Pass secrets as environment variables

Many applications that follow the popular 12-Factor App guidelines source their secrets from the environment and those secrets need to be managed too.

That’s where the run command comes in. It runs a program and passes it environment variables defined with the --envar or --template flags. Anything after the double dashes -- is passed on to the command you want to run.

Run the following command to inject a secret into the HELLO environment variable and run the printenv process:

secrethub run --envar HELLO=your-username/start/hello-world -- printenv

As you can see, the printed output contains the injected environment variable HELLO=Hello World.

See the reference docs for the run command for more detailed examples.

A note on security

There are common security concerns surrounding storing secrets as environment variables:

  • Controlling and tracking which process has access to which environment variables requires explicit commands and is often overlooked. This can make environment variables available to processes that should not have access to them.
  • Many processes take the whole environment and print it or include it in error reporting, exposing any secrets stored in environment variables.

That’s why the run command explicitly limits which secrets are accessible to the child process: only the secrets you name with --envar or --template are resolved, and they are placed in that child’s environment rather than exported shell-wide. This also removes the need to set shell-wide secret environment variables.
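To make the scoping concrete, here is an added shell example (not SecretHub’s own code) that mimics the shape of `secrethub run --envar NAME=path -- cmd` described above: the secret store is a constructed stand-in, the secret is resolved inside a subshell, and only the named variable reaches the child process, so nothing lands in the caller’s shell.

```shell
#!/bin/sh
# Added example, not SecretHub's implementation: a stand-in for
# `secrethub run --envar` that scopes a secret to one child process only.

# Constructed stand-in for the secret store: maps a secret path to a value.
lookup_secret() {
  case "$1" in
    your-username/start/hello-world) printf '%s' 'Hello World' ;;
    your-username/start/db-password) printf '%s' 'constructed-db-pass' ;;
    *) printf 'secret not found: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Usage: run_with_envars --envar NAME=path [--envar NAME=path ...] -- cmd [args]
# The body is a subshell, so variables resolved here never leak to the caller.
run_with_envars() (
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --envar)
        spec=$2; shift 2
        name=${spec%%=*}
        path=${spec#*=}
        value=$(lookup_secret "$path") || return 1
        # Exported only inside this subshell: the child inherits it, the caller does not.
        export "$name=$value"
        ;;
      --) shift; break ;;
      *) printf 'unexpected argument: %s\n' "$1" >&2; return 2 ;;
    esac
  done
  [ "$#" -gt 0 ] || { printf 'no command given after --\n' >&2; return 2; }
  exec "$@"
)
```

A secret that is not named with --envar is never resolved, so a child that dumps its whole environment (as printenv does) can only reveal what was explicitly handed to it.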

You can read more on the pitfalls of exposing secrets as environment variables in this article by Michael Reinsch.

➡️ Next, let’s move on to monitoring how secrets are used and abused.