View Source 1Password
1Password is a popular password manager. The 1Password CLI utility is a convenient way to read sensitive data out of a password vault. The approach taken here is similar to what other password tools may require.
The syntax for accessing values out of a 1Password item is this:
op://<vault-name>/<item-name>/[section-name/]<field-name>
Assuming you have the op
command installed, you can execute it and other system commands in your .env
files by using the $()
syntax (available since version 1.0.0 of Dotenvy
). For example:
DB_PASSWORD=$(op read op://MyVault/FooDatabase/password);
API_KEY=$(op read op://MyVault/ImportantAPI/key);
Executing Shell commands prior to version 1.0.0
If you need this functionality in versions of Dotenvy
prior to version 1.0.0, you must do a bit more footwork and rely on System.shell/2
. Use this with caution!
If you're unable to upgrade to version 1.0.0 or the shell commands you are attempting to run are not somehow not supported by the Dotenvy.Parser
, please file a bug! And then try the following.
Create a shell script that exports the necessary ENV vars, e.g. secrets.sh
:
#!/bin/bash
export DB_PASSWORD=$(op read op://MyVault/FooDatabase/password);
export API_KEY=$(op read op://MyVault/ImportantAPI/key);
Next, we need to execute this file AND return all the values! We do this by using &&
in our shell command, e.g.
System.shell(~s'bash -c "source secrets.sh && env"')
When it's all put together in your config/runtime.exs
it should look something like this:
# config/runtime.exs
import Config
import Dotenvy
env_dir_prefix = System.get_env("RELEASE_ROOT") || Path.expand("./envs/")
{raw_envs, _} = System.shell(~s'bash -c "source #{Path.absname("secrets.sh", env_dir_prefix)} && env"')
{:ok, system_env_vars} = Dotenvy.Parser.parse(raw_envs)
source!([
Path.absname(".env", env_dir_prefix),
Path.absname(".#{config_env()}.env", env_dir_prefix),
Path.absname(".#{config_env()}.overrides.env", env_dir_prefix),
system_env_vars
])
See Also
You may need to make some adjustments to your security settings your your command line utility doesn't prompt you for authorization each time you run it: