env-vault provides a convenient way to launch a program with environment variables populated from an encrypted file. Inspired by ansible-vault and envconsul.
Download and install the latest version using go install:
go install github.com/romantomjak/env-vault@latest
or grab a binary from the releases section!
env-vault lets you do pretty cool stuff like injecting secrets into docker-compose files, but in general you use it like so:
env-vault <vault> <program>
The <program> argument is the executable that will be launched with environment variables from the encrypted file pointed to by the <vault> argument.
env-vault takes advantage of a POSIX standard that uses -- to signify the end of command line options, meaning that everything after it can get passed on to a sub-command. Use this one weird trick to pass arguments to programs:
env-vault <vault> <program> -- <program-arg1> <program-arg2> <...>
This section describes how to use env-vault to safely store secrets and then pass them on to docker-compose.
Please note the POSTGRES_PASSWORD field that is set only as a key. This tells docker-compose to resolve the value on the machine on which compose is running.
services:
  db:
    image: postgres:13-alpine
    environment:
      - POSTGRES_USER=myproject
      - POSTGRES_PASSWORD
A vault is an encrypted file created with env-vault. Vaults are created with the create sub-command and can be viewed using the view sub-command. Let's create a vault named prod.env to hold our production secrets:
env-vault create prod.env
Running the command above will prompt for a new password and then open your favorite $EDITOR to input the environment variables. Let's add the POSTGRES_PASSWORD secret now:
POSTGRES_PASSWORD=passwordformyproject
Save the file and close your editor. env-vault will encrypt the plain text using AES256-GCM symmetric encryption.
env-vault takes advantage of a POSIX standard that uses -- to signify the end of command line options, meaning that everything after it can get passed on to a sub-command. Let's see how we can use that to decrypt secrets for docker-compose:
env-vault prod.env docker-compose -- up -d
It looks somewhat mad, but essentially env-vault will decrypt prod.env and expose the environment variables it finds to docker-compose. The command would otherwise look like so:
docker-compose up -d
Now let's inspect the container to see that the POSTGRES_PASSWORD environment variable was successfully injected:
$ docker-compose exec db env | grep POSTGRES_PASSWORD
POSTGRES_PASSWORD=passwordformyproject
Wooo!!! 🚀
You can further ease the workflow by setting the ENV_VAULT_PASSWORD environment variable. env-vault will use it to decrypt vaults automatically and you won't get prompted for a password any time you interact with env-vault.
export ENV_VAULT_PASSWORD=somepassword
This works exceptionally well when docker-compose is used with Makefiles:
up:
	env-vault prod.env docker-compose -- up -d
so now you can run:
make up
and env-vault will take it from there to make it work automagically! ✨
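The launch step behind `env-vault <vault> <program> -- <args>` and the exported ENV_VAULT_PASSWORD, as an added Go sketch that is not env-vault's own code. The name buildCmd is hypothetical, decryption is omitted, and both the override order and the removal of ENV_VAULT_PASSWORD from the child's environment are choices of this sketch; the page does not say how env-vault itself handles either.

```go
// Added sketch, not env-vault's source: the launch step only (decryption omitted).
package main

import (
	"errors"
	"os"
	"os/exec"
	"strings"
)

// buildCmd mirrors `env-vault <vault> <program> -- <args...>`: args is everything
// after <vault>; plain is the already-decrypted vault text (KEY=VALUE lines).
func buildCmd(args []string, plain string, parent []string) (*exec.Cmd, error) {
	if len(args) == 0 || args[0] == "--" {
		return nil, errors.New("missing <program>")
	}
	progArgs := args[1:]
	if len(progArgs) > 0 && progArgs[0] == "--" {
		progArgs = progArgs[1:] // drop the end-of-options marker itself
	}
	cmd := exec.Command(args[0], progArgs...)
	cmd.Env = make([]string, 0, len(parent)) // non-nil: nothing is inherited implicitly
	for _, kv := range parent {
		// Hardening choice of this sketch: keep the vault password away from the child.
		if !strings.HasPrefix(kv, "ENV_VAULT_PASSWORD=") {
			cmd.Env = append(cmd.Env, kv)
		}
	}
	// Secrets travel in the environment, never in argv. os/exec keeps the last
	// duplicate key, so here a vault value overrides an inherited one.
	for _, line := range strings.Split(plain, "\n") {
		line = strings.TrimSpace(line)
		if k, _, ok := strings.Cut(line, "="); ok && k != "" {
			cmd.Env = append(cmd.Env, line)
		}
	}
	return cmd, nil
}

func main() {
	// Constructed sample: the page's vault line, with `env` standing in for docker-compose.
	cmd, err := buildCmd([]string{"env"}, "POSTGRES_PASSWORD=passwordformyproject\n", os.Environ())
	if err != nil {
		os.Exit(1)
	}
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		os.Exit(1)
	}
}
```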
You can contribute in many ways and not just by changing the code! If you have any ideas, just open an issue and tell me what you think.
Contributing code-wise - please fork the repository and submit a pull request.
MIT