Inject secrets into config files

Secrets are often a small part of a bigger configuration file that an application consumes on startup. To avoid having your secrets spread throughout all of your config files, you can turn those files into templates instead and let SecretHub inject the secrets into them on the fly:

$ cat example.config.tpl
db_host: localhost
db_user: {{ your-username/start/db_user:latest }}
db_password: {{ your-username/start/db_password:latest }}

Secrets are defined by placing their path between the {{ and }} delimiters. The convention is to add a .tpl suffix to the template, e.g. example.config.tpl.

Before you can inject the secrets into the template, make sure you add the db_user and db_password secrets to your repo:

echo "example_db_user" | secrethub write your-username/start/db_user
echo "example_password123" | secrethub write your-username/start/db_password

Now you can use the inject command to inject the secrets on the fly. It prints the injected template to stdout:

cat example.config.tpl | secrethub inject

There you go! You now have a config with the secrets injected that you can use to run your app:

db_host: localhost
db_user: example_db_user
db_password: example_password123

As you can see, your config template is free of secrets. It can safely be checked into source control and shared with team members.
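One way to check that a template really is free of secrets before committing it, as an added example that is not part of the SecretHub documentation or tooling. It assumes "key: value" lines like example.config.tpl, and the function names and the SENSITIVE_KEYS pattern are hypothetical choices for illustration:

```shell
#!/usr/bin/env bash
# Added example: audit a {{ path }} template before it goes into source control.
# Assumption: keys matching SENSITIVE_KEYS are expected to hold secrets.
SENSITIVE_KEYS='pass|secret|token|key|user'

# Print every secret path referenced between {{ and }}, one per line, de-duplicated.
list_secret_refs() {
  grep -o '{{[^}]*}}' "$1" |
    sed -e 's/^{{[[:space:]]*//' -e 's/[[:space:]]*}}$//' | sort -u
}

# Print "line N: key" for each sensitive-looking key whose value is a literal
# rather than a {{ path }} reference. Exit status is 1 if any were found.
find_literal_secrets() {
  awk -v pat="$SENSITIVE_KEYS" '
    /^[ \t]*#/ { next }                      # skip comment lines
    {
      i = index($0, ":"); if (i == 0) next   # not a "key: value" line
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      is_ref = (substr(val, 1, 2) == "{{" && substr(val, length(val) - 1) == "}}")
      if (tolower(key) ~ pat && val != "" && !is_ref) {
        printf "line %d: %s\n", NR, key
        bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample input: the template from this page, plus a copy in which
# someone pasted the password literal back in.
demo_dir=$(mktemp -d)
printf '%s\n' 'db_host: localhost' \
  'db_user: {{ your-username/start/db_user:latest }}' \
  'db_password: {{ your-username/start/db_password:latest }}' > "$demo_dir/good.tpl"
sed 's/^db_password:.*/db_password: example_password123/' \
  "$demo_dir/good.tpl" > "$demo_dir/bad.tpl"

echo "secrets referenced by good.tpl:"
list_secret_refs "$demo_dir/good.tpl"
find_literal_secrets "$demo_dir/good.tpl" && echo "good.tpl: no literal secrets"
find_literal_secrets "$demo_dir/bad.tpl" || echo "bad.tpl: literal secret, do not commit"
```

The key-name match is a heuristic, so a clean result means no obviously sensitive key carries a literal value, not that the file has been proven secret-free.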