README
¶
GoDotEnvVault
Extends the proven & trusted foundation of
godotenv, with .env.vault file
support.
🌱 Install
go get github.com/dotenv-org/godotenvvault
🏗️ Usage
Add your application configuration to your .env file in the root of your project:
# .env
S3_BUCKET=YOURS3BUCKET
SECRET_KEY=YOURSECRETKEYGOESHERE
As early as possible in your application, import and configure godotenvvault:
package main
import (
"log"
"os"
"github.com/dotenv-org/godotenvvault"
)
func main() {
err := godotenvvault.Load()
if err != nil {
log.Fatal("Error loading .env file")
}
s3Bucket := os.Getenv("S3_BUCKET")
secretKey := os.Getenv("SECRET_KEY")
// now do something with s3 or whatever
}
That's it! os.Getenv has the keys and values you defined in your .env file. Continue using it this way in development. It works just like godotenv.
If you don't want godotenvvault to modify your program's environment
directly, you can just load and decrypt the .env.vault file and get
the result as a map by doing:
var myEnv map[string]string
myEnv, err := godotenvvault.Read()
s3Bucket := myEnv["S3_BUCKET"]
🚀 Deploying
Encrypt your environment settings by doing:
npx dotenv-vault local build
This will create an encrypted .env.vault file along with a
.env.keys file containing the encryption keys. Set the
DOTENV_KEY environment variable by copying and pasting
the key value from the .env.keys file onto your server
or cloud provider. For example in heroku:
heroku config:set DOTENV_KEY=<key string from .env.keys>
Commit your .env.vault file safely to code and deploy. Your .env.vault fill be decrypted on boot, its environment variables injected, and your app work as expected.
Note that when the DOTENV_KEY environment variable is set,
environment settings will always be loaded from the .env.vault
file in the project root. For development use, you can leave the
DOTENV_KEY environment variable unset and fall back on the
godotenv behaviour of loading from .env or a specified set of
files (see here in the gotodenv
README for the details).
🌴 Manage Multiple Environments
Create a .env.production file in the root of your project and put your production values there.
# .env.production
S3_BUCKET="PRODUCTION_S3BUCKET"
SECRET_KEY="PRODUCTION_SECRETKEYGOESHERE"
Rebuild your .env.vault file.
npx dotenv-vault local build
View your .env.keys file. There is a production DOTENV_KEY that coincides with the additional DOTENV_VAULT_PRODUCTION cipher in your .env.vault file.
Set the production DOTENV_KEY on your server, recommit your .env.vault file to code, and deploy. That's it! Your .env.vault fill be decrypted on boot, its production environment variables injected, and your app work as expected.
Want to additionally backup your .env files, maintain access controls, change history, and more? Check out the vault managed guide to multiple environments.
❓ FAQ
What happens if DOTENV_KEY is not set?
Dotenv Vault gracefully falls back to
godotenv when DOTENV_KEY is not
set. This is the default for development so that you can focus on
editing your .env file and save the build command until you are
ready to deploy those environment variables changes.
Should I commit my .env file?
No. We strongly recommend against committing your .env file to
version control. It should only include environment-specific values
such as database passwords or API keys. Your production database
should have a different password than your development database.
Should I commit my .env.vault file?
Yes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.
Can I share the DOTENV_KEY?
No. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.
Documentation
¶
Index ¶
- func Exec(filenames []string, cmd string, cmdArgs []string, overload bool) error
- func Load(filenames ...string) error
- func Marshal(envMap map[string]string) (string, error)
- func Overload(filenames ...string) error
- func Parse(r io.Reader) (map[string]string, error)
- func Read(filenames ...string) (map[string]string, error)
- func Unmarshal(str string) (envMap map[string]string, err error)
- func UnmarshalBytes(src []byte) (map[string]string, error)
- func Write(envMap map[string]string, filename string) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Exec ¶
Exec loads environment variabless from the specified filenames (empty map falls back to default .env.vault file) then executes the specified command.
This simply hooks os.Stdin/err/out up to the command and calls Run().
If you want more fine grained control over your command, it's recommended that you use `Load()`, `Overload()` or `Read()` and the `os/exec` package yourself.
func Load ¶
Load will read your encrypted env file(s) and load them into the environment for this process.
Call this function as close as possible to the start of your program (ideally in main).
If you call Load without any args it will default to loading .env.vault in the current path.
You can otherwise tell it which files to load (there can be more than one) like:
godotenvvault.Load("fileone", "filetwo")
It's important to note that it WILL NOT OVERRIDE an environment variable that already exists - consider the .env.vault file to set development variables or sensible defaults.
func Marshal ¶
Marshal outputs the given environment as a dotenv-formatted environment file. Each line is in the format: KEY="VALUE" where VALUE is backslash-escaped.
func Overload ¶
Overload will read your encrypted env file(s) and load them into the environment for this process.
Call this function as close as possible to the start of your program (ideally in main).
If you call Overload without any args it will default to loading .env.vault in the current path.
You can otherwise tell it which files to load (there can be more than one) like:
godotenvvault.Overload("fileone", "filetwo")
It's important to note this WILL OVERRIDE an environment variable that already exists - consider the .env.vault file to forcefully set all environment variables.
func Parse ¶
Parse reads an encrypted .env.vault files from an io.Reader, returning a map of keys and values.
func Read ¶
Read all encrypted environments (with the same file loading semantics as Load) but return values as a map rather than automatically writing values into the environment.
func Unmarshal ¶
Unmarshal reads an environment file from a string, returning a map of keys and values.
func UnmarshalBytes ¶
UnmarshalBytes parses an environment file from a byte slice of chars, returning a map of keys and values.
Types ¶
This section is empty.
Source Files
Directories