envy

envy is a command-line application for fetching shared environment variables.

Values are stored securely in AWS Parameter Store, and can be saved to a local .env file or directly sourced into your shell.

Installation

Releases are published on Github.

with Homebrew 🍺

A Homebrew cask is available at haines/tap.

$ brew cask install haines/tap/envy

with Docker 🐳

Docker images are tagged with release versions. The latest tag follows the master branch.

$ docker pull ahaines/envy:$version

manually 🔧

envy is distributed as a static binary, so installation just requires it to be downloaded from the releases page, then made executable:

$ curl -L $url -o /usr/local/bin/envy
$ chmod +x /usr/local/bin/envy

Binaries can be verified by running

$ gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6E225DD62262D98AAC77F9CDB16A6F178227A23E
gpg: key B16A6F178227A23E: public key "Andrew Haines <andrew@haines.org.nz>" imported

$ curl -fsSL "${url}.asc" | gpg --verify - /usr/local/bin/envy
gpg: Signature made Tue Apr 10 11:18:05 2018 UTC
gpg:                using RSA key 6E225DD62262D98AAC77F9CDB16A6F178227A23E
gpg: Good signature from "Andrew Haines <andrew@haines.org.nz>" [unknown]

Usage

$ envy --input /path/to/template --output /path/to/result

To see details of all the command-line options, run

$ envy --help

Templates

The input template file is a Go text template, which has access to the following functions in interpolations:

• param "path" "to" "value" - fetches a value from AWS Parameter Store
• quote "value" - wraps a value in single quotes, escaping embedded single quotes with '\'' (closing the string, concatenating a literal ', and re-opening the string)
• var "name" - fetches a value supplied with --var name=value at the command line

For example,

export FOO={{ param "secrets" "foo" | quote }}

would render as

export FOO='bar'

if the value bar was stored in Parameter Store under the key /secrets/foo.

File permissions

When writing to a file, envy ensures that the file's permissions are 600 (only accessible by its owner). To customize the permissions, use e.g. --chmod 640. To leave the permissions alone, use --no-chmod.

Sourcing output directly

envy reads from stdin and writes to stdout by default, so you can source things directly into your shell (assuming you trust the origin of the template!):

# Bash 4, Zsh
$ source <(envy --input /path/to/template)

# Bash 3
$ source /dev/stdin <<<"$(envy --input /path/to/template)"

Authenticating with AWS

with environment variables

Credentials are taken from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, if set.

with a shared credentials file

If the access key environment variables aren't set, envy can use a shared credentials file, just like the aws command-line interface.

If the file is not located at the default path (~/.aws/credentials), its location can be specified with the AWS_SHARED_CREDENTIALS_FILE environment variable.

The profile to use can be set by either the --profile command-line option, or the AWS_PROFILE environment variable. If no profile is specified, the default profile will be used (if it exists).

with an EC2 instance IAM role

When running on an EC2 instance, if the access key environment variables aren't set, envy can use the instance's IAM role to authenticate. You don't need to manually specify any credentials in this case.