zenv
is enhanced env
command to manage environment variables in CLI.
- Load environment variable from
.env
file by- Static values
- Reading file content
- Executing command
- Securely save, generate and get secret values with Keychain, inspired by envchain (supported only macOS)
- Replace command line argument with loaded environment variable
go install github.com/m-mizutani/zenv@latest
Can set environment variable in same manner with env
command
$ zenv POSTGRES_DB=your_local_dev_db psql
Automatically load .env
file and
$ cat .env
POSTGRES_DB=your_local_db
POSTGRES_USER=test_user
PGDATA=/var/lib/db
$ zenv psql -h localhost -p 15432
# connecting to your_local_db on localhost:15432 as test_user
# save a secret value
$ zenv secret write @aws-account AWS_SECRET_ACCESS_KEY
Value: # no echo
$ zenv secret write @aws-account AWS_ACCESS_KEY_ID
Value: # no echo
# load a secret value and execute command "aws s3 ls"
$ zenv @aws-account aws s3 ls
2020-06-19 03:53:13 my-bucket1
2020-04-18 06:45:44 my-bucket2
...
secret write
command format is zenv secret write <Namespace> <Key>
to save a secret value. In above case, @aws-account
is Namespace and AWS_SECRET_ACCESS_KEY
& AWS_ACCESS_KEY_ID
are Key (Environment variable name). Namespace must have @
prefix.
zenv <Namespace> <Command>
executes <Command>
with loaded secret value(s) from <Namespace>
as environment variables. If multiple environment variables are saved in the <Namespace>
, all variables are loaded.
All of CLI argument, loading .env
and secret can be used in parallel. An example is following.
$ zenv secret write @aws-account AWS_SECRET_ACCESS_KEY
Value: # no echo
$ cat .env
AWS_ACCESS_KEY_ID=abcdefghijklmn
$ zenv @aws-account AWS_REGION=jp-northeast-1 aws s3 ls
# access to S3 with AWS_SECRET_ACCESS_KEY, AWS_SECRET_ACCESS_KEY and AWS_REGION
Also, -e
option specifies a file used as .env
.
You can see loaded environment variable by zenv with zenv list <...>
command.
$ zenv list @aws-account AWS_REGION=jp-northeast-1
AWS_REGION=jp-northeast-1
AWS_ACCESS_KEY_ID=abcdefghijklmn
AWS_SECRET_ACCESS_KEY=******************************** (hidden)
You can specify arguments to specify loading environment in same manner with executing command. Of curse secret values loaded from Keychain will be masked.
zenv
can override environment variable by multiple -e
option.
$ cat .env
POSTGRES_DB=your_local_db
POSTGRES_USER=test_user
$ cat .env.local
POSTGRES_DB=your_local_dev_db
$ zenv -e .env -e .env.local psql
# Access to your_local_dev_db with test_user
The priority for loading environment variables is as follows: first, the -e
option, followed by additional -e
options, and finally, the arguments of the zenv
command.
$ cat .env1
COLOR=blue
$ cat .env2
COLOR=orange
$ zenv -e .env1 -e .env2 COLOR=red echo %COLOR
red
secret generate
subcommand can generate random value like token and save to KeyChain.
$ zenv secret generate @my-project MYSQL_PASS
$ zenv secret generate @my-project -n 8 TMP_TOKEN # set length to 8
$ zenv list @my-project
MYSQL_PASS=******************************** (hidden)
TMP_TOKEN=******** (hidden)
secret list
subcommand shows list of namespaces.
$ zenv secret list
@aws
@local-db
@staging-db
You can also can put Namespace for secret values into .env
file. Then, zenv
always loads secret values without Namespace argument.
$ zenv secret write @aws AWS_SECRET_ACCESS_KEY
Value # <- input
$ cat .env
@aws
AWS_REGION=jp-northeast-1
AWS_ACCESS_KEY_ID=abcdefghijklmn
$ zenv list
AWS_REGION=jp-northeast-1
AWS_ACCESS_KEY_ID=abcdefghijklmn
AWS_SECRET_ACCESS_KEY=******************************** (hidden)
zenv
replaces words having %
prefix with existing another environment variable.
$ cat .env
MYTOOL_DB_PASSWD=abc123
PGPASSWORD=%MYTOOL_DB_PASSWD
$ zenv list
MYTOOL_DB_PASSWD=abc123
PGPASSWORD=abc123
zenv
replaces words having %
prefix with loaded environment variable.
$ cat .env
TOKEN=abc123
$ zenv curl -v -H "Authorization: bearer %TOKEN" http://localhost:1234
(snip)
> GET /api/v1/alert HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: bearer abc123
(snip)
Sometime, we need to load large content into environment variable. For example, Google OAuth2 credential file is slightly large to write in .env
file and complicated. zenv
can load file content into environment variable with &
prefix.
$ cat .env
GOOGLE_OAUTH_DATA=&tmp/client_secret_00000-abcdefg.apps.googleusercontent.com.json
$ zenv list
GOOGLE_OAUTH_DATA={"web":{"client_id":"00000...(snip)..."}}
$ zenv ./some-oauth-server
zenv
recognizes environment value as command by surrounding with `
backquote (backtick). The feature is useful to set short live token that provided CLI command. zenv
set standard output as value of environment variable.
$ cat .env
GOOGLE_TOKEN=`gcloud auth print-identity-token`
$ zenv list
GOOGLE_TOKEN=eyJhbGciOiJS...(snip)
$ zenv ./some-app-requires-token
For example, when migrating PC, we need to transfer every data including secrets. So backup and restore features are required. zenv
provides export and import command as following.
$ zenv secret write @aws AWS_SECRET_ACCESS_KEY
Value: # <- input secret
$ zenv secret export -o backup.json
input passphrase: # <- input passphrase
exported secrets to backup.json
$ cat backup.json
{
"CreatedAt": "2022-03-27T13:37:06.577827+09:00",
"Encrypted": "wr/s6Z5T4diP6Ihu1318tL2tRA2Ch2LImAB1QEJi0...(snip)..."
}
secret export
command dumps encrypted all secrets to JSON file. You can filter dumped namespace by -n
option.
After that, move backup.json
to new machine and import it.
$ zenv secret import backup.json
input passphrase: # <- input passphrase
$ zenv list @aws
AWS_SECRET_ACCESS_KEY=******************************** (hidden)
Passphrase must be same when exporting and importing.
Apache License 2.0