation Format

The interpolate command supports extended Keeper notation with default values and transformations:

Basic notation:

With default values (shell-style :- syntax):

With transformations (pipe | operator):

Available transformations: base64, base64url, urlencode, urlencodeplus, upper, lower, trim, sha256, md5


Security Features

Safe usage options:

  1. RECOMMENDED Write to file instead of eval:

  2. RISKY Use --allow-unsafe-for-eval flag only if you fully trust all users with Keeper write access:

Additional security features:

  • Output files created with 0600 permissions (owner read/write only)

  • Atomic file operations prevent partial writes

  • Git safety warnings for files not in .gitignore

  • Path traversal attack prevention
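
The block on shell metacharacters and the 0600 atomic output listed above, sketched as an added shell example (not Keeper's code and not how ksm implements them). The function names and the allow-list of characters are assumptions; the page does not say which characters ksm rejects.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not ksm internals.

# Succeeds only if VALUE consists of characters from a conservative
# allow-list, so `eval "export NAME=VALUE"` cannot expand or run anything.
# The allow-list is an assumption of this sketch, not ksm's actual rule.
is_eval_safe() (
    LC_ALL=C   # byte-wise ranges, so A-Z does not match accented letters
    case $1 in
        *[!A-Za-z0-9_.,:/@%+=-]*) exit 1 ;;   # rejects space, $, ;, quotes, newline
    esac
    exit 0
)

# Writes stdin to DEST with mode 0600. Data goes to a temp file in the same
# directory and is renamed over DEST, so readers never see a partial file.
write_private_atomic() (
    dest=$1
    tmp=$(mktemp "$(dirname -- "$dest")/.interp.XXXXXX") || exit 1
    trap 'rm -f -- "$tmp"' EXIT            # clean up if any step fails
    cat > "$tmp" && chmod 600 "$tmp" && mv -f -- "$tmp" "$dest"
)

# Emits one `export NAME=VALUE` line per NAME=VALUE argument, or nothing at
# all (status 1) if any value fails the check.
render_exports() (
    for pair in "$@"; do
        is_eval_safe "${pair#*=}" || {
            echo "blocked ${pair%%=*}: value is not safe for eval" >&2
            exit 1
        }
    done
    printf 'export %s\n' "$@"
)

# Constructed sample values, not real secrets.
demo_dir=$(mktemp -d)
if out=$(render_exports 'DB_USER=app_rw' 'DB_HOST=db.internal:5432'); then
    printf '%s\n' "$out" | write_private_atomic "$demo_dir/config.env"
fi
ls -l "$demo_dir/config.env"               # mode shows -rw-------
render_exports 'API_KEY=abc$(id)' || echo "second batch refused"
rm -rf -- "$demo_dir"
```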


Examples

Basic File Processing

Template file: config.env.template

Process the template:

Result: config.env (with secure 0600 permissions)

Shell Built-ins

Problem: The ksm exec command cannot execute shell built-ins like source:

Solution: Use ksm interpolate instead.

Example 1: Write to file (RECOMMENDED)

Example 2: Direct eval (requires --allow-unsafe-for-eval)

Default Values and Transformations

Template with defaults and transforms:

Process:

If secrets don't exist or are inaccessible, default values are used automatically. Transformations are applied to both secrets and default values.

Additional Usage Patterns

Process from stdin:

Process multiple files:

In-place editing with backup:

Dry run:
