Environment Variables Guide: Dotenv, Secrets & Deployment

Master environment variables in development with this complete guide covering dotenv files, secrets management, and secure deployment strategies.

Author:

Published:

Category: DevOps

Reading Time: 14

How to Use Environment Variables in Development: A Complete Guide to Dotenv Files, Secrets Management, and Deployment

Environment variables are fundamental building blocks in modern software development, providing a secure and flexible way to configure applications across different environments. This comprehensive guide explores everything you need to know about using environment variables effectively, from basic dotenv file implementation to advanced secrets management and deployment strategies.

What Are Environment Variables?

Environment variables are dynamic values that exist outside your application code and can affect how running processes behave on a computer system. In software development, they serve as a crucial mechanism for configuring applications without hardcoding sensitive information or environment-specific settings directly into your source code.

These variables follow the principle of separation of concerns, allowing developers to maintain different configurations for development, testing, staging, and production environments while keeping the same codebase. This approach enhances security, maintainability, and deployment flexibility.

Why Environment Variables Matter

The importance of environment variables in modern development cannot be overstated. They provide several critical benefits:

Security Enhancement: By storing sensitive information like API keys, database passwords, and authentication tokens in environment variables instead of source code, you prevent accidental exposure through version control systems or code sharing.

Configuration Flexibility: Different environments require different configurations. Environment variables allow you to maintain a single codebase while adapting behavior based on the deployment context.

Compliance and Best Practices: Many security frameworks and compliance standards require the separation of configuration from code, making environment variables essential for enterprise applications.

Team Collaboration: Environment variables enable team members to work with their own local configurations without conflicts or the need to modify shared code.

Understanding Dotenv Files

Dotenv files, typically named .env, are plain text files that store environment variables in a simple key-value format. They bridge the gap between the convenience of configuration files and the security of environment variables.

The Anatomy of a Dotenv File

A typical .env file follows a straightforward structure:

`

Database Configuration

DATABASE_URL=postgresql://username:password@localhost:5432/myapp_development DATABASE_HOST=localhost DATABASE_PORT=5432 DATABASE_NAME=myapp_development

API Keys

STRIPE_API_KEY=sk_test_abcd1234567890 SENDGRID_API_KEY=SG.xyz789.abc123

Application Settings

NODE_ENV=development PORT=3000 DEBUG=true

Third-party Services

REDIS_URL=redis://localhost:6379 JWT_SECRET=your-super-secret-jwt-key `

Each line represents a single environment variable, with the format VARIABLE_NAME=value. Comments can be added using the # symbol, and blank lines are ignored.

Dotenv File Naming Conventions

Different environments often require different configuration files. Common naming patterns include:

- .env - Default environment file - .env.local - Local overrides (usually gitignored) - .env.development - Development-specific variables - .env.staging - Staging environment configuration - .env.production - Production environment settings - .env.test - Testing environment variables

Many dotenv libraries support loading multiple files with a precedence order, allowing for flexible configuration hierarchies.

Best Practices for Dotenv Files

Variable Naming: Use uppercase letters with underscores for separation (e.g., DATABASE_URL, API_KEY). This follows Unix convention and improves readability.

No Spaces: Avoid spaces around the equals sign and within variable names. Use VAR=value instead of VAR = value.

Quoting Values: Generally, quotes aren't necessary unless the value contains special characters or spaces. When needed, use double quotes.

Documentation: Include comments to explain the purpose of variables, especially for complex configurations or when the variable name isn't self-explanatory.

Grouping: Organize related variables together with comments to create logical sections within your .env file.

Implementing Dotenv in Different Programming Languages

Node.js Implementation

Node.js developers typically use the dotenv package, which is the most popular solution for loading environment variables from .env files.

Installation and Basic Setup:

`bash npm install dotenv `

Loading Environment Variables:

`javascript // Load dotenv at the very beginning of your application require('dotenv').config();

// Or using ES6 imports import 'dotenv/config';

// Accessing environment variables const databaseUrl = process.env.DATABASE_URL; const port = process.env.PORT || 3000; const isProduction = process.env.NODE_ENV === 'production';

// Using environment variables in configuration const dbConfig = { host: process.env.DATABASE_HOST, port: parseInt(process.env.DATABASE_PORT), database: process.env.DATABASE_NAME, username: process.env.DATABASE_USER, password: process.env.DATABASE_PASSWORD }; `

Advanced Configuration Options:

`javascript require('dotenv').config({ path: '.env.local', // Custom file path debug: process.env.DEBUG, // Enable debug output override: false // Don't override existing env vars });

// Loading multiple environment files require('dotenv').config({ path: '.env' }); require('dotenv').config({ path: '.env.local' }); `

Python Implementation

Python developers can use the python-dotenv package for similar functionality.

Installation:

`bash pip install python-dotenv `

Implementation:

`python from dotenv import load_dotenv import os

Load environment variables

load_dotenv()

Access variables

database_url = os.getenv('DATABASE_URL') api_key = os.getenv('API_KEY') port = int(os.getenv('PORT', 5000)) # Default value

Using in Django settings.py

import os from dotenv import load_dotenv

load_dotenv()

SECRET_KEY = os.getenv('DJANGO_SECRET_KEY') DEBUG = os.getenv('DEBUG', 'False').lower() == 'true' ALLOWED_HOSTS = os.getenv('ALLOWED_HOSTS', '').split(',')

DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql', 'NAME': os.getenv('DATABASE_NAME'), 'USER': os.getenv('DATABASE_USER'), 'PASSWORD': os.getenv('DATABASE_PASSWORD'), 'HOST': os.getenv('DATABASE_HOST', 'localhost'), 'PORT': os.getenv('DATABASE_PORT', '5432'), } } `

Ruby Implementation

Ruby applications often use the dotenv gem for environment variable management.

Installation:

`ruby

Gemfile

gem 'dotenv-rails', groups: [:development, :test] `

Usage:

`ruby

Load dotenv (automatic in Rails applications)

require 'dotenv/load'

Access environment variables

database_url = ENV['DATABASE_URL'] api_key = ENV['API_KEY'] port = ENV.fetch('PORT', 3000).to_i

Rails configuration

Rails.application.configure do config.database_url = ENV['DATABASE_URL'] config.secret_key_base = ENV['SECRET_KEY_BASE'] config.action_mailer.smtp_settings = { address: ENV['SMTP_HOST'], port: ENV['SMTP_PORT'], user_name: ENV['SMTP_USERNAME'], password: ENV['SMTP_PASSWORD'] } end `

Advanced Environment Variable Patterns

Hierarchical Configuration

Complex applications often require hierarchical configuration systems that combine multiple sources:

`javascript // config/index.js const config = { // Default values port: 3000, database: { host: 'localhost', port: 5432 }, // Override with environment variables ...process.env.PORT && { port: parseInt(process.env.PORT) }, ...process.env.DATABASE_HOST && { database: { ...config.database, host: process.env.DATABASE_HOST } } };

export default config; `

Type Conversion and Validation

Environment variables are always strings, so proper type conversion and validation are crucial:

`javascript // utils/env.js export function getEnvVar(name, defaultValue, type = 'string') { const value = process.env[name]; if (value === undefined) { if (defaultValue !== undefined) return defaultValue; throw new Error(Required environment variable ${name} is not set); } switch (type) { case 'number': const num = parseInt(value); if (isNaN(num)) throw new Error(${name} must be a number); return num; case 'boolean': return value.toLowerCase() === 'true'; case 'array': return value.split(',').map(item => item.trim()); default: return value; } }

// Usage const port = getEnvVar('PORT', 3000, 'number'); const debug = getEnvVar('DEBUG', false, 'boolean'); const allowedHosts = getEnvVar('ALLOWED_HOSTS', [], 'array'); `

Secrets Management: Beyond Basic Environment Variables

While dotenv files work well for development, production environments require more sophisticated secrets management approaches. Hardcoded secrets in .env files pose security risks and don't scale well for enterprise applications.

Understanding Secrets vs Configuration

Not all environment variables are created equal. It's important to distinguish between:

Configuration Variables: Non-sensitive settings like port numbers, feature flags, or public API endpoints that can be stored in plain text.

Secrets: Sensitive information like passwords, API keys, certificates, and tokens that require special handling and encryption.

Cloud-Based Secrets Management

#### AWS Secrets Manager

AWS Secrets Manager provides enterprise-grade secrets management with automatic rotation and fine-grained access control:

`javascript // AWS Secrets Manager integration const AWS = require('aws-sdk'); const secretsManager = new AWS.SecretsManager({ region: process.env.AWS_REGION });

async function getSecret(secretName) { try { const result = await secretsManager.getSecretValue({ SecretId: secretName }).promise(); return JSON.parse(result.SecretString); } catch (error) { console.error('Error retrieving secret:', error); throw error; } }

// Usage async function initializeDatabase() { const dbCredentials = await getSecret('prod/database/credentials'); const dbConfig = { host: dbCredentials.host, username: dbCredentials.username, password: dbCredentials.password, database: dbCredentials.database }; return createConnection(dbConfig); } `

#### Azure Key Vault

Azure Key Vault offers similar functionality for Azure-based applications:

`javascript const { SecretClient } = require('@azure/keyvault-secrets'); const { DefaultAzureCredential } = require('@azure/identity');

const credential = new DefaultAzureCredential(); const vaultUrl = https://${process.env.KEY_VAULT_NAME}.vault.azure.net; const client = new SecretClient(vaultUrl, credential);

async function getSecret(secretName) { try { const secret = await client.getSecret(secretName); return secret.value; } catch (error) { console.error('Error retrieving secret from Key Vault:', error); throw error; } } `

#### Google Cloud Secret Manager

Google Cloud provides Secret Manager for GCP applications:

`javascript const { SecretManagerServiceClient } = require('@google-cloud/secret-manager'); const client = new SecretManagerServiceClient();

async function getSecret(secretName) { const projectId = process.env.GOOGLE_CLOUD_PROJECT; const name = projects/${projectId}/secrets/${secretName}/versions/latest; try { const [version] = await client.accessSecretVersion({ name }); return version.payload.data.toString(); } catch (error) { console.error('Error accessing secret:', error); throw error; } } `

HashiCorp Vault Integration

HashiCorp Vault is a popular open-source solution for secrets management:

`javascript const vault = require('node-vault')({ apiVersion: 'v1', endpoint: process.env.VAULT_ENDPOINT, token: process.env.VAULT_TOKEN });

async function getSecret(path) { try { const result = await vault.read(path); return result.data; } catch (error) { console.error('Error reading from Vault:', error); throw error; } }

// Usage with dynamic secrets async function getDatabaseCredentials() { const creds = await getSecret('database/creds/myapp-role'); return { username: creds.username, password: creds.password, lease_duration: creds.lease_duration }; } `

Kubernetes Secrets

For containerized applications running on Kubernetes, native Secrets provide a secure way to manage sensitive data:

`yaml

secret.yaml

apiVersion: v1 kind: Secret metadata: name: app-secrets type: Opaque data: database-password: api-key: `

`yaml

deployment.yaml

apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: template: spec: containers: - name: myapp image: myapp:latest env: - name: DATABASE_PASSWORD valueFrom: secretKeyRef: name: app-secrets key: database-password - name: API_KEY valueFrom: secretKeyRef: name: app-secrets key: api-key `

Deployment Strategies and Environment Management

Deploying applications with environment variables requires careful planning and execution across different platforms and environments.

Container-Based Deployments

#### Docker Environment Variables

Docker provides several methods for passing environment variables to containers:

Dockerfile ENV Instructions:

`dockerfile FROM node:16-alpine

Set default environment variables

ENV NODE_ENV=production ENV PORT=3000

Copy application files

COPY . /app WORKDIR /app

Install dependencies

RUN npm ci --only=production

EXPOSE $PORT CMD ["npm", "start"] `

Docker Compose Configuration:

`yaml version: '3.8' services: web: build: . environment: - NODE_ENV=development - DATABASE_URL=postgresql://user:pass@db:5432/myapp - REDIS_URL=redis://redis:6379 env_file: - .env - .env.local ports: - "3000:3000" depends_on: - db - redis db: image: postgres:13 environment: - POSTGRES_DB=myapp - POSTGRES_USER=user - POSTGRES_PASSWORD=pass volumes: - postgres_data:/var/lib/postgresql/data redis: image: redis:6-alpine ports: - "6379:6379"

volumes: postgres_data: `

Runtime Environment Variables:

`bash

Using docker run

docker run -e NODE_ENV=production -e PORT=8080 myapp:latest

Using environment file

docker run --env-file .env.production myapp:latest

Using Docker Compose with different environments

docker-compose --env-file .env.staging up `

Cloud Platform Deployments

#### Heroku Configuration

Heroku provides a straightforward approach to environment variable management through config vars:

`bash

Setting config vars via CLI

heroku config:set NODE_ENV=production heroku config:set DATABASE_URL=postgresql://... heroku config:set REDIS_URL=redis://...

Viewing current config vars

heroku config

Setting multiple vars from file

heroku config:set $(cat .env.production | sed 's/^/-e /') `

Heroku Pipeline Configuration:

`javascript // Different configurations for pipeline stages const config = { development: { database: process.env.DATABASE_URL || 'postgresql://localhost/myapp_dev', redis: process.env.REDIS_URL || 'redis://localhost:6379' }, staging: { database: process.env.DATABASE_URL, redis: process.env.REDIS_URL, logLevel: 'debug' }, production: { database: process.env.DATABASE_URL, redis: process.env.REDIS_URL, logLevel: 'info', enableMetrics: true } };

module.exports = config[process.env.NODE_ENV || 'development']; `

#### AWS Elastic Beanstalk

Elastic Beanstalk allows environment variable configuration through the console or configuration files:

`yaml

.ebextensions/environment.config

option_settings: aws:elasticbeanstalk:application:environment: NODE_ENV: production LOG_LEVEL: info ENABLE_HTTPS: true `

#### Vercel Deployment

Vercel provides environment variable management through their dashboard and CLI:

`bash

Using Vercel CLI

vercel env add NODE_ENV vercel env add DATABASE_URL vercel env add API_KEY

Different environments

vercel env add FEATURE_FLAG production vercel env add DEBUG_MODE development `

vercel.json Configuration:

`json { "env": { "NODE_ENV": "production", "CUSTOM_KEY": "value" }, "build": { "env": { "BUILD_ENV": "production" } } } `

CI/CD Pipeline Integration

#### GitHub Actions

`yaml name: Deploy Application on: push: branches: [main]

jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Setup Node.js uses: actions/setup-node@v2 with: node-version: '16' - name: Install dependencies run: npm ci - name: Run tests env: NODE_ENV: test DATABASE_URL: $# API_KEY: $# run: npm test - name: Deploy to production env: NODE_ENV: production DATABASE_URL: $# API_KEY: $# DEPLOY_KEY: $# run: | npm run build npm run deploy `

#### GitLab CI

`yaml stages: - test - deploy

variables: NODE_ENV: production

test: stage: test script: - npm ci - npm test variables: NODE_ENV: test DATABASE_URL: $TEST_DATABASE_URL

deploy_production: stage: deploy script: - npm run build - npm run deploy environment: name: production url: https://myapp.com variables: DATABASE_URL: $PROD_DATABASE_URL API_KEY: $PROD_API_KEY only: - main `

Security Best Practices and Common Pitfalls

Security Best Practices

Never Commit Secrets: Always add .env files containing secrets to your .gitignore file. Use .env.example files with dummy values to document required variables.

Principle of Least Privilege: Grant applications access only to the environment variables they actually need. Use role-based access control for secrets management systems.

Regular Rotation: Implement regular rotation schedules for sensitive credentials, especially for production environments.

Encryption at Rest and in Transit: Ensure that secrets are encrypted both when stored and when transmitted between systems.

Audit and Monitoring: Implement logging and monitoring for access to sensitive environment variables and secrets.

Common Pitfalls to Avoid

Logging Sensitive Variables: Be careful not to log environment variables that contain sensitive information. Implement filtering in your logging systems.

`javascript // Bad: This might log sensitive information console.log('Environment:', process.env);

// Good: Log only non-sensitive configuration const safeConfig = { nodeEnv: process.env.NODE_ENV, port: process.env.PORT, logLevel: process.env.LOG_LEVEL }; console.log('Configuration:', safeConfig); `

Client-Side Exposure: Never expose server-side environment variables to client-side code. Use separate configuration for frontend applications.

Insufficient Validation: Always validate and sanitize environment variables before use, especially when they affect security-critical functionality.

`javascript function validateConfig() { const requiredVars = ['DATABASE_URL', 'JWT_SECRET', 'API_KEY']; const missing = requiredVars.filter(name => !process.env[name]); if (missing.length > 0) { throw new Error(Missing required environment variables: ${missing.join(', ')}); } // Validate formats if (!process.env.DATABASE_URL.startsWith('postgresql://')) { throw new Error('DATABASE_URL must be a valid PostgreSQL connection string'); } if (process.env.JWT_SECRET.length < 32) { throw new Error('JWT_SECRET must be at least 32 characters long'); } } `

Monitoring and Debugging Environment Variables

Effective monitoring and debugging of environment variable configurations are crucial for maintaining reliable applications.

Environment Variable Debugging Tools

Environment Inspection Scripts:

`javascript // debug/env-check.js function checkEnvironment() { const requiredVars = [ 'NODE_ENV', 'DATABASE_URL', 'REDIS_URL', 'JWT_SECRET' ]; console.log('=== Environment Variable Check ==='); requiredVars.forEach(varName => { const value = process.env[varName]; const status = value ? '✓' : '✗'; const displayValue = varName.includes('SECRET') || varName.includes('PASSWORD') ? 'HIDDEN' : value; console.log(${status} ${varName}: ${displayValue || 'NOT SET'}); }); console.log('\n=== Optional Variables ==='); const optionalVars = ['DEBUG', 'LOG_LEVEL', 'FEATURE_FLAGS']; optionalVars.forEach(varName => { const value = process.env[varName]; if (value) { console.log( ${varName}: ${value}); } }); }

// Run check checkEnvironment(); `

Health Check Endpoints:

`javascript // routes/health.js app.get('/health', (req, res) => { const health = { status: 'ok', timestamp: new Date().toISOString(), environment: process.env.NODE_ENV, version: process.env.APP_VERSION || 'unknown', checks: { database: checkDatabaseConnection(), redis: checkRedisConnection(), externalApi: checkExternalApiConnection() } }; const allChecksPass = Object.values(health.checks).every(check => check.status === 'ok'); const statusCode = allChecksPass ? 200 : 503; res.status(statusCode).json(health); }); `

Conclusion

Environment variables are an essential component of modern application development, providing the foundation for secure, flexible, and maintainable software systems. From simple dotenv files in development to sophisticated secrets management in production, understanding how to properly implement and manage environment variables is crucial for any developer.

The key to success lies in adopting the right approach for each environment and use case. Development environments benefit from the simplicity of dotenv files, while production systems require robust secrets management solutions with encryption, access control, and audit capabilities.

As applications grow in complexity and security requirements become more stringent, investing in proper environment variable and secrets management pays dividends in terms of security, reliability, and operational efficiency. By following the best practices outlined in this guide and staying current with evolving tools and techniques, developers can build applications that are both secure and maintainable across their entire lifecycle.

Remember that environment variable management is not a one-time setup task but an ongoing responsibility that requires regular review, updates, and improvements as your application and infrastructure evolve. Start with simple solutions and gradually adopt more sophisticated approaches as your needs grow and your understanding deepens.

Tags

  • Configuration
  • deployment
  • dotenv
  • environment-variables
  • secrets-management

Related Articles

Popular Technical Articles & Tutorials

Explore our comprehensive collection of technical articles, programming tutorials, and IT guides written by industry experts:

Browse all 8+ technical articles | Read our IT blog

Environment Variables Guide: Dotenv, Secrets &amp; Deployment