A Node.js CLI tool that retrieves secrets from vaults and injects them as environment variables into your running applications.
- 🔐 Retrieve secrets from AWS Secrets Manager
- 🌍 Inject secrets as environment variables
- 📁 Output secrets to file with secure permissions (0400)
- 🚀 Run any command with injected secrets
- 🔍 Debug logging support
- 📦 Works globally or project-specific
- 🛡️ Secure credential handling
- 🔄 JSON secret parsing
-
Install the tool:
npm install -g env-secrets
-
Run a command with secrets:
env-secrets aws -s my-secret-name -r us-east-1 -- echo "Hello, ${USER_NAME}!"
-
Run your application with secrets:
env-secrets aws -s my-app-secrets -r us-west-2 -- node app.js
-
Output secrets to a file:
env-secrets aws -s my-app-secrets -r us-west-2 -o secrets.env
- Node.js 18.0.0 or higher
- AWS CLI (for AWS Secrets Manager integration)
- AWS credentials configured (via AWS CLI, environment variables, or IAM roles)
npm install -g env-secretsnpm install env-secretsWhen using project-specific installation, run using npx:
npx env-secrets ...For detailed AWS setup instructions, see AWS Configuration Guide.
Retrieve secrets from AWS Secrets Manager and inject them as environment variables:
env-secrets aws -s <secret-name> -r <region> -p <profile> [-- <program-to-run>] [-o <output-file>]# Create a secret
aws secretsmanager create-secret \
--name my-app-secrets \
--secret-string '{"DATABASE_URL":"postgres://user:pass@localhost:5432/db","API_KEY":"abc123"}'
# Use the secret in your application
env-secrets aws -s my-app-secrets -r us-east-1 -- node app.js-s, --secret <secret-name>(required): The name of the secret in AWS Secrets Manager-r, --region <region>(optional): AWS region where the secret is stored. If not provided, usesAWS_DEFAULT_REGIONenvironment variable-p, --profile <profile>(optional): Local AWS profile to use. If not provided, usesAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables-o, --output <file>(optional): Output secrets to a file instead of injecting into environment variables. File will be created with 0400 permissions and will not overwrite existing files-- <program-to-run>: The program to run with the injected environment variables (only used when-ois not specified)
- Create a secret using AWS CLI:
Using a profile:
aws secretsmanager create-secret \
--region us-east-1 \
--profile testuser \
--name local/sample \
--description "local/sample secret" \
--secret-string "{\"user\":\"testuser\",\"password\":\"mypassword\"}"Using env vars
aws secretsmanager create-secret \
--region us-east-1 \
--name local/sample \
--description "local/sample secret" \
--secret-string "{\"user\":\"marka\",\"password\":\"mypassword\"}"- List the secret using AWS CLI:
Using a profile:
aws secretsmanager get-secret-value \
--region us-east-1 \
--profile marka \
--secret-id local/sample \
--query SecretStringUsing env vars:
aws secretsmanager get-secret-value \
--region us-east-1 \
--secret-id local/sample \
--query SecretString- Run a command with injected secrets:
Using a profile:
env-secrets aws -s local/sample -r us-east-1 -p marka -- echo \${user}/\${password}Using env vars:
env-secrets aws -s local/sample -r us-east-1 -- echo \${user}/\${password}- Run a Node.js application with secrets:
env-secrets aws -s my-app-secrets -r us-west-2 -- node app.js- Check environment variables:
env-secrets aws -s local/sample -r us-east-1 -p marka -- env | grep -E "(user|password)"- Use with Docker containers:
env-secrets aws -s docker-secrets -r us-east-1 -- docker run -e DATABASE_URL -e API_KEY my-app- Output secrets to a file:
# Output secrets to a file (file will have 0400 permissions)
env-secrets aws -s my-app-secrets -r us-east-1 -o secrets.env
# The file will contain export statements like:
# export DATABASE_URL=postgres://user:pass@localhost:5432/db
# export API_KEY=abc123- File output with profile:
env-secrets aws -s my-secret -r us-east-1 -p my-profile -o /tmp/secrets.env- File output prevents overwriting existing files:
# First run - creates the file
env-secrets aws -s my-secret -r us-east-1 -o secrets.env
# Second run - will fail with error message
env-secrets aws -s my-secret -r us-east-1 -o secrets.env
# Error: File secrets.env already exists and will not be overwritten- 🔐 Credential Management: The tool respects AWS credential precedence (environment variables, IAM roles, profiles)
- 🛡️ Secret Exposure: Secrets are only injected into the child process environment, not logged
- 🔒 Network Security: Uses AWS SDK's built-in security features for API calls
- 📝 Audit Trail: AWS CloudTrail logs all Secrets Manager API calls
- 🚫 No Persistence: Secrets are not stored locally or cached (unless using
-oflag) - 📁 File Security: When using
-oflag, files are created with 0400 permissions (read-only for owner) and existing files are never overwritten
-
"Unable to connect to AWS"
- Verify AWS credentials are configured correctly
- Check if the specified region is valid
- Ensure network connectivity to AWS services
-
"Secret not found"
- Verify the secret name exists in the specified region
- Check if you have permissions to access the secret
- Ensure the secret name is correct (case-sensitive)
-
"ConfigError"
- Verify AWS profile configuration in
~/.aws/credentials - Check if environment variables are set correctly
- Ensure IAM role permissions if using EC2/ECS
- Verify AWS profile configuration in
-
Environment variables not injected
- Verify the secret contains valid JSON
- Check if the secret is accessible
- Use debug mode to troubleshoot:
DEBUG=env-secrets env-secrets aws ...
Enable debug logging to troubleshoot issues:
# Debug main application
DEBUG=env-secrets env-secrets aws -s my-secret -r us-east-1 -- env
# Debug vault-specific operations
DEBUG=env-secrets,env-secrets:secretsmanager env-secrets aws -s my-secret -r us-east-1 -- envThe docs site (Docusaurus) lives under website/. Run it locally:
cd website
npm install
npm run startTo build static files:
npm run build
npm run serveThe site is configured for GitHub Pages at https://markcallen.github.io/env-secrets/
- Install Node.js using nvm (recommended):
nvm useOr use Node.js 24 (LTS) directly.
- Install dependencies:
npm install -g yarn
yarnnpx ts-node src/index.ts aws -s local/sample -r us-east-1 -p marka -- env
The application uses debug-js for logging. Enable debug logs by setting the DEBUG environment variable:
Debug just env-secrets
DEBUG=env-secrets npx ts-node src/index.ts aws -s local/sample -r us-east-1 -p marka -- envDebug env-secrets and the secretsmanager vault
DEBUG=env-secrets,env-secrets:secretsmanager npx ts-node src/index.ts aws -s local/sample -r us-east-1 -p marka -- env
For local development without AWS, you can use LocalStack to emulate AWS services.
- Install LocalStack:
If you've started a devcontainer then localstack is already installed and has access to your hosts docker.
For local development use docker compose.
For kubernetes you can install it via the helm chart:
helm repo add localstack-repo https://helm.localstack.cloud
helm upgrade --install localstack localstack-repo/localstack --namespace localstack --create-namespace
- Start LocalStack:
To use localstack from within a devcontainer run:
localstack start -d
For local development you can start it with docker compose.
docker compose up -d
- Configure AWS CLI for LocalStack:
Set up your AWS CLI to work with LocalStack by creating a profile:
aws configure --profile localstack
Use:
AWS Access Key ID [None]: test
AWS Secret Access Key [None]: test
Default region name [None]: us-east-1
Default output format [None]:
Then export the profile and the endpoint url:
export AWS_PROFILE=localstack
export AWS_ENDPOINT_URL=http://localhost:4566
To use the env vars set:
export AWS_ACCESS_KEY_ID=test
export AWS_SECRET_ACCESS_KEY=test
export AWS_DEFAULT_REGION=us-east-1
export AWS_ENDPOINT_URL=http://localhost:4566
for kubernetes the endpoint url is:
export AWS_ENDPOINT_URL=http://localstack.localstack:4566
- Using awslocal
awslocal secretsmanager create-secret \
--name local/sample \
--secret-string '{"username": "marka", "password": "mypassword"}'
awslocal secretsmanager list-secrets
awslocal secretsmanager get-secret-value \
--secret-id local/sample
Create a devpod using Kubernetes provider:
devpod up --id env-secretes-dev --provider kubernetes --ide cursor git@github.com:markcallen/env-secrets.gitThis project includes both unit tests and comprehensive end-to-end tests.
Run the unit test suite:
# Run all unit tests
npm run test:unit
# Run unit tests with coverage
npm run test:unit:coverageThe end-to-end tests use LocalStack to emulate AWS Secrets Manager and test the full CLI functionality.
-
Install awslocal (required for e2e tests):
# Using pip (recommended) pip install awscli-local # Or using npm npm install -g awscli-local
-
Start LocalStack:
docker-compose up -d localstack
-
Wait for LocalStack to be ready:
# Check LocalStack status docker-compose logs localstack # Test connectivity awslocal sts get-caller-identity
# Run all tests (unit + e2e)
npm test
# Run only end-to-end tests
npm run test:e2e
# Run e2e tests with coverage
npm run test:e2e:coverage
# Run specific e2e test
yarn build && npx jest --config jest.e2e.config.js __e2e__/index.test.ts -t "test name"The end-to-end test suite includes:
- CLI Help Commands: Tests for help, version, and general CLI functionality
- AWS Secrets Manager Integration: Tests for secret retrieval using different credential methods
- Output to File: Tests for writing secrets to files with proper permissions
- Program Execution: Tests for executing programs with injected environment variables
- Error Handling: Tests for various error scenarios and edge cases
- AWS Profile Support: Tests for both default and custom AWS profiles
- Region Support: Tests for different AWS regions
awslocal not found:
# Install awslocal
pip install awscli-local
# Verify installation
awslocal --versionLocalStack not responding:
# Check LocalStack status
docker-compose ps
# Restart LocalStack
docker-compose restart localstack
# Check logs
docker-compose logs localstackTests timing out:
- Ensure LocalStack is fully started before running tests
- Check that port 4566 is not blocked
- Verify Docker is running properly
The e2e tests use these environment variables:
LOCALSTACK_URL: LocalStack endpoint (default:http://localhost:4566)AWS_ACCESS_KEY_ID: AWS access key (default:test)AWS_SECRET_ACCESS_KEY: AWS secret key (default:test)AWS_DEFAULT_REGION: AWS region (default:us-east-1)DEBUG: Enable debug output (optional)
Note: The tests automatically clean up AWS environment variables (like AWS_PROFILE, AWS_SESSION_TOKEN, etc.) to ensure a clean test environment.
For more detailed information, see the E2E Test Documentation.
- Login to npm:
npm login- Dry run release:
npm run release -- patch --dry-run- Publish release:
npm run release -- patchWe welcome contributions! Please follow these steps:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes
- Add tests for new functionality
- Run the test suite (
npm test) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow the existing code style (ESLint + Prettier)
- Add tests for new functionality
- Update documentation for new features
- Ensure all tests pass before submitting
Distributed under the MIT License. See LICENSE for more information.
Mark C Allen - @markcallen
Project Link: https://github.com/markcallen/env-secrets
See GitHub Releases for a complete changelog.