Automate .env and secret management with Envilder
Streamline your environment setup with AWS Parameter Store
Envilder is a CLI tool for .env automation, AWS SSM secrets management, and secure environment variable sync. Generating and maintaining consistent .env files is a real pain point for any development team. From outdated secrets to insecure practices, the risks are tangible. Envilder eliminates these pitfalls by centralizing and automating secret management across real-world environments (dev, test, production) in a simple, secure, and efficient way. Use Envilder to automate .env files, sync secrets with AWS Parameter Store, and streamline onboarding and CI/CD workflows.
- Desync between environments (dev, prod)
- Secrets not properly propagated across team members
- CI/CD pipeline failures due to outdated or missing .env files
- Slow and manual onboarding processes
- Security risks from sharing secrets via Slack, email, or other channels
- Insecure .env practices and manual secret sharing
- Centralizes secrets in AWS Parameter Store
- Generates .env files automatically for every environment
- Applies changes idempotently and instantly
- Improves security: no need to share secrets manually; everything is managed via AWS SSM
- Simplifies onboarding and internal rotations
- Enables cloud-native, infrastructure-as-code secret management
- Perfect for DevOps, CI/CD, and team sync
- Strict access control: IAM policies define access to secrets across stages (dev, staging, prod)
- Auditable: All reads/writes are logged in AWS CloudTrail
- Single source of truth: No more Notion, emails or copy/paste of envs
- Idempotent sync: Only what's in your map gets updated. Nothing else is touched
- Zero infrastructure: Fully based on native AWS SSM. No Lambdas, no servers, no fuss
Feature | Status | Notes |
---|---|---|
Mapping-based resolution | Implemented | |
.env file generation | Implemented | |
AWS profile support | Implemented | `--profile` flag |
Import/push mode (`--push`) | Implemented | |
Auto-discovery (`--auto`) | Planned | Detect keys based on env |
Check/sync mode (`--check`) | Planned | Diff local vs remote |
Webhook/Slack notification | Planned | On push/pull events |
Hierarchical mapping | Not yet | Flat mapping only |
Plugin system | Not yet | SSM is the only backend (for now) |
Requirements:
- Node.js v20+ (cloud-native compatible)
- AWS CLI installed and configured
- IAM user/role with `ssm:GetParameter`, `ssm:PutParameter`

```bash
npm install -g envilder
```

New to AWS SSM? AWS Systems Manager Parameter Store provides secure storage for configuration data and secrets:
After configuring the AWS CLI and ensuring you have the necessary permissions to create SSM parameters, you can begin pushing your first environment variables.

- Create a mapping file:

  ```json
  { "DB_PASSWORD": "/my-app/db/password" }
  ```

- Push a secret to AWS SSM:

  ```bash
  envilder --push --key=DB_PASSWORD --value=12345 --ssm-path=/my-app/db/password
  ```

Once your secrets are stored in AWS, you can easily generate or synchronize your local .env files:

- Generate your .env file from AWS SSM:

  ```bash
  envilder --map=param-map.json --envfile=.env
  ```

Your secrets are now managed and versioned from AWS SSM. Add `.env` to your `.gitignore` for security.
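
The mapping file lists exactly which parameters a developer or CI role needs, so it can drive the IAM policy behind the `ssm:GetParameter` / `ssm:PutParameter` requirement. The script below is an added example, not part of Envilder: `buildPolicy`, the region, the account ID and the rule that every path must sit under one stage prefix are assumptions for illustration.

```javascript
// Added example (not Envilder code): derive a least-privilege IAM policy from a mapping file.
// REGION and ACCOUNT_ID are placeholders; replace them with your own values.
const REGION = "us-east-1";
const ACCOUNT_ID = "123456789012";

// Accept only absolute paths built from letters, digits and . _ - so that a
// wildcard such as "/my-app/*" can never end up in a Resource ARN.
const VALID_PATH = /^(\/[A-Za-z0-9._-]+)+$/;

function parameterArn(ssmPath) {
  // The name follows "parameter" directly: "/my-app/x" gives ".../parameter/my-app/x".
  return `arn:aws:ssm:${REGION}:${ACCOUNT_ID}:parameter${ssmPath}`;
}

// mode "pull" grants ssm:GetParameter (generating .env); "push" grants ssm:PutParameter.
function buildPolicy(mapping, requiredPrefix, mode = "pull") {
  const rejected = [];
  const arns = new Set();
  for (const [envVar, ssmPath] of Object.entries(mapping)) {
    if (typeof ssmPath !== "string" || !VALID_PATH.test(ssmPath)) {
      rejected.push(`${envVar}: not an absolute parameter path`);
    } else if (!ssmPath.startsWith(requiredPrefix)) {
      rejected.push(`${envVar}: ${ssmPath} is outside ${requiredPrefix}`);
    } else {
      arns.add(parameterArn(ssmPath));
    }
  }
  if (rejected.length > 0) {
    throw new Error(`mapping rejected:\n  ${rejected.join("\n  ")}`);
  }
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: [mode === "push" ? "ssm:PutParameter" : "ssm:GetParameter"],
      Resource: [...arns].sort(),
    }],
  };
}

// Constructed sample mapping in the param-map.json format shown above.
const sampleMap = {
  DB_PASSWORD: "/my-app/db/password",
  API_TOKEN: "/my-app/api/token",
};
console.log(JSON.stringify(buildPolicy(sampleMap, "/my-app/"), null, 2));
```

Running it once per stage prefix gives each role a policy that names only the parameters in that stage's map.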
Envilder is designed for automation, onboarding, and secure cloud-native workflows.
```mermaid
graph LR
    A["Mapping File<br/>(param-map.json)"] --> B[Envilder]:::core
    C["Environment File<br/> '.env' or --key"] --> B
    D["AWS Credentials"]:::aws --> B
    E["AWS SSM"]:::aws --> B
    B --> F["Pull/Push Secrets"]
    classDef aws fill:#ffcc66,color:#000000,stroke:#333,stroke-width:1.5px;
    classDef core fill:#1f3b57,color:#fff,stroke:#ccc,stroke-width:2px;
```
- Create a new `.env` file like `ENV_VAR=12345`
- Define mappings in a JSON file: `{"ENV_VAR": "ssm/path"}`
- Run Envilder: `--push` to upload, or `--map` + `--envfile` to generate
- Envilder syncs secrets securely with AWS SSM Parameter Store using your AWS credentials
- Result: your secrets are always up-to-date, secure, and ready for any environment
Q: What is Envilder?
A: Envilder is a CLI tool for automating .env and secret management using AWS SSM Parameter Store.
Q: How does Envilder improve security?
A: Secrets are never stored in code or shared via chat/email. All secrets are managed and synced securely via AWS SSM.
Q: Can I use Envilder in CI/CD pipelines?
A: Yes! Envilder is designed for automation and works seamlessly in CI/CD workflows.
Q: Does Envilder support multiple AWS profiles?
A: Yes, you can use the `--profile` flag to select different AWS credentials.
Q: What environments does Envilder support?
A: Any environment supported by AWS SSM: dev, test, staging, production, etc.
Q: Is Envilder open source?
A: Yes, licensed under MIT.
Planned features:
- Drift detection (`--check`)
- Auto-discovery (`--auto`)
- Slack/Webhook notifications
- Plugin system (Vault, Secrets Manager, etc.)

See full ROADMAP.md
All help is welcome: PRs, issues, ideas!
- Use our Pull Request Template
- Add tests where possible
- Feedback and discussion welcome

MIT © Marçal Albert. See LICENSE