Single source of truth for environment variables; keeping secrets secret


I'm trying to figure out how to have a single source of truth for environment variables for my project.

By putting my env vars in an .env file, I can use the EnvFile plugin to load them into my IntelliJ run configurations.
And by installing direnv and having an .envrc file with the following content:

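#!/usr/bin/env bash
# Export each KEY=value line from .env as-is (no eval, no word splitting)
while IFS= read -r line || [ -n "$line" ]; do
  case $line in ''|'#'*) continue ;; esac   # skip blank lines and comments
  export "$line"
done < .env

I can ensure that every time I cd into my project directory, my terminal will load in the relevant environment variables (and unload them when I cd out).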

So far, so good! Environment variables are the same in IntelliJ and the terminal.

However, I'd like to source my secrets from some other file than the .env file. That way, I (or someone else developing on my project, using a similar method) can't accidentally commit secrets.

In a normal .sh script, or in the .envrc file, I could call out to my secrets store to bind secret values to environment variables, thus keeping them outside the lexical scope of my project. However, I cannot do this in my .env file, which is basically a key-value document, with no scripting powers.

Has anyone else tackled this problem somehow? Perhaps there is a way that I can just call a script to load in environment vars into my IntelliJ runtime environment, rather than use the "dumb" .env file.


EDIT: Just putting the env vars file in .gitignore is a solution, but I don't feel it's strong enough. I'd like my secrets to be outside of the lexical scope of my project, and maybe encrypted at rest, which they can be if I used something like https://www.passwordstore.org/
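
The split described in the question, as an added example that is not part of the original post: non-secret settings are read from .env as pure data, while secrets are bound in .envrc from a password store outside the project tree. `SECRET_CMD` is a hypothetical override hook (it defaults to `pass show`), and the entry name is constructed.

```bash
#!/usr/bin/env bash
# Added example for an .envrc: plain settings come from .env, secrets come
# from a password store that lives outside the project directory.

# Export KEY=value lines from a dotenv file without eval, so the file is
# treated as data only. Blank lines, comments and invalid names are skipped.
load_env_file() {
  _file=$1
  [ -f "$_file" ] || return 0
  while IFS= read -r _line || [ -n "$_line" ]; do
    case $_line in ''|'#'*) continue ;; esac      # blank line or comment
    case $_line in *=*) ;; *) continue ;; esac    # not KEY=value
    _key=${_line%%=*}
    case $_key in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;; # not a valid variable name
    esac
    export "$_key=${_line#*=}"                    # value is taken literally
  done < "$_file"
}

# Bind the first line of a password-store entry to an environment variable.
# SECRET_CMD is a hypothetical hook for swapping the store; default: pass show.
export_secret() {
  _var=$1
  _entry=$2
  # Intentionally unquoted so "pass show" splits into command and argument.
  _value=$(${SECRET_CMD:-pass show} "$_entry" 2>/dev/null | head -n 1)
  if [ -z "$_value" ]; then
    echo "export_secret: nothing returned for $_entry" >&2
    return 1
  fi
  export "$_var=$_value"
}

# Typical .envrc body (the entry name is constructed):
#   load_env_file .env
#   export_secret DB_PASSWORD myproject/db-password
```

Because `load_env_file` never evaluates the file, a value such as `$(command)` in .env is exported as literal text rather than executed.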

6 comments

You can start IntelliJ IDEA from a terminal by running your script setting the environment first and then calling IDE startup script.

0

Hey Serge, thanks for the suggestion. That would indeed enable the full power of the terminal, but I think it would be pretty clunky, particularly when it comes to restarts, which are very frequent for me some days where caches need to be invalidated often :) I was hoping to have more of an integrated solution.

0

I have the same problem; plugins sometimes fail.

Running PyCharm from the terminal is not a solution, because sometimes you need to change env vars, so you need to rerun it. Please add a "load variables from file" feature like in AppCode: Environment variables and program arguments | AppCode (jetbrains.com)

0

Egor Klepikov this issue is also similar to this one: 

Run Configuration: Allow environment variables to load from .env file : PY-5543 (jetbrains.com) 125 votes

How many upvotes should be made to implement this feature?
This issue (PY-5543) was created 10 years ago; also, it's not hard to implement.
In what way should we request this feature in order to be considered?

0

Vadim Stupakov 

Yes, PY-5543 is essentially the same request, only submitted for PyCharm specifically, while IDEA-205637 and IDEA-137820 are broader, platform-wide tasks. Voting/commenting for all three would be the smartest move here.

Developers are aware of the issue, and will put it on the roadmap as soon as similar issues come into focus and resources become available. Thanks for your patience.

1
