Managing environment variables with SecretsFoundry

Abhishek Choudhary
4 min read · May 2, 2022

I wrote about the different ways of managing environment variables earlier in my post here. To make it easy for us to deal with configuration in our startup at Truefoundry, we wrote a small tool called SecretsFoundry that has really made it quite seamless for all application teams to maintain their configurations in Git. We thought it might be useful for other developer teams and hence decided to open-source it.

Before I go into the details, it will be good to understand what problem SecretsFoundry solves. Every application has some non-sensitive and some sensitive configuration variables which need to be provided to the application when it's running. For the non-sensitive variables, people tend to put the variables in a file and then load them into the application using libraries like dotenv. For sensitive variables, people either store the values in a secret manager like AWS Secrets Manager or HashiCorp Vault and then write application code to pull the secrets from the store, or they have some external system inject the variables from the secret store into the application environment — in which case env variables become more of a devops responsibility and developers lose control of them — leading to more bugs and harder debugging when issues happen.

SecretsFoundry tries to solve the issues above by doing the following:

All sensitive and non-sensitive keys can live in one file.

For non-sensitive variables, you put the values directly. For sensitive variables, we put the path in the secret store as the value of those variables; this tells secretsfoundry how to fetch them. An example of such a file:

.env file

NODE_ENV = development
HOST = localhost
DB_NAME = example_app_db
DB_USER = ${aws-secret:/development/example_app/DB_USER}
DB_PASSWORD = ${aws-secret:/development/example_app/DB_PASSWORD}

In the example above, the actual DB_USER and DB_PASSWORD are stored in AWS Secrets Manager. Developers only mention the path in the .env file, and secretsfoundry fetches the value for them.

No application specific code to fetch env variables

Secretsfoundry works by infusing the actual values in the app environment before it starts up rather than within the application. This has two…
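To make the two ideas above concrete (one file holding plain values and `${aws-secret:/path}` references, resolved before the app starts rather than inside it), here is an added example. It is not SecretsFoundry's own code: the provider map and the in-memory stand-in for AWS Secrets Manager are assumptions, and the sample .env text is constructed from the file shown earlier.

```javascript
// Added example, not SecretsFoundry's code: resolve `${provider:path}` values
// from a .env file before launching the application.
const REF = /^\$\{([a-z0-9-]+):([^}]+)\}$/i;

// Constructed in-memory store standing in for AWS Secrets Manager (assumption).
const fakeAwsSecretsManager = new Map([
  ["/development/example_app/DB_USER", "app_user"],
  ["/development/example_app/DB_PASSWORD", "s3cr3t-constructed"],
]);

// Providers map the prefix before ":" to a lookup function (assumed design).
const providers = {
  "aws-secret": (path) => {
    if (!fakeAwsSecretsManager.has(path)) {
      throw new Error(`aws-secret: no secret at ${path}`);
    }
    return fakeAwsSecretsManager.get(path);
  },
};

// Parse "KEY = VALUE" lines as in the .env example; skip blanks and comments.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) throw new Error(`malformed line: ${line}`);
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Replace every `${provider:path}` value with the fetched secret; plain values
// pass through unchanged. Unknown providers and missing secrets fail loudly.
function resolveEnv(text) {
  const env = parseDotenv(text);
  for (const [key, value] of Object.entries(env)) {
    const m = REF.exec(value);
    if (!m) continue; // non-sensitive value, keep as written
    const [, provider, path] = m;
    const fetch = providers[provider];
    if (!fetch) throw new Error(`${key}: unknown provider "${provider}"`);
    env[key] = fetch(path);
  }
  return env;
}

// Constructed sample input mirroring the .env file shown above.
const SAMPLE_ENV = `NODE_ENV = development
HOST = localhost
DB_NAME = example_app_db
DB_USER = \${aws-secret:/development/example_app/DB_USER}
DB_PASSWORD = \${aws-secret:/development/example_app/DB_PASSWORD}`;
```

The resolved object is what you would pass as `env` to `child_process.spawn` when starting the app, so the application itself never contains secret-fetching code.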
