A command-line tool that fetches secrets from secret management services (such as Google Cloud Secret Manager, AWS Secrets Manager) and executes commands with those secrets as environment variables.
secretenv retrieves secrets stored in dotenv (.env) format from secret management services and runs specified commands with those secrets as environment variables.
This enables secure secret management following the 12 Factor App methodology without changing your existing dotenv-based configuration.
- Secure Secret Management: Retrieve secrets from centralized secret management services instead of storing them in files
- Simple Integration: Works as a wrapper command like `godotenv`, easily integrated into existing applications
- Multiple Provider Support: Extensible architecture supporting various secret management services

```bash
CGO_ENABLED=0 go install github.com/hakadoriya/secretenv/cmd/secretenv@latest
```

Run the following command to install the latest binary to /usr/local/bin.

```bash
INSTALL_DIR=/usr/local/bin
VERSION=$(curl -w '%header{location}' -o /dev/null -RSs https://github.com/hakadoriya/secretenv/releases/latest | grep -o "[^/]*$")
curl -LR https://github.com/hakadoriya/secretenv/releases/download/${VERSION}/secretenv_${VERSION}_$(uname -s)_$(uname -m).tar.gz | (cd ${INSTALL_DIR} && sudo tar -xf - secretenv)
```

Alternatively, download the latest binary from the Releases page.

```bash
secretenv --provider <provider> --secret <secret-name> -- <command> [args...]
```

Or using environment variables:

```bash
export SECRETENV_PROVIDER=<provider>
export SECRETENV_SECRET=<secret-name>
secretenv -- <command> [args...]
```

| Option | Environment Variable | Description | Required |
|---|---|---|---|
| `--provider` | `SECRETENV_PROVIDER` | Secret management service provider (e.g., `aws`) | Yes |
| `--secret` | `SECRETENV_SECRET` | Secret name containing the .env file | Yes |
| `--secret-version` | `SECRETENV_SECRET_VERSION` | Secret version to retrieve (default: provider-specific latest version) | No |

```bash
# Using command-line options
secretenv --provider aws --secret my-app-secrets -- ./myapp

# Using environment variables
export SECRETENV_PROVIDER=aws
export SECRETENV_SECRET=my-app-secrets
secretenv -- ./myapp arg1 arg2

# Specifying a version
secretenv --provider aws --secret my-app-secrets --secret-version AWSCURRENT -- ./myapp
```

```dockerfile
FROM alpine:latest

# Install secretenv
COPY secretenv /usr/local/bin/secretenv

# Set environment variables
ENV SECRETENV_PROVIDER=aws
ENV SECRETENV_SECRET=my-app-secrets

# Run application with secretenv
ENTRYPOINT ["secretenv", "--"]
CMD ["./myapp"]
```

Prerequisites (`aws` provider):
- AWS credentials configured (via environment variables, IAM role, or AWS credentials file)
- Appropriate IAM permissions to access Secrets Manager

Default Version:
- If `--secret-version` is not specified, `AWSCURRENT` is used

Example:

```bash
aws login
secretenv --provider aws --secret my-app-secrets -- ./myapp
```

Prerequisites (`gcloud` provider):
- Google Cloud SDK installed and authenticated or using service account credentials
- Appropriate IAM permissions to access Secret Manager

Default Version:
- If `--secret-version` is not specified, `latest` is used

Example:

```bash
gcloud auth application-default login
secretenv --provider gcloud --secret my-app-secrets -- ./myapp
```

Prerequisites (`1password` provider):
- 1Password Service Account Token
- Environment variable `OP_SERVICE_ACCOUNT_TOKEN` is set

Default Version:
- 1Password does not have a version concept, so the `--secret-version` option is ignored.

Example:

```bash
export OP_SERVICE_ACCOUNT_TOKEN=****
secretenv --provider 1password --secret "op://vault/item/field" -- ./myapp
```

Prerequisites (`shell` provider):
- Shell command to execute

Default Version:
- Shell does not have a version concept, so the `--secret-version` option is ignored.

Example:

```bash
secretenv --provider shell --secret "op read op://vault/item/field" -- ./myapp
```

The secret value should be stored in .env format.

```dotenv
# Database Configuration
DB_HOST=localhost
DB_PORT=5432
DB_NAME=myapp
DB_USER=admin
DB_PASSWORD="p@ssw0rd"

# API Keys
API_KEY=abc123xyz
SECRET_TOKEN='secret-token-value'

# Feature Flags
FEATURE_X_ENABLED=true
```

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
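
How a `.env` payload like the sample above maps to the environment entries handed to the wrapped command, as an added Go example that is not secretenv's own code. `ParseDotenv`, `keyRe` and `samplePayload` are hypothetical names, and the key-name and quoting rules are assumed simplifications; secretenv's actual parser may differ.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// keyRe is an assumed rule for valid variable names (POSIX-style identifiers).
var keyRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ParseDotenv turns a .env payload into KEY=value entries (the form exec.Cmd.Env takes), failing closed on bad input.
func ParseDotenv(payload string) ([]string, error) {
	var env []string
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(payload))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or comment
		}
		key, val, ok := strings.Cut(line, "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if !ok || !keyRe.MatchString(key) {
			// Report the line number only, never the content: it may hold a secret.
			return nil, fmt.Errorf("line %d: not a valid KEY=value entry", n)
		}
		if seen[key] {
			return nil, fmt.Errorf("line %d: duplicate key %s", n, key)
		}
		seen[key] = true
		// Strip one pair of matching single or double quotes; escapes are not handled.
		if len(val) >= 2 && (val[0] == '"' || val[0] == '\'') && val[len(val)-1] == val[0] {
			val = val[1 : len(val)-1]
		}
		env = append(env, key+"="+val)
	}
	return env, sc.Err()
}

// samplePayload is constructed from the .env sample shown on this page.
const samplePayload = "# Database Configuration\nDB_HOST=localhost\nDB_PASSWORD=\"p@ssw0rd\"\n# API Keys\nSECRET_TOKEN='secret-token-value'\nFEATURE_X_ENABLED=true\n"

func main() {
	env, err := ParseDotenv(samplePayload)
	fmt.Println(len(env), "variables parsed, error:", err) // values deliberately not printed
}
```

Rejecting duplicate keys and malformed lines before launch keeps a mis-edited secret from silently starting the application with a partial or ambiguous environment.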