The death of the .env file

<p>Six months ago, I advocated for everyone to stop using .env files in favor of approaches using secret management platforms. Since then, I&rsquo;ve learned and experienced much more about how to manage environment variables effectively. In this article, I argue again for why we should reduce the practice of storing all environment variables in a&nbsp;<code>.env</code>&nbsp;file and move to a more sophisticated approach for managing them in local development.</p>
<p>Before you roast me, I want to make clear that&nbsp;<strong>my position is not that you have to ditch the .env file entirely</strong>. I&rsquo;m asserting that&nbsp;<strong>your application&rsquo;s environment variables should not be stored directly in a .env file</strong>. This doesn&rsquo;t mean, however, that you can&rsquo;t store a token in it that pulls in the rest of your environment variables at runtime.</p>
<p>I also, by the way, want to make clear that this article is intended for&nbsp;<strong>software development teams</strong>&nbsp;and not for security and DevOps teams that already have this figured out; it is also not intended for solo developers, who can feel free to use&nbsp;<code>.env</code>&nbsp;files.</p>
<h1>Don&rsquo;t fix what&rsquo;s not broken</h1>
<p>In the beginning, developers hardcoded environment variables into their codebase. After realizing that hardcoding them into source control was suboptimal, we introduced&nbsp;<code>.env</code>&nbsp;files for separation of concerns, that is, to split sensitive data from the rest of the code.</p>
<p>In practice, we&rsquo;d create a&nbsp;<code>.env</code>&nbsp;file, add environment variables to it, and&nbsp;<code>.gitignore</code>&nbsp;the file. We&rsquo;d start up our applications and read the environment variables into them in local development. Unfortunately, we still teach developers this as a staple of software development, and proponents tend to say &ldquo;don&rsquo;t fix what&rsquo;s not broken.&rdquo;</p>
<p>If you&rsquo;re one of these stubborn proponents, then stop reading; if you&rsquo;re open to improvement and breaking tradition, read on.</p>
<p><a href="https://medium.com/@tony.infisical/the-death-of-the-env-file-6d65bfc6ac5e">Website</a></p>
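<p>The token-only pattern the article describes, as an added example that is not from the article or its author: the <code>.env</code> file holds a single bootstrap token, a startup check rejects any other key, and the real secrets are fetched at runtime. The key name <code>SECRETS_TOKEN</code>, the sample values and the <code>fetch_secrets</code> client are assumptions (the client is a stand-in for whatever secret-management API a team uses).</p>

```python
"""Bootstrap-token .env: only a token lives in the file, secrets arrive at runtime."""
import os
import re

# Constructed sample: a .env that follows the article's advice (token only).
DOTENV_GOOD = "SECRETS_TOKEN=st.local.example-token\n"
# Constructed sample: a .env that stores application secrets directly.
DOTENV_BAD = ("SECRETS_TOKEN=st.local.example-token\n"
              "DB_PASSWORD=hunter2\n"
              "STRIPE_KEY=sk_test_x\n")

ALLOWED_KEYS = {"SECRETS_TOKEN"}  # assumed name of the bootstrap token
LINE_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_dotenv(text):
    """Parse KEY=value lines; skips blanks and comments, strips matching quotes."""
    values = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def disallowed_keys(values, allowed=ALLOWED_KEYS):
    """Keys that belong in the secret manager, not in the .env file."""
    return sorted(k for k in values if k not in allowed)


def fetch_secrets(token):
    """Hypothetical secret-manager client: a real one calls the platform API
    with the token. Here it returns constructed values for the demo."""
    if token != "st.local.example-token":
        raise PermissionError("token rejected by secret manager")
    return {"DB_PASSWORD": "from-secret-manager", "STRIPE_KEY": "sk_test_managed"}


def load_environment(dotenv_text, env=None):
    """Enforce the token-only policy, then inject fetched secrets into env."""
    env = os.environ if env is None else env
    values = parse_dotenv(dotenv_text)
    bad = disallowed_keys(values)
    if bad:
        raise ValueError(f"move these out of .env into the secret manager: {bad}")
    secrets = fetch_secrets(values["SECRETS_TOKEN"])
    env.update(secrets)
    return secrets
```

<p>Running <code>load_environment(DOTENV_BAD)</code> fails fast at startup, which turns the article's policy into something a team can enforce rather than remember.</p>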
Tags: .env Code