Secrets Management for VS Code
In addition to using SecretHub in the cloud for your production workloads, you can also use it during development on your local workstation.
If you do so, you and your team can keep the state of development secrets in sync, and avoid having local copies of these secrets. It can also help in keeping your dev environment closer to your prod environment.
This guide will show you how to inject secrets into your applications or tests, while you can still use the IDE’s app/test launch GUI elements you’re used to.
Before you begin
Before you start using SecretHub with VS Code, make sure you have completed the following steps:
- Set up SecretHub on your workstation.
Runners
The strategy is as follows: create a runner script for your language or framework that wraps the original command in secrethub run, and configure your settings.json to use this wrapped runner instead.
These runners are just simple shell scripts.
You could create a directory for them, e.g. ~/.secrethub/runners, to keep things organized.
To change the behavior of secrethub run on a per-application basis, you can set environment variables in your settings.json.
A setting you’ll always want is SECRETHUB_RUN_ENV_FILE set to ${workspaceFolder}/secrethub.env, which VS Code resolves to your project’s secrethub.env file.
Every SecretHub flag can be configured through environment variables as well. To see what’s available, run:
secrethub printenv -v
Golang
For the Golang runner, you’ll probably want to wrap go run and go test.
To do so, create the following script, e.g. at ~/.secrethub/runners/go:
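#!/bin/bash
# Inject secrets only for "go run" and "go test"; pass everything else through.
# Quoting "$1" and "$@" keeps arguments that contain spaces intact.
if [ $# -ge 1 ] && { [ "$1" = 'run' ] || [ "$1" = 'test' ]; }; then
    secrethub run -- go "$@"
else
    go "$@"
fi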
To also be able to use the VS Code Debugger, you’ll need to create a runner for Delve as well, e.g. at ~/.secrethub/runners/dlv:
#!/bin/bash
# Inject secrets only for "dlv debug"; pass everything else through.
if [ $# -ge 1 ] && [ "$1" = 'debug' ]; then
    secrethub run -- dlv "$@"
else
    dlv "$@"
fi
Then, in your settings.json, update go.alternateTools to point to the new runners:
"go.alternateTools": {
    "go": "~/.secrethub/runners/go",
    "dlv": "~/.secrethub/runners/dlv"
}
Finally, tell the runner to use your project’s secrethub.env.
For running tests, edit go.testEnvVars in your settings.json:
"go.testEnvVars": {
    "SECRETHUB_RUN_ENV_FILE": "${workspaceFolder}/secrethub.env"
}
For launch configurations, edit env in your launch.json:
"env": {
    "SECRETHUB_RUN_ENV_FILE": "${workspaceFolder}/secrethub.env"
}
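An added example, not part of the SecretHub guide: the go and dlv runners above folded into one POSIX shell script that picks the tool from the name it is invoked under, so a single file can be symlinked as go and dlv in ~/.secrethub/runners. The file name wrap and the function names needs_secrets and run_tool are illustrative assumptions; only subcommands on the allow-list are started through secrethub run.

```shell
#!/bin/sh
# Added example: one runner for several tools. Save it once (file name is
# hypothetical, e.g. ~/.secrethub/runners/wrap) and symlink it as "go" and "dlv".

# needs_secrets TOOL SUBCOMMAND
# Succeeds only for the tool/subcommand pairs that should receive secrets.
needs_secrets() {
    case "$1:$2" in
        go:run | go:test | dlv:debug) return 0 ;;
        *) return 1 ;;
    esac
}

# run_tool TOOL [ARGS...]
# Runs TOOL through "secrethub run" when its subcommand is on the allow-list,
# otherwise runs it directly. "$@" keeps arguments with spaces intact.
run_tool() {
    tool=$1
    shift
    if needs_secrets "$tool" "${1-}"; then
        secrethub run -- "$tool" "$@"
    else
        "$tool" "$@"
    fi
}

# Dispatch on the name this script was invoked under (the symlink name).
# Any other name does nothing, so the file can also be sourced for its functions.
self=$(basename -- "$0")
case "$self" in
    go | dlv) run_tool "$self" "$@" ;;
esac
```

Keep the runners directory off your PATH: the script finds the real go and dlv through PATH, and a runner that resolves to itself would loop.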