Skip to main content


Targets define where a Task will run and using what credentials, after which teams review them.

The Target Object#


The name of the Target.


A description for the Target.


The type of the integration for the Target.


The review configuration for Target: none, default, or teams.

Review ModeDescription
noneThe default mode. Skips reviews and new Tasks are ready to run.
anyoneAnyone with access to the review message in Slack can review the Task. You can control who can review the Task by using a private Slack channel.
teamOnly people from specific teams can review the Tasks. Requires a list of team names in the reviewers option. At least one person from each team has to approve the Task.


A comma-separated list of names with the Teams that must review Tasks on this Target.


The name of the Slack channel to send review messages. Optional when review=none


If logs fields should be redacted.

all: All sensitive fields will be redacted (default if not provided).

none: No fields will be redacted.


If using runops runner, then a third party secret provider is required. AWS secrets manager, Hashicorp vault (databases and KV engines supported).)

awsIf using AWS secrets manager.
env-varIf using environment variables as secrets.
hashicorp/dbIf using hashicorp vault databases engine (dynamic secrets).
hashicorp/kvIf using hashicorp vault KV engine (static secrets).


The name or the path of the secret. For aws, the secret name. For hashicorp vault, the path, including the engine (i.e. '/v1/secret/foo' or '/databases/creds/my-postgres'). For env-var, the name of the variable.

--secret_path "my-secret"


Allow matching custom keys from any secret provider, when set it will add the custom key as the configuration key. The format is CONFIGURATION_KEY=YOUR_CUSTOM_KEY in a JSON format. The integration section contains which keys could be mapped.

--secret_mapping '{"PG_HOST": "PG_HOSTNAME", "PG_USER": "PG_USERNAME"}'

This mapping will use the value of keys PG_HOSTNAME and PG_USERNAME in a secret provider to connect to a postgres instance. In the abscence of a mapping it will use the default values, in this case: PG_PASS and PG_DB are required keys which needs to exist in the secret manager.


Tags are used to bind the runner to run only specific targets. Normally this is related to environments, such as 'dev' or 'prod', but can be any string.

--tags "prod"


Configs are mostly used for test credentials and hashicorp vault databases engines (since this engine does not return the HOST and the PORT of the DB, some extra config is required (JSON format)). For testing purposes, the config field can contain the full JSON configuration of a database (clear text, do not use for production).

--config '{"PG_HOST":"","PG_USER":"user", "PG_PASS":"pass", "PG_PORT":"5432"}'


Groups is a role based access control (RBAC) mechanism that allows admins to restrict runops users to access the targets. Groups is a comma separated string that defines all groups of the target, and only users whose groups match one of the target groups will be able to use it. Replaces the deprecated roles flag.

--groups "dev,support"

token [deprecated]#

The secret token used to setup self-hosted runners

runner_provider [deprecated]#

The entity responsible for executing the tasks.

runopsRunops runner (default). Faster and can run "on premise".
githubLegacy runner using github actions.

roles [deprecated - replaced by groups]#

Comma separated string with all roles for the target. Only users flagged with the same roles will be able to see and use the target.

--roles "dev,support"

secrets [deprecated]#

A list of key-value pairs with passwords and keys required to run tasks. The required secret names are defined on the type of Integration in the Target.

runner [deprecated]#

Where tasks will run.

runops-hosted: runners will access resources reachable from the internet, like AWS or GCP APIs. They require no additional setup.

self-hosted: require additional setup to reach resources running on private networks.