Automate .env and secret management with Envilder
Streamline your environment setup with AWS Parameter Store
Envilder is a CLI tool for .env automation, AWS SSM secrets management, and secure environment variable sync. Generating and maintaining consistent .env files is a real pain point for any development team. From outdated secrets to insecure practices, the risks are tangible. Envilder eliminates these pitfalls by centralizing and automating secret management across real-world environments (dev, test, production) in a simple, secure, and efficient way. Use Envilder to automate .env files, sync secrets with AWS Parameter Store, and streamline onboarding and CI/CD workflows.
- Desync between environments (dev, prod)
- Secrets not properly propagated across team members
- CI/CD pipeline failures due to outdated or missing .env files
- Slow and manual onboarding processes
- Security risks from sharing secrets via Slack, email, or other channels
- Insecure .env practices and manual secret sharing
- π‘οΈ Centralizes secrets in AWS Parameter Store
- βοΈ Generates .env files automatically for every environment
- π Applies changes idempotently and instantly
- π Improves security: no need to share secrets manually; everything is managed via AWS SSM
- π₯ Simplifies onboarding and internal rotations
- π Enables cloud-native, infrastructure-as-code secret management
- π€ Perfect for DevOps, CI/CD, and team sync
- ποΈ Envilder βοΈ
- π Strict access control β IAM policies define access to secrets across stages (dev, staging, prod)
- π Auditable β All reads/writes are logged in AWS CloudTrail
- 𧩠Single source of truth β No more Notion, emails or copy/paste of envs
- π Idempotent sync β Only whatβs in your map gets updated. Nothing else is touched
- 𧱠Zero infrastructure β Fully based on native AWS SSM. No Lambdas, no servers, no fuss
- π€ GitHub Action β Integrate directly in CI/CD workflows
- π€ Push & Pull β Bidirectional sync between local
.envand AWS SSM - π― AWS Profile support β Use
--profileflag for multi-account setups
π Requirements:
- Node.js v20+ (cloud-native compatible)
- AWS CLI installed and configured
- IAM user/role with
ssm:GetParameter,ssm:PutParameter
pnpm add -g envilderπ‘ New to AWS SSM? AWS Systems Manager Parameter Store provides secure storage for configuration data and secrets:
Use Envilder directly in your CI/CD workflows with our official GitHub Action:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v5
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws-region: us-east-1
- name: Pull secrets from AWS SSM
uses: macalbert/envilder/github-action@v0.7.2
with:
map-file: param-map.json
env-file: .envπ View full GitHub Action documentation
Watch how easy it is to automate your .env management in less than 1 minute:
After configuring the AWS CLI and ensuring you have the necessary permissions to create SSM parameters, you can begin pushing your first environment variables.
-
Create a mapping file:
{ "DB_PASSWORD": "/my-app/db/password" } -
Push a secret to AWS SSM:
envilder --push --key=DB_PASSWORD --value=12345 --ssm-path=/my-app/db/password
Once your secrets are stored in AWS, you can easily generate or synchronize your local .env files:
-
Generate your .env file from AWS SSM:
envilder --map=param-map.json --envfile=.env
Your secrets are now managed and versioned from AWS SSM. Add .env to your .gitignore for security.
Envilder is designed for automation, onboarding, and secure cloud-native workflows.
graph LR
A["Mapping File<br/>(param-map.json)"] --> B[Envilder]:::core
C["Environment File<br/> '.env' or --key"] --> B
D["AWS Credentials"]:::aws --> B
E["AWS SSM"]:::aws --> B
B --> F["Pull/Push Secrets πΎ"]
classDef aws fill:#ffcc66,color:#000000,stroke:#333,stroke-width:1.5px;
classDef core fill:#1f3b57,color:#fff,stroke:#ccc,stroke-width:2px;
- Create a new
.envfile like'ENV_VAR=12345' - Define mappings in a JSON file :
{"ENV_VAR": "ssm/path"} - Run Envilder:
--pushto upload, or--map+--envfileto generate - Envilder syncs secrets securely with AWS SSM Parameter Store using your AWS credentials
- Result: your secrets are always up-to-date, secure, and ready for any environment
Q: What is Envilder?
A: Envilder is a CLI tool for automating .env and secret management using AWS SSM Parameter Store.
Q: How does Envilder improve security?
A: Secrets are never stored in code or shared via chat/email. All secrets are managed and synced securely via AWS SSM.
Q: Can I use Envilder in CI/CD pipelines?
A: Yes! Envilder is designed for automation and works seamlessly in CI/CD workflows.
Q: Does Envilder support multiple AWS profiles?
A: Yes, you can use the --profile flag to select different AWS credentials.
Q: What environments does Envilder support?
A: Any environment supported by AWS SSMβdev, test, staging, production, etc.
Q: Is Envilder open source?
A: Yes, licensed under MIT.
We're continuously improving Envilder based on community feedback. Upcoming features include:
- π Multi-backend support (Azure Key Vault, HashiCorp Vault, etc.)
- π Check/sync mode for drift detection
- π§ Auto-discovery for bulk parameter fetching
π View full roadmap with priorities
All help is welcome β PRs, issues, ideas!
- π§ Use our Pull Request Template
- π§ͺ Add tests where possible
- π¬ Feedback and discussion welcome
- ποΈ Check our Architecture Documentation
- π Review our Security Policy
MIT © Marçal Albert
See LICENSE | CHANGELOG | Security Policy
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
![@coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=64&v=4){kind=small}
![@gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=64&v=4){kind=small}
![@google-labs-jules[bot]](https://avatars.githubusercontent.com/in/842251?s=64&v=4){kind=small}