
Ask HN: How do you manage env variables and secrets?

4 points| kulikalov | 6 years ago

Man, I'm tired of this topic. I have GitLab CI, local environments, keychain, KeePass, GCP, AWS and a whole bunch of other places where some of my env variables are stored. Furthermore, Expo apps, for example, can't pull .env files, so I have to write bash scripts to create js files. This hurts my brain.

I want to have a cozy place where I store all my variables and secrets safely per project per environment. I want to share it with my team, CI servers etc. I want to just specify a single key: the environment title. And all the variables should be pulled from somewhere. Is there such a tool anywhere on the internet???

4 comments

[+] bchelli|6 years ago|reply
Regarding Expo specifically:

>>> I have to write bash scripts to create js files. This hurts my brain.

There is an issue on Expo's GitHub about env management: https://github.com/expo/expo/issues/83

Now on a more general use case, I guess there are two types of applications:

- Client-side (like Expo): I would not store any "secret" for security purposes, just configuration. You seem to use JS for your client-side so use dotenv packages (https://www.npmjs.com/package/dotenv, https://www.npmjs.com/package/dotenv-webpack, etc...)

- Server-side: Depending on your environment, CI, hosting you might have a different solution, sadly not any one-fits-all solution to my knowledge. Heroku provides a pretty straightforward solution; on my production environment I use configuration management, Chef's Data Bag, but you could as well use a service discovery like Consul, Zookeeper, Etcd, etc...

I hope this is a bit helpful.
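An added example, not part of the thread or of any commenter's post: a build-time generator that turns a per-environment .env file into the JS config module a client app imports, keeping only allow-listed configuration keys and failing the build on secret-looking names. The key names, the allow-list and the sample .env contents are constructed for illustration.

```javascript
// Added example: build-time generator for a client-side config module.
// Key names, the allow-list and the sample .env below are constructed.

// Parse KEY=VALUE lines; skip blanks and comments; strip matching quotes.
function parseEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) throw new Error(`malformed line: ${raw}`);
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const q = val[0];
    if (val.length >= 2 && (q === '"' || q === "'") && val.endsWith(q)) {
      val = val.slice(1, -1);
    }
    out[key] = val;
  }
  return out;
}

// Names that suggest a credential; such keys must never reach the bundle.
const SECRET_HINT = /(SECRET|TOKEN|PASSWORD|PRIVATE|CREDENTIAL)/i;

// Keep only allow-listed keys; fail the build if one looks like a secret.
function clientConfig(env, allowList) {
  const cfg = {};
  for (const key of allowList) {
    if (SECRET_HINT.test(key)) throw new Error(`refusing secret-like key: ${key}`);
    if (!(key in env)) throw new Error(`missing key: ${key}`);
    cfg[key] = env[key];
  }
  return cfg;
}

// Emit the JS source that the app imports instead of reading .env.
function renderModule(cfg) {
  return `export default ${JSON.stringify(cfg, null, 2)};\n`;
}

// Constructed sample input for a "staging" environment.
const SAMPLE_ENV = `
# staging
API_URL="https://api.staging.example.com"
SENTRY_ENV=staging
DB_PASSWORD=not-a-real-password
`;

const ALLOW = ['API_URL', 'SENTRY_ENV'];
const moduleSource = renderModule(clientConfig(parseEnv(SAMPLE_ENV), ALLOW));
```

In a real build step the .env text would be read from disk and `moduleSource` written to a generated file that is excluded from version control.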

[+] sigmaprimus|6 years ago|reply
>>> "I have to write bash scripts to create js files. This hurts my brain."

Not sure what you can do about this part, maybe aspirin?

But if you're OK with storing the keys to your accounts with a third party and the risks that poses, maybe you could use something like git-secret?

https://git-secret.io