VS Code logo

Secrets Management for VS Code

Next to using SecretHub in the cloud for your production workloads, you can also use it during development on your local workstation.

If you do so, you and your team can keep the state of development secrets in sync, and avoid having local copies of these secrets. It can also help in keeping your dev environment closer to your prod environment.

This guide will show you how to inject secrets into your applications or tests, while you can still use the IDE’s app/test launch GUI elements you’re used to.

Before you begin

Before you start using SecretHub with VS Code, make sure you have completed the following steps:

  1. Set up SecretHub on your workstation.


The strategy is as follows: create a runner script for your language or framework that wraps the original command in secrethub run, and configure your settings.json to use this wrapped runner instead.

These runners are just simple shell scripts. You could create a directory for them, e.g. ~/.secrethub/runners, to keep things organized.

To change the behavior of secrethub run on a per application basis, you can set environment variables in your settings.json. A setting you’ll always want to set is SECRETHUB_RUN_ENV_FILE to ${workspaceFolder}/secrethub.env, which VS Code will substitute to your project’s secrethub.env file.

Every SecretHub flag can be configured through environment variables as well. To see what’s available, run:

secrethub printenv -v


For the Golang runner, you’ll probably want to wrap go run and go test. To do so, create the following script, e.g. at ~/.secrethub/runners/go:

if [ $# -ge 1 ] && ([ $1 = 'run' ] || [ $1 = 'test' ]); then
    secrethub run -- go $@
    go $@

To also be able to use the VS Code Debugger, you’ll need to create a runner for Delve as well, e.g. at ~/.secrethub/runners/dlv:

if [ $# -ge 1 ] && [ $1 = 'debug' ]; then
    secrethub run -- dlv $@
    dlv $@

Then, in your settings.json, update go.alternateTools to point to the new runners:

"go.alternateTools": {
    "go": "~/.secrethub/runners/go",
    "dlv": "~/.secrethub/runners/dlv"

Finally, tell the runner to use your project’s secrethub.env. For running tests, edit go.testEnvVars in your settings.json:

"go.testEnvVars": {
    "SECRETHUB_RUN_ENV_FILE": "${workspaceFolder}/secrethub.env"

For launch configurations, edit env in your launch.json:

"env": {
    "SECRETHUB_RUN_ENV_FILE": "${workspaceFolder}/secrethub.env"

More languages and frameworks coming soon…