How to Use Dotenv and Why You Need It in All Your Projects
Enhance the security and portability of your code with proper environment variable management.
Whether you’re new to development or a seasoned veteran, one of the first libraries you may want to install in a new project is dotenv or one of its alternatives. One of a developer’s biggest worries is leaking a secret key, which can have significant financial consequences: anyone who finds the key can use the service at your expense.
During one of my past projects, I accidentally exposed my email service API key to my public repository. Fortunately, my service provider regularly scans public repositories as part of its security measures, and no one had discovered the leak before they did. After receiving their notification, I panicked and immediately deleted the public repository and revoked the API key. 🚒
However, the potential consequences are significant. For instance, what if someone had used my API key to send out millions of spam emails? It could have been devastating for me.😱
As a Node.js developer, I have made Dotenv my go-to solution for managing environment variables in all of my projects since then.
What is Dotenv?
Dotenv is a popular module for managing environment variables that loads configuration from a .env file into process.env. While Dotenv is a common choice, there are also many alternatives, and the right one depends on your project’s language and requirements. Some popular alternatives include python-dotenv, dotenv-safe, env-cmd, and config.
Regardless of the tool you choose, the goal is often the same: to separate sensitive configuration information from your code and store it securely in the environment.
Using Dotenv
For all its importance, Dotenv is surprisingly easy to use. Let me walk you through the process.
Install
To get started, you’ll need to install the npm package.
npm install dotenv
If you use git in your project, make sure the .gitignore file includes .env. If it doesn’t, add it before you create the file, so the .env file is never pushed to your repository when you commit changes. If a .env file has already been committed, removing it from the working tree is not enough: it remains in the repository history, so treat every secret it contained as exposed and rotate it.
Usage
Create a file named .env in the root directory of your project and add the environment variables that you want to keep out of your code (the values below are redacted). For example:
# .env (dotenv uses '#' for comments)
OPENAI_KEY_OLIVIA="sk-iy99bVupKpNOIly0XXXXXXXXXXXXXX"
UNSPLASH_KEY="PSC--NZmXcZNv41r0pDTOk3rF8XXXXXXXXXXXX"
Then, you can access them in your code by importing the Dotenv module and calling config() before anything reads process.env.
// import and configure dotenv before any code reads process.env
import dotenv from 'dotenv';
dotenv.config();
// access the loaded values through process.env
// (OpenAI and Unsplash are the SDK client classes you import separately)
const openai = new OpenAI(process.env.OPENAI_KEY_OLIVIA);
const unsplash = new Unsplash(process.env.UNSPLASH_KEY);
And there you have it! Your code reads its secrets from process.env instead of having them hard-coded, and the .env file stays out of version control. One caveat with ES modules: import statements are hoisted and evaluated before dotenv.config() runs, so a module imported above that reads process.env at import time will see undefined. In that case put import 'dotenv/config' as the very first import, which runs config() as a side effect of loading.
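Putting the steps above together, here is an added example (not code from the article or from the dotenv package) that reimplements the two things worth understanding at this point: what dotenv actually does with each line of a .env file, and whether a .gitignore really covers the root .env. The parser follows dotenv’s documented rules for comments, quoting, the export prefix and \n expansion inside double quotes. Both inputs are constructed for the demo and every value is a placeholder, not a real credential.

```javascript
// Added example (not from the article or the dotenv project): a minimal
// parser for the .env format dotenv reads, plus a check that a .gitignore
// really covers the root .env file. All inputs are constructed for the demo
// and every value is a placeholder, not a real credential.

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Parse the text of a .env file into a plain object. Handles blank lines,
// '#' comments, an optional `export ` prefix, single/double quoted values
// (with \n expanded inside double quotes, as dotenv does) and, for unquoted
// values, everything from the first '#' onward being treated as a comment.
function parseDotenv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // not KEY=VALUE: ignore it, as dotenv does
    let value = m[2];
    const quoted = /^(['"])(.*)\1$/.exec(value);
    if (quoted) {
      value = quoted[2];
      if (quoted[1] === '"') value = value.replace(/\\n/g, '\n');
    } else {
      value = value.split('#')[0].trim();
    }
    result[m[1]] = value;
  }
  return result;
}

// Return true if the .gitignore text ignores a root-level .env file.
// Recognises plain names, a leading '/', '*' globs and '!' negations
// (last matching rule wins). Patterns scoped to a subdirectory are skipped.
// This is a sanity check, not a full gitignore implementation.
function gitignoreCoversDotenv(gitignoreText) {
  let ignored = false;
  for (const rawLine of gitignoreText.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const negate = line.startsWith('!');
    const pattern = (negate ? line.slice(1) : line).replace(/^\//, '');
    if (pattern.includes('/')) continue;
    const re = new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$');
    if (re.test('.env')) ignored = !negate;
  }
  return ignored;
}

// Constructed sample inputs (placeholder values only).
const SAMPLE_DOTENV = [
  '# constructed sample .env',
  'OPENAI_KEY_OLIVIA="sk-placeholder-1234"',
  "export UNSPLASH_KEY='unsplash-placeholder'",
  'PORT=3000 # trailing comment is dropped',
  'GREETING="line1\\nline2"',
  'this line is not KEY=VALUE and is ignored',
].join('\n');
const SAMPLE_GITIGNORE = 'node_modules/\n.env\n.env.*\n';

// Preflight for a project: the parsed values plus whether .env is ignored.
function preflight(dotenvText, gitignoreText) {
  return {
    values: parseDotenv(dotenvText),
    envIgnored: gitignoreCoversDotenv(gitignoreText),
  };
}

const report = preflight(SAMPLE_DOTENV, SAMPLE_GITIGNORE);
console.log('keys:', Object.keys(report.values), 'envIgnored:', report.envIgnored);
```

If envIgnored comes back false, fix the .gitignore before the first commit. The parser also shows why a value that contains '#' has to be quoted: unquoted, everything from the first '#' is discarded, and a silently truncated key is a confusing failure to debug.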
Further use case
Once you have set up your .env and added it to your .gitignore, you can safely commit your codebase to GitHub and hand it to a CI/CD pipeline.
One typical use case is continuous deployment (CD) of a Node.js application to AWS Elastic Beanstalk through AWS CodePipeline.
In a standard AWS CodePipeline deployment, your codebase travels from your local machine to GitHub, and from GitHub to AWS Elastic Beanstalk on every commit. Because the .env file is ignored by git, it is never part of what travels; only the code that reads process.env is.
This lets you keep development values in the local .env used for development and testing, while production values are configured only as environment properties on Elastic Beanstalk, which exposes them to the application through process.env. There, dotenv.config() finds no .env file and leaves process.env untouched (it reports the missing file in its return value rather than throwing), and by default it never overrides a variable the environment has already set. The application therefore runs with the right configuration in each environment, and the secrets never leave the environment they belong to.
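To make the split between local and platform-provided configuration concrete, here is an added example (not the article’s or dotenv’s own code) that reproduces dotenv’s default rule that a .env value never overrides a variable the environment already set, and adds the fail-fast check for required keys that dotenv itself does not perform. It works on a plain object rather than process.env so it can be exercised without side effects. The scenarios, key names and values are constructed placeholders.

```javascript
// Added example (not the article's or dotenv's own code): how values read
// from a .env file should combine with what the platform already set, plus a
// fail-fast check for required keys. dotenv fills process.env only for keys
// that are not already present; applyDotenv reproduces that rule on a plain
// object. All scenarios and values below are constructed placeholders.

// Merge parsed .env values into `env` without overriding existing keys.
// Returns the keys that were skipped because the environment already set them.
function applyDotenv(env, dotenvValues) {
  const skipped = [];
  for (const [key, value] of Object.entries(dotenvValues)) {
    if (Object.prototype.hasOwnProperty.call(env, key)) {
      skipped.push(key);
      continue;
    }
    env[key] = value;
  }
  return skipped;
}

// Check that every required key is present and non-empty (an empty string
// counts as missing). The error names the missing keys but never echoes a
// value, so the message is safe to surface in logs.
function requireEnv(env, requiredKeys) {
  const missing = requiredKeys.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return Object.fromEntries(requiredKeys.map((k) => [k, env[k]]));
}

// Assemble configuration for one environment. In production the .env file is
// absent (it was never committed), so dotenvValues is empty and every value
// must come from the platform, e.g. Elastic Beanstalk environment properties.
function buildConfig({ env, dotenvValues = {}, required }) {
  const merged = { ...env };
  const skipped = applyDotenv(merged, dotenvValues);
  const config = requireEnv(merged, required);
  return { config, skipped };
}

const REQUIRED = ['OPENAI_KEY_OLIVIA', 'UNSPLASH_KEY'];

// Scenario 1: local development. The shell already set UNSPLASH_KEY, so the
// value in .env for that key is ignored; OPENAI_KEY_OLIVIA comes from .env.
const devLocal = buildConfig({
  env: { NODE_ENV: 'development', UNSPLASH_KEY: 'from-shell' },
  dotenvValues: { OPENAI_KEY_OLIVIA: 'sk-dev-placeholder', UNSPLASH_KEY: 'from-dotenv' },
  required: REQUIRED,
});

// Scenario 2: production with no .env and one platform property forgotten.
// Returns the error message (which names the key, not any value), or null.
function productionMissingKey() {
  try {
    buildConfig({
      env: { NODE_ENV: 'production', OPENAI_KEY_OLIVIA: 'sk-prod-placeholder' },
      required: REQUIRED,
    });
    return null;
  } catch (e) {
    return e.message;
  }
}

console.log('dev config keys:', Object.keys(devLocal.config), 'skipped:', devLocal.skipped);
console.log('production:', productionMissingKey());
```

Because dotenv.config() only reports a missing .env in its return value, a forgotten Elastic Beanstalk property would otherwise surface later as an authentication error from the API client; a requireEnv-style check at startup turns it into a clear failure before the application serves any traffic.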
Wrap Up
I hope you have learned from my past mistake and understand that properly managing your environment variables is a good practice, regardless of the size of your project. In addition, using a tool like Dotenv can make the process really easy and efficient.
Resources
- Dotenv GitHub repository
- AWS CodePipeline Documentation
More content at PlainEnglish.io.