Pass secrets as environment variables
Many applications that follow the popular 12-Factor App guidelines source their secrets from the environment and those secrets need to be managed too.
That's where the `run` command comes in.

The `run` command runs a program and passes environment variables to it that are defined with the `--envar` flag. Anything that goes after the double dashes `--` is passed on to the command you want to run.

Run the following command to inject a secret into the `HELLO` environment variable and run `printenv`:

```shell
secrethub run --envar HELLO=your-username/start/hello-world -- printenv
```

As you can see, the printed output contains the injected environment variable `HELLO`.

See the reference docs for the `run` command for more detailed examples.
A note on security
There are common security concerns surrounding storing secrets as environment variables:
- Controlling and tracking which process has access to which environment variables requires explicit commands and is often overlooked. This can make environment variables available to processes that should not have access to them.
- Many processes take the whole environment and print it or include it in error reporting, exposing any secrets stored in environment variables.
That's why the `run` command explicitly limits which secrets are accessible to the child process. This also removes the need for setting shell-wide secret environment variables.
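The difference between a shell-wide export and a per-process injection is easy to see with plain `env(1)`. The script below is an added illustration, not SecretHub's own code: a constructed sample value stands in for the secret that `secrethub run --envar` would read from the vault, and the `run_scoped`, `unrelated_child_sees` and `error_report_exposures` helpers are hypothetical names chosen for this example.

```shell
# Added example, not SecretHub's own code. It uses plain env(1) to contrast
# a shell-wide exported secret with a secret handed to a single child process,
# which is the distinction the note above draws. "secrethub run --envar" does
# the per-process injection from the vault; here a constructed sample value
# stands in for the secret.
SAMPLE_SECRET='s3cr3t-sample'   # constructed sample, not a real credential

# Shell-wide approach: every process started from this shell afterwards
# inherits DB_PASSWORD, whether it needs it or not.
export_shellwide() {
  export DB_PASSWORD="$SAMPLE_SECRET"
}

# Scoped approach: the variable exists only in the environment of the one
# command given as arguments; the calling shell never has it set.
# usage: run_scoped VAR_NAME command [args...]
run_scoped() {
  _name=$1
  shift
  env "$_name=$SAMPLE_SECRET" "$@"
}

# Simulates an unrelated child process (a build step, a log shipper, ...)
# checking whether the secret reached it. Prints "leaked" or "clean".
unrelated_child_sees() {
  if [ -n "$(sh -c 'printf %s "${DB_PASSWORD:-}"')" ]; then
    printf leaked
  else
    printf clean
  fi
}

# Simulates a crash handler that dumps the whole environment into a report
# (the second concern above). Prints how many lines of that dump would
# contain the secret: 0 means nothing is exposed.
error_report_exposures() {
  env | grep -c "^DB_PASSWORD=" || true
}

# Walks through both approaches; call "demo" to see the output.
demo() {
  printf 'before anything:   unrelated child: %s, exposures in env dump: %s\n' \
    "$(unrelated_child_sees)" "$(error_report_exposures)"
  printf 'scoped child sees: %s\n' \
    "$(run_scoped DB_PASSWORD sh -c 'printf %s "$DB_PASSWORD"')"
  printf 'after scoped run:  unrelated child: %s, exposures in env dump: %s\n' \
    "$(unrelated_child_sees)" "$(error_report_exposures)"
  export_shellwide
  printf 'after export:      unrelated child: %s, exposures in env dump: %s\n' \
    "$(unrelated_child_sees)" "$(error_report_exposures)"
}
```

The scoped child reads the secret, yet an unrelated child started afterwards stays clean and an environment dump contains nothing, because the variable never entered the calling shell. Once the secret is exported shell-wide, both the unrelated child and the simulated error report see it, which is exactly the exposure the two concerns above describe.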
You can read more on the pitfalls of exposing secrets as environment variables in this article by Michael Reinsch.