Use DSV With Direnv
direnv is a commonly used tool in the Linux/Mac communities to load environment variables for projects.
direnv is an extension for your shell. It augments existing shells with a new feature that can load and unload environment variables depending on the current directory.
In this workflow, it's common to load environment variables from your $HOME/.envrc (optionally in your .profile).
Challenges
Keeping credentials in plain text in your .envrc might be a quick solution, but it's not a secure approach.
Removing sensitive values from your .envrc or .env file can be a great step towards improving your security. Use dsv to retrieve secrets on demand or to load them into your session context.
It's common to see secrets set directly as environment variables in .envrc or similar files (.env):

```shell
export GH_TOKEN="plaintexttoken"
export GITHUB_TOKEN="plaintexttoken"
```
Instead, leverage dsv to populate your credentials on environment load:

```shell
export GH_TOKEN="$(dsv-cli secret read --path "core-services:tokens:github-pat:github-pat" --filter '.data.github-token' --plain --profile mycustomprofilename)"
export GITHUB_TOKEN=$GH_TOKEN
```
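A quick way to find assignments that still need this treatment is to scan the file for credential-looking variables that are assigned a literal. The script below is an added example, not part of the original page or of the DSV project: it accepts values that come from a dsv or dsv-cli command substitution or that only copy another variable, and its list of name components (TOKEN, SECRET, KEY, PASSWORD, PASSWD, PAT) is an assumption chosen for the example. The .envrc it scans is constructed inline.

```shell
#!/bin/sh
# Scan an .envrc/.env file for credential-looking variables assigned a literal value.
# Assignments whose value comes from a dsv/dsv-cli command substitution, or that only
# copy another variable, are accepted. The variable-name heuristic (TOKEN, SECRET, KEY,
# PASSWORD, PASSWD, PAT as a name component) is an assumption made for this example.
find_plaintext_secrets() {
    # $1: file to scan. Prints "<line no>: <line>" for each hit; exit status 1 if any.
    awk '
        BEGIN { found = 0 }
        /^[ \t]*(export[ \t]+)?[A-Za-z_][A-Za-z0-9_]*=/ {
            line = $0
            sub(/^[ \t]*export[ \t]+/, "", line)
            eq = index(line, "=")
            name = toupper(substr(line, 1, eq - 1))
            value = substr(line, eq + 1)
            # surround the name with "_" so PATH does not match PAT
            if (("_" name "_") !~ /_(TOKEN|SECRET|KEY|PASSWORD|PASSWD|PAT)_/) next
            if (value ~ /\$\((dsv|dsv-cli)[ \t]/) next   # populated from DSV at load time
            if (value ~ /^"?\$[A-Za-z_{]/) next           # only copies another variable
            found++
            printf "%d: %s\n", NR, $0
        }
        END { exit (found > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample .envrc mixing plaintext and DSV-backed values (not a real file).
write_sample_envrc() {
    cat > "$1" <<'EOF'
export EDITOR=vim
export NPM_TOKEN="plaintexttoken"
export GH_TOKEN="$(dsv secret read --path "core-services:tokens:github-pat:github-pat" --filter '.data.github-token' --plain)"
export GITHUB_TOKEN=$GH_TOKEN
export API_KEY=abc123
export PATH="$HOME/bin:$PATH"
export DB_PASSWORD="$(dsv-cli secret read --path "db:example:password" --filter '.data.password' --plain --profile ci)"
EOF
}

sample=$(mktemp)
write_sample_envrc "$sample"
if find_plaintext_secrets "$sample"; then
    echo "no plaintext credential assignments found"
else
    echo "the plaintext credential assignments above should be moved into DSV"
fi
rm -f "$sample"
```

On the constructed file only NPM_TOKEN and API_KEY are reported; the two DSV-backed lines, the variable copy and PATH pass. Run it against a real .envrc as `find_plaintext_secrets ~/.envrc` before committing the file anywhere.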
Quick Start on Creating a Secret Like This
Using the DSV CLI, you can create a secret like this:
```shell
rolename="core-services-tokens"
secretpath="core-services:tokens:github-pat"
secretpathclient="clients:${secretpath}"
desc="github token for org, repo, and all blanket usage"
secretkey="github-pat"
secretvalue='{"github-token":">>>> SECRET HERE <<<<"}'

# create the secret under the "secrets:" prefix
dsv secret create \
    --path "secrets:${secretpath}:${secretkey}" \
    --data "${secretvalue}" \
    --desc "${desc}"

# read back only the github-token field as plain text
dsv secret read --path "core-services:tokens:github-pat:github-pat" --filter '.data.github-token' --plain
```
Optionally, create a client credential and use it as an alternative profile that has access to only a specific path. This is only needed if you want a separate profile based on client credentials instead of your normal DSV login.

```shell
dsv role create --name "${rolename}"
clientcred=$(dsv client create --role "${rolename}" --plain | jq -c)
```
DSV Tweaks
When you configure DSV, you can further enhance this approach by leveraging the caching setup. A longer cache lifecycle reduces API calls and improves performance.
Limit Scope Of Secret When Possible
When loaded as an environment variable, the secret still sits in the shell's environment (and is inherited by every process that shell starts), so while this is more secure than plain text, you can take it further by investigating the DSV SDK directly and by minimizing the lifespan of the secret.
For example, instead of loading an environment variable that is in scope for all tools and commands, retrieve it as part of the single command that needs it:

```shell
customcli --param foo \
    --param bar \
    --token $(dsv secret read --path "core-services:tokens:github-pat:github-pat" --filter '.data.github-token' --plain)
```
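The two patterns above (export at .envrc load time, and scope the secret to one command) share the same failure mode: if the dsv read fails, a naive `$(...)` substitution silently exports an empty string or an error message as the credential. The helpers below are an added example, not code from the original page or the DSV project; they wrap `dsv secret read`, refuse to export on failure, and hand the value to a single command via `env` so the calling shell never holds it. The `fake_dsv` function is a constructed stand-in for the CLI so the demonstration runs without a vault, and `DSV_CMD` is a name chosen for this example.

```shell
#!/bin/sh
# Helpers around "dsv secret read" for (a) an .envrc that exports a secret at load
# time and (b) handing a secret to a single command without exporting it.
# DSV_CMD names the CLI; fake_dsv below is a constructed stand-in so the
# demonstration runs without a vault.
DSV_CMD="${DSV_CMD:-dsv}"

# Print one field of a secret. Arguments: secret path, jq-style filter.
# Fails (nothing on stdout) when the CLI fails or returns an empty value, so a
# caller never ends up exporting an error message or "" as a credential.
dsv_read_field() {
    _val=$("$DSV_CMD" secret read --path "$1" --filter "$2" --plain) || return 1
    [ -n "$_val" ] || return 1
    printf '%s' "$_val"
}

# For .envrc: export NAME only when the read succeeds; otherwise warn and leave it unset.
# Arguments: variable name, secret path, filter.
dsv_export_field() {
    if _v=$(dsv_read_field "$2" "$3"); then
        export "$1=$_v"
    else
        echo "warning: could not load $1 from DSV path $2; leaving it unset" >&2
        unset "$1"
        return 1
    fi
}

# Scoped use: run a command with NAME set in its environment only. The calling
# shell never sees the value, and it is gone when the command exits.
# Arguments: variable name, secret path, filter, command...
dsv_with_field() {
    _name=$1; _path=$2; _filter=$3; shift 3
    _v=$(dsv_read_field "$_path" "$_filter") || return 1
    env "$_name=$_v" "$@"
}

# Constructed fake of the CLI: answers only "secret read --path P --filter F --plain"
# for the one path used on this page.
fake_dsv() {
    { [ "$1" = secret ] && [ "$2" = read ]; } || return 2
    case "$4|$6" in
        "core-services:tokens:github-pat:github-pat|.data.github-token") echo "ghp_constructed_example" ;;
        *) echo "secret not found: $4" >&2; return 1 ;;
    esac
}

# Demonstration (falls back to the fake when no dsv CLI is on PATH).
command -v "$DSV_CMD" >/dev/null 2>&1 || DSV_CMD=fake_dsv
if dsv_export_field GH_TOKEN "core-services:tokens:github-pat:github-pat" ".data.github-token"; then
    echo "GH_TOKEN exported into this shell (${#GH_TOKEN} chars)"
fi
dsv_with_field GITHUB_TOKEN "core-services:tokens:github-pat:github-pat" ".data.github-token" \
    sh -c 'echo "child process sees GITHUB_TOKEN of ${#GITHUB_TOKEN} chars"' \
    || echo "scoped read failed" >&2
echo "parent shell GITHUB_TOKEN: ${GITHUB_TOKEN:-unset}"
```

In an .envrc you would call `dsv_export_field GH_TOKEN ...` and then `export GITHUB_TOKEN=$GH_TOKEN`; in a script you would prefer `dsv_with_field GITHUB_TOKEN ... customcli --param foo` so the token exists only for the life of that one process.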
For PowerShell, see Microsoft's documentation on Secret Management With PowerShell.