env-vault provides a convenient way to launch a program with environment variables populated from an encrypted file. Inspired by ansible-vault and envconsul.
Download and install using go get:
go get -u github.com/romantomjak/env-vault
or grab a binary from releases section!
env-vault allows to do pretty cool stuff like injecting secrets into docker-compose files, but in general use it like so:
env-vault <vault> <program>
The <program>
argument is the executable that will be launched with environment variables from the encrypted file pointed to by <vault>
argument.
env-vault takes advantage of a POSIX standard that uses --
to signify the end of command line options. Meaning that everything after that can get passed on to a sub-command. Use this one one weird trick to pass arguments to programs:
env-vault <vault> <program> -- <program-arg1> <program-arg2> <...>
This section describes how to use env-vault to safely store secrets and then pass them on to docker-compose.
Please note the POSTGRES_PASSWORD
field that is set only as a key. This tells docker-compose to resolve the value on the machine on which the compose is running on.
services:
db:
image: postgres:13-alpine
environment:
- POSTGRES_USER=myproject
- POSTGRES_PASSWORD
This is an encrypted file created with env-vault. Vaults are created with the create
sub-command and can be viewed using the view
sub-command. Let's create a vault named prod.env
to hold our production secrets:
env-vault create prod.env
Running the command above will prompt for a new password and then open your favorite $EDITOR
to input the environment variables. Let's add the POSTGRES_PASSWORD
secret now:
POSTGRES_PASSWORD=passwordformyproject
Save the file and close your editor. env-vault will encrypt the plain text using AES256-GCM symmetrical encryption.
env-vault takes advantage of a POSIX standard that uses --
to signify the end of command line options. Meaning that everything after that can get passed on to a sub-command. Let's see how we can use that to decrypt secrets for docker-compose:
env-vault prod.env docker-compose -- up -d
It looks somewhat mad, but essentially env-vault will decrypt prod.env
and expose found environment variables to
docker-compose
. The command would otherwise look like so:
docker-compose up -d
Now lets inspect the container to see that the POSTGRES_PASSWORD
environment variable was successfully injected:
$ docker-compose exec db env | grep POSTGRES_PASSWORD
POSTGRES_PASSWORD=passwordformyproject
Wooo!!! 🚀
You can further ease the workflow by setting the ENV_VAULT_PASSWORD
environment variable. env-vault will use it to decrypt vaults automatically and you won't get prompted for a password any time you interact with env-vault.
export ENV_VAULT_PASSWORD=somepassword
This works exceptionally well when docker-compose is used with Makefiles:
up:
env-vault prod.env docker-compose -- up -d
so now you can run:
make up
and env-vault will take it from there to make it work automagically! ✨
You can contribute in many ways and not just by changing the code! If you have any ideas, just open an issue and tell me what you think.
Contributing code-wise - please fork the repository and submit a pull request.
MIT