But everyone uses secret storage providers, e.g. shared password vaults, cloud secrets, etc., so why not leverage those as URIs in a JSON file that can be checked in to source control? I want something simple that would just generate the darn .env file with the secrets, and log me in the process if need be.
Something like:
{
  "SECRET_ENV_VALUE": "op://application-secrets/test/test-section",
  "SECRET_ENV_VALUE2": "gcsm://projects/1234567890/secrets/SOME_KEY/versions/latest"
}
Surprisingly I wasn't able to find anything exactly like this (most seem to want to sell me something centralised on their servers instead), so I made it. It's still quite early but I've made providers for:
- 1password (via CLI)
- AWS Secret Manager (via nodejs)
- Azure Key Vault (via nodejs)
- Bitwarden (via CLI)
- Doppler (via CLI)
- Github Secrets (via CLI)
- Google Cloud Secret Manager (via nodejs)
- Hashicorp Vault (via nodejs)
- Infisical (via CLI)
- KeePass (via CLI)
- LastPass (via CLI)
It can handle binary data from the providers that can store some, encoding it as base64 in the .env file. It tries to be nice to JSON as well.
Some (read most) of these need help testing out, so if you're interested feel free to come in to kick the tires and raise issues :)
The providers will try to log you in (or guide you through the process) if you are not, so any help making that even nicer is appreciated!