
Using secretspec within devenv profiles seems to not work

Open: auumai-mattia opened this issue 2 months ago • 1 comment

I am trying this:

{ pkgs, config, ... }:

{
    packages = [
        pkgs.secretspec
    ];

    profiles = {
        backend.module = { config, ... }: {
            env = {
                DATABASE_URL = config.secretspec.secrets.DATABASE_URL;
            };
        };
    };
}

I have tried:

secretspec check --profile backend

And I find all my secrets.

However, if I do:

secretspec run -P backend -- devenv --profile backend shell

I see:

           17|             env = {
           18|                 DATABASE_URL = config.secretspec.secrets.DATABASE_URL;
             |                                ^

       error: attribute 'DATABASE_URL' missing

Not quite sure why.

Does anyone have any suggestions?

auumai-mattia, Dec 21 '25 19:12

Thanks for reporting this! To better understand what's happening, could you share a bit more about your setup?

  1. Your devenv.yaml secretspec configuration - specifically, do you have secretspec.enable: true and what profile/provider is configured there (if any)?
  2. Your secretspec.toml structure - which profiles are defined and which secrets are in each?
  3. When you say "secretspec check --profile backend" works - does that show DATABASE_URL in the output?

My current hypothesis is that there may be a mismatch between the secretspec profile used by secretspec run -P backend and the secretspec profile configured in devenv.yaml. When devenv has secretspec.enable: true, it loads secrets using its own configured profile (from devenv.yaml), which might not match the -P backend you passed to secretspec run.

Could you confirm whether your devenv.yaml has secretspec.profile: backend set, or if you're relying on secretspec run -P backend to inject the secrets?

domenkozar, Dec 28 '25 12:12