Pass secrets as environment variables

Many applications that follow the popular 12-Factor App guidelines source their secrets from the environment and those secrets need to be managed too.

That’s where the run command comes in. The run command runs a program and passes environment variables to it as defined in an Environment File with the .env extension.

For example, the following file can be used to inject your database credentials into a server application:

$ cat secrethub.env
# Static values
DB_HOST     = localhost
# Secrets
DB_USER     = {{ $username/start/db_user }}
DB_PASSWORD = {{ $username/start/db_password }}

Just like before, everything between {{ and }} is treated as a path to a secret. Also, all variables (starting with a $) are replaced by their values as specified with --var name=value flags.

In this example we use a variable for your username, but variables are also really useful to distinguish between different environments, for example by using --var env=prd.

To demonstrate the result, we will use this Environment File to run the printenv command. Because we use secrethub.env as the filename, it will automatically be detected by the CLI, so we can just run:

$ secrethub run --var username=<your-username> --no-masking -- printenv
[...]
DB_HOST=localhost:5432
DB_USER=example_db_user
DB_PASSWORD=example_password123
[...]

As you can see, the printed output contains the specified environment variables.

By default, all secret values get filtered from output on stdout and stderr. For this tutorial we use --no-masking to inspect the output. In production this would look like DB_PASSWORD=<redacted by SecretHub>.
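To make the two mechanisms described above concrete (template rendering of the Environment File with `$var` substitution and `{{ path }}` secret references, and masking of secret values in a child process's output), here is a small added example in Python. It is not SecretHub's own code and does not talk to SecretHub; the Environment File text, the `FAKE_SECRET_STORE` dictionary and the `alice` username are constructed stand-ins, and the `<redacted by SecretHub>` placeholder simply mirrors the text above.

```python
import os
import re
import subprocess
import sys

# Constructed sample Environment File, in the same style as secrethub.env above.
ENV_FILE = """\
# Static values
DB_HOST     = localhost
# Secrets
DB_USER     = {{ $username/start/db_user }}
DB_PASSWORD = {{ $username/start/db_password }}
"""

# Constructed stand-in for a secret store, keyed by secret path (hypothetical values).
FAKE_SECRET_STORE = {
    "alice/start/db_user": "example_db_user",
    "alice/start/db_password": "example_password123",
}

_SECRET_REF = re.compile(r"\{\{\s*(.*?)\s*\}\}")          # {{ path/to/secret }}
_VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")       # $name


def substitute_vars(text, variables):
    """Replace every $name with the value given via --var name=value; fail on unknown names."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable: ${name}")
        return variables[name]
    return _VAR_REF.sub(repl, text)


def render_env_file(contents, variables, secret_store):
    """Parse KEY = VALUE lines, substitute variables first, then resolve secret references.

    Returns the environment mapping and the list of secret values that were injected,
    so the caller can mask them later.
    """
    env = {}
    secret_values = []
    for lineno, raw in enumerate(contents.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                     # blank lines and comments
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY = VALUE")
        key, value = (part.strip() for part in line.split("=", 1))
        value = substitute_vars(value, variables)        # $username -> alice

        def resolve(match):
            path = match.group(1)
            if path not in secret_store:
                raise KeyError(f"line {lineno}: unknown secret path {path}")
            secret = secret_store[path]
            secret_values.append(secret)
            return secret

        env[key] = _SECRET_REF.sub(resolve, value)       # {{ alice/start/db_user }} -> value
    return env, secret_values


def mask_output(text, secret_values, placeholder="<redacted by SecretHub>"):
    """Replace every injected secret value in text; longest first so prefixes leave no residue."""
    for secret in sorted(set(secret_values), key=len, reverse=True):
        if secret:
            text = text.replace(secret, placeholder)
    return text


def run_with_env(cmd, env, secret_values, masking=True):
    """Run cmd with the rendered variables added to the inherited environment; mask stdout by default."""
    proc = subprocess.run(cmd, env={**os.environ, **env}, capture_output=True, text=True)
    return mask_output(proc.stdout, secret_values) if masking else proc.stdout


def demo_command():
    """A cross-platform stand-in for printenv: a child Python that prints one variable."""
    return [sys.executable, "-c", "import os; print(os.environ['DB_PASSWORD'])"]


if __name__ == "__main__":
    rendered, secrets = render_env_file(ENV_FILE, {"username": "alice"}, FAKE_SECRET_STORE)
    print(run_with_env(demo_command(), rendered, secrets))                 # masked
    print(run_with_env(demo_command(), rendered, secrets, masking=False))  # --no-masking
```

Variables are substituted before secret references are resolved, which is what lets a single template serve several accounts or environments (`--var env=prd`). Masking works on the child's captured output rather than on its environment, so the secret is still available to the program while anything it echoes is redacted.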

See the reference docs for the run command for more detailed examples and explanation of the Environment File syntax.