Skip to content

A better way to store secret environment variables on netlify

License

Notifications You must be signed in to change notification settings

runlevel5/netlify-plugin-ejson-env

Repository files navigation

netlify-plugin-ejson-env

A better way to store secret environment variables on netlify

Usage

Install ejson then generate a key pair:

$ ejson keygen

Public Key:
63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f
Private Key:
75b80b4a693156eb435f4ed2fe397e583f461f09fd99ec2bd1bdef0a56cf6e64

store the private key to environment variable:

$ export EJSON_PRIVATE_KEY="75b80b4a693156eb435f4ed2fe397e583f461f09fd99ec2bd1bdef0a56cf6e64"

please make sure you store this private key in somewhere safe. Please don't lose it!!

then create the secrets.ejson file in your project root folder:

{
  "_public_key": "63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f",
  "environment": {
    "SECRET_VAR1": "secret_in_plaintext"
  }
}

and then encrypt our secrets:

$ ejson encrypt secrets.ejson

the SECRET_VAR1 should now have encrypted value, verify that easily with:

$ cat secrets.ejson

# stripped output
"SECRET_VAR1": "EJ[1:3eCI5YRF+jVXBa3I39lOjuM41HwX3k3dedBVMIIWyUk=:cobOAF#@(*&VLKJL#@"

and let's try to decrypt our secrets:

$ echo $EJSON_PRIVATE_KEY | ejson decrypt --key-from-stdin secrets.ejson

{
  "_public_key": "63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f",
  "environment": {
    "SECRET_VAR1": "secret_in_plaintext"
  }
}

Next, please create a new environment variable in Netlify build settings:

EJSON_PRIVATE_KEY: "75b80b4a693156eb435f4ed2fe397e583f461f09fd99ec2bd1bdef0a56cf6e64"

Build environment

Let's move on to install the plugin in the Netlify UI, use this direct in-app installation link or go to the Plugins directory.

For file-based installation, add the following lines to your netlify.toml file:

[[plugins]]
package = "@runlevel5/netlify-plugin-ejson-env"

  # all inputs are optional, we just show you the defaults below
  [plugins.inputs]

  ejsonPrivateKeyEnvVarName = "EJSON_PRIVATE_KEY" # the environment variable name that contains the EJSON private key as value
  ejsonSecretsFilePath = "./secrets.ejson" # the EJSON file that contains encrypted key-value pairs

To complete file-based installation, from your project's base directory, use npm, yarn, or any other Node.js package manager to add the plugin to devDependencies in package.json.

npm install -D @runlevel5/netlify-plugin-ejson-env

Execution in Netlify

Once installed and configured, the plugin will automatically run in the Netlify CI during its specified Netlify Build lifecycle event and all key-value pairs in the secrets EJSON file would be populated as environment variables.

Executing locally

To test the execution of the Netlify Build lifecycle locally, first ensure that netlify-build is installed:

# Ensure that you have the netlify build command available
# (in future this will be provided via the CLI)
npm install @netlify/build -g

and direnv is installed:

cp .envrc.example .envrc
direnv allow

then in the project working directory, run the build as netlify would with the build bot:

netlify-build

Credits

About

A better way to store secret environment variables on netlify

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published