Secretenv
A command-line tool that fetches secrets from secret management services (such as Google Cloud Secret Manager, AWS Secrets Manager) and executes commands with those secrets as environment variables.
Overview
secretenv retrieves secrets stored in dotenv (.env) format from secret management services and runs specified commands with those secrets as environment variables.
This enables secure secret management following the 12 Factor App methodology without changing your existing dotenv-based configuration.
Features
- Secure Secret Management: Retrieve secrets from centralized secret management services instead of storing them in files
- Simple Integration: Works as a wrapper command like godotenv, easily integrated into existing applications
- Multiple Provider Support: Extensible architecture supporting various secret management services
Installation
Using Go install
CGO_ENABLED=0 go install github.com/hakadoriya/secretenv/cmd/secretenv@latest
Download Binary
Run the following command to install the latest binary to /usr/local/bin.
INSTALL_DIR=/usr/local/bin
VERSION=$(curl -w '%header{location}' -o /dev/null -RSs https://github.com/hakadoriya/secretenv/releases/latest | grep -o "[^/]*$")
curl -LR https://github.com/hakadoriya/secretenv/releases/download/${VERSION}/secretenv_${VERSION}_$(uname -s)_$(uname -m).tar.gz | (cd ${INSTALL_DIR} && sudo tar -xf - secretenv)
Alternatively, download the latest binary from the Releases page.
Usage
Basic Usage
secretenv --provider <provider> --secret <secret-name> -- <command> [args...]
Or using environment variables:
export SECRETENV_PROVIDER=<provider>
export SECRETENV_SECRET=<secret-name>
secretenv -- <command> [args...]
Options
| Option | Environment Variable | Description | Required |
|--------|---------------------|-------------|----------|
| --provider | SECRETENV_PROVIDER | Secret management service provider (e.g., aws) | Yes |
| --secret | SECRETENV_SECRET | Secret name containing the .env file | Yes |
| --secret-version | SECRETENV_SECRET_VERSION | Secret version to retrieve (default: provider-specific latest version) | No |
Examples
Running with AWS Secrets Manager
# Using command-line options
secretenv --provider aws --secret my-app-secrets -- ./myapp
# Using environment variables
export SECRETENV_PROVIDER=aws
export SECRETENV_SECRET=my-app-secrets
secretenv -- ./myapp arg1 arg2
# Specifying a version
secretenv --provider aws --secret my-app-secrets --secret-version AWSCURRENT -- ./myapp
Dockerfile Example
FROM alpine:latest
# Install secretenv
COPY secretenv /usr/local/bin/secretenv
# Set environment variables
ENV SECRETENV_PROVIDER=aws
ENV SECRETENV_SECRET=my-app-secrets
# Run application with secretenv
ENTRYPOINT ["secretenv", "--"]
CMD ["./myapp"]
Supported Providers
aws provider: AWS Secrets Manager
Prerequisites:
- AWS credentials configured (via environment variables, IAM role, or AWS credentials file)
- Appropriate IAM permissions to access Secrets Manager
Default Version:
- If --secret-version is not specified, AWSCURRENT is used
Example:
aws login
secretenv --provider aws --secret my-app-secrets -- ./myapp
gcloud provider: Google Cloud Secret Manager
Prerequisites:
- Google Cloud SDK installed and authenticated or using service account credentials
- Appropriate IAM permissions to access Secret Manager
Default Version:
- If --secret-version is not specified, latest is used
Example:
gcloud auth application-default login
secretenv --provider gcloud --secret my-app-secrets -- ./myapp
1password provider: 1Password
Prerequisites:
- 1Password Service Account Token
- Environment variable OP_SERVICE_ACCOUNT_TOKEN is set
Default Version:
- 1Password does not have a version concept, so the --secret-version option is ignored.
Example:
export OP_SERVICE_ACCOUNT_TOKEN=****
secretenv --provider 1password --secret "op://vault/item/field" -- ./myapp
shell provider: Shell
Prerequisites:
- Shell command to execute
Default Version:
- Shell does not have a version concept, so the --secret-version option is ignored.
Example:
secretenv --provider shell --secret "op read op://vault/item/field" -- ./myapp
.env File Format
The secret value should be stored in .env format.
Example Secret Content
# Database Configuration
DB_HOST=localhost
DB_PORT=5432
DB_NAME=myapp
DB_USER=admin
DB_PASSWORD="p@ssw0rd"
# API Keys
API_KEY=abc123xyz
SECRET_TOKEN='secret-token-value'
# Feature Flags
FEATURE_X_ENABLED=true
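As an added example (not secretenv's own parser), the following Go code parses secret content in the format above into a variable map, rejecting malformed lines without echoing their contents so that secret values do not end up in error logs. It assumes plain KEY=VALUE lines only (no export prefix, escapes, inline comments or multi-line values); ParseDotenv, keyRe and sampleSecret are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, abridged from the example secret content above.
const sampleSecret = `# Database Configuration
DB_HOST=localhost
DB_PASSWORD="p@ssw0rd"
# API Keys
SECRET_TOKEN='secret-token-value'
`

// keyRe (assumption of this example) restricts names to portable env var syntax.
var keyRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ParseDotenv skips blank lines and comments, strips one pair of matching
// quotes, and reports malformed lines by number only, never by content.
func ParseDotenv(content string) (map[string]string, error) {
	env := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if !ok || !keyRe.MatchString(key) {
			return nil, fmt.Errorf("line %d: invalid entry", n)
		}
		if l := len(val); l >= 2 && (val[0] == '"' || val[0] == '\'') && val[l-1] == val[0] {
			val = val[1 : l-1]
		}
		env[key] = val
	}
	return env, sc.Err()
}

func main() {
	env, err := ParseDotenv(sampleSecret)
	if err != nil {
		panic(err)
	}
	fmt.Println(len(env), "variables parsed") // values deliberately not printed
}
```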
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
