This recipe has become a recent standard in my
```
dumpenv:
  op inject --input env.example \
    --output .env
```
The env.example referred to looks like this:
```
DJANGO_DEBUG=True
DJANGO_SECRET_KEY=op://dev/lawsql/credential
CURATED_TOKEN=op://dev/lawsql/curated/token
LAWDATA_URL=op://dev/lawsql/lawdata/url
```
The secrets themselves are obviously absent from the file. Instead, it contains references to the actual secrets.
They're stored in a 1Password vault within my local machine. The op inject command grabs a copy of these secrets and "injects" them into the output .env.
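Because the template is the file that gets committed while .env is not, it is worth checking that it really holds only references before injecting. The following is an added example, not part of the original post: a POSIX shell lint that accepts `op://vault/item/field` and `op://vault/item/section/field` values and flags literal values under secret-looking keys. The function names and the key-name hint list are assumptions of this example.

```sh
#!/bin/sh
# Lint an env template before `op inject`: every value must be either a
# well-formed secret reference or a literal under a non-secret-looking key.

# Key-name hints are an assumption of this example; extend per project.
SECRET_HINT='SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|PRIVATE|API_?KEY'
# op://vault/item/field or op://vault/item/section/field
REF_RE='^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$'

# Prints one finding per line; returns 0 if clean, 1 otherwise.
lint_env_template() {
  _file=$1; _n=0; _bad=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    _n=$((_n + 1))
    case $_line in ''|'#'*) continue ;; esac   # blank line or comment
    if ! printf '%s\n' "$_line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*='; then
      echo "$_file:$_n: not KEY=VALUE"; _bad=1; continue
    fi
    _key=${_line%%=*}
    # Value with one pair of surrounding quotes removed.
    _val=$(printf '%s\n' "${_line#*=}" | sed "s/^[\"']//; s/[\"']\$//")
    case $_val in
      op://*)
        printf '%s\n' "$_val" | grep -Eq "$REF_RE" ||
          { echo "$_file:$_n: $_key: malformed secret reference"; _bad=1; } ;;
      '') ;;                                     # empty placeholder
      *)
        if printf '%s\n' "$_key" | grep -Eq "$SECRET_HINT"; then
          echo "$_file:$_n: $_key: literal value, expected op:// reference"
          _bad=1
        fi ;;
    esac
  done < "$_file"
  return "$_bad"
}

# Constructed sample: the first two lines follow the page's env.example,
# the last two are deliberately wrong (a literal token, a two-part reference).
demo_template() {
  cat <<'EOF'
DJANGO_DEBUG=True
DJANGO_SECRET_KEY=op://dev/lawsql/credential
CURATED_TOKEN=constructed-literal-token
LAWDATA_URL=op://dev/lawsql
EOF
}

# Stand-alone use: sh lint.sh env.example (the script name is hypothetical)
if [ -n "${1:-}" ]; then lint_env_template "$1"; fi
```

Running the lint as the first line of the dumpenv recipe stops the dump when the template has drifted; the generated .env still needs to stay out of version control.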
It would be nice to not dump these into the file and just use the references as is, but this takes too much time in practice. For instance, I could use the op run invocation:
```sh
# Sample use in Django
op run --env-file="./env.example" \
  -- python manage.py runserver
```
But there would be some annoying seconds of delay. The seconds add up.
I can see myself using a variant of secrets management for more involved projects but for smaller ones, I like the simple ability to dump from a central and local store. The definitive benefit to me is being able to collect all secrets for a given project and organize them securely, e.g. "all project X secrets go here". I'd rather not rely on a text file. Or worse, a shareable file like Google Docs. So it's a matter of taking a few minutes to create a 1Password item and creating sections for grouped data.