I have a rule that credentials in environment variables are to only ever be loaded as needed via some sort of secrets manager, optionally adding a wrapper script to do so transparently.

The whole point of passing secrets as environment variables is to avoid having things in files in plain and in known locations easy to scrape up by any malware.

Now we have people going full circle and slapping those into a .env file.

No no see the credentials have been towed outside the environment.

If you run a binary written with bad intentions, you’re doomed anyway.

This is the security model we have currently.

I suppose in a well configured Docker or Kubernetes environment this doesn’t matter that much. Also, in Kubernetes, “secrets” can be passed as read-only files.

CRED=$(fancy-get-cred) do-stuff

do-stuff has ${CRED} but nothing else does. wrap in a shell script.

Global credentials are yuck

What’s the goal?

There are extra steps you can take to try to improve the security against malware, but using environment variables instead of hard coding isn’t really intended for that, I don’t think.

It’s just to stop accidental leaks with stuff like git and other code sharing.

CyberArk is a commercial product that attacks this problem space. It puts an agent process on the host next to your app. Only processes whose fingerprint matches those authorized to access a credential are allowed to fetch it. That fingerprint can be based on the host (known list of production hosts), the os user ID that owns the pid, the path to the executable for the pid, and probably a few more items.

Under that model your app just needs to know the environment that it wants (inject however you want) and the userid it wants to use. At runtime it reaches out to the local cyberark agent to obtain the password secret.