// the find
tellerops/teller
Cloud native secrets management for developers - never leave your command line for secrets.
Teller is a CLI tool that pulls secrets from multiple backends (Vault, AWS Secrets Manager, SSM, GCloud, dotenv, etcd) and injects them into your shell or subprocess environment. The pitch is that you stop copying secrets into .env files or exporting them in your shell history — instead you configure once in .teller.yml and run processes through teller. It's a rewrite in Rust of an earlier Go version.
The provider abstraction is well-structured — each backend lives in its own file under teller-providers/src/providers/, and the test harness uses snapshot testing (insta crate) with Docker-based integration tests against real services, not mocks. The redact pipeline feature is genuinely useful for CI log scrubbing and works as a stdin pipe. The trycmd-based CLI tests in teller-cli/tests/cmd/ give you readable golden-file tests that double as documentation. The YAML config supports env-var templating at load time, so the config file itself can stay committed without exposing environment names.
The README has a TODO stub in the YAML export section ('XXX TODO: rewrite how the command export works'), which signals the Go-to-Rust rewrite is not fully complete. Provider coverage is thin — no Azure Key Vault, no 1Password, no Doppler, which is a real gap for teams not on AWS/GCP/HashiCorp. The .teller.yml format conflates provider config with secret mapping in a way that makes rotating credentials or adding a new environment require touching the committed config. Testing requires Docker on every dev machine, which the README calls out for Windows but doesn't otherwise mitigate.