Environment file processor with extensible secret providers
Project description
use-env
use-env > use_env > providers > tests > .github > docs > examples
Summary
Environment file processor with extensible secret providers.
use-env is a CLI tool for developers that processes environment files with secret references and resolves them from various providers (vault, environment variables, files, etc.).
Features
- Extensible Provider System: Add custom providers for any secret source
- Built-in Providers: Support for environment variables and files (no external dependencies)
- Optional Cloud Providers: Azure, AWS, GCP, HashiCorp Vault, 1Password (install only what you need)
- Configuration: YAML-based configuration for custom providers
- Type Safety: Written in Python with full type annotations
- Test Coverage: Comprehensive test suite
Installation
# Core package only (env and file providers)
pip install env-use
# Or using uv
uv pip install env-use
Optional Cloud Providers
Install only the providers you need:
# Azure Key Vault (Python SDK)
pip install env-use[azure]
# AWS Secrets Manager
pip install env-use[aws]
# Google Cloud Secret Manager
pip install env-use[gcp]
# HashiCorp Vault
pip install env-use[vault]
# 1Password Connect
pip install env-use[1password]
# All cloud providers
pip install env-use[all]
Quick Start
Basic Usage
# Process .env.dev and output .env
use-env .env.dev
# Specify output file
use-env .env.prod -o .env.production
# List available providers
use-env --list-providers
Environment File Example
Create a .env.dev file:
# Regular values
DATABASE_HOST=localhost
DATABASE_PORT=5432
# Environment variable reference
API_KEY=${env:MY_API_KEY}
# File-based secret (Docker secrets, etc.)
DB_PASSWORD=${file:/run/secrets/db_password}
# Azure Key Vault (requires env-use[azure])
# Format: ${azure-keyvault:<vault_name>/<secret_name>}
SECRET_KEY=${azure-keyvault:my-keyvault/db-password}
# AWS Secrets Manager (requires env-use[aws])
# Format: ${aws-secrets:<region>/<secret_name>}
DB_PASSWORD=${aws-secrets:us-east-1/my-app/database}
# GCP Secret Manager (requires env-use[gcp])
# Format: ${gcp-secrets:<project_id>/<secret_name>}
API_KEY=${gcp-secrets:my-project/api-key}
# HashiCorp Vault (requires env-use[vault])
# Format: ${vault:<mount_point>/<path>}
DB_PASSWORD=${vault:secret/my-app/database}
# 1Password (requires env-use[1password])
# Format: ${1password:<vault_id>/<item_id>/<field>}
API_KEY=${1password:vault-id/item-id/api-key}
Run the tool:
use-env .env.dev
This will create a .env file with all references resolved.
Piping Support
The tool supports piping for flexible workflows:
# Pipe input from stdin, output to stdout
cat .env.dev | use-env
# Pipe input, save output to file
cat .env.dev | use-env > .env
# Pipe output to another command
use-env .env.prod | grep DB_HOST
# Chain with other tools
cat .env.staging | use-env | jq '.DATABASE_'
When input comes from stdin, output automatically goes to stdout. This enables standard Unix workflows.
Core Providers (No Extra Dependencies)
Environment Provider (env)
Reference environment variables:
API_KEY=${env:API_KEY}
File Provider (file)
Read secrets from files:
# Absolute path
DB_PASSWORD=${file:/run/secrets/db_password}
# Relative path (relative to config or current directory)
API_KEY=${file:./secrets/api_key.txt}
Optional Cloud Providers
Azure Key Vault (azure-keyvault)
Requires: pip install env-use[azure]
# Format: ${azure-keyvault:<vault_name>/<secret_name>}
DB_PASSWORD=${azure-keyvault:my-keyvault/db-password}
Configuration (in .use-env.yaml):
providers:
- name: azure
type: azure-keyvault
enabled: true
config:
tenant_id: "your-tenant-id" # Optional, uses default credential
client_id: "your-client-id" # Optional
client_secret: "your-secret" # Optional
AWS Secrets Manager (aws-secrets)
Requires: pip install env-use[aws]
# Format: ${aws-secrets:<region>/<secret_name>}
DB_PASSWORD=${aws-secrets:us-east-1/my-app/database}
Configuration:
providers:
- name: aws
type: aws-secrets
enabled: true
config:
region: "us-east-1" # Optional, uses default session
profile: "my-aws-profile" # Optional
GCP Secret Manager (gcp-secrets)
Requires: pip install env-use[gcp]
# Format: ${gcp-secrets:<project_id>/<secret_name>}
API_KEY=${gcp-secrets:my-project/api-key}
Configuration:
providers:
- name: gcp
type: gcp-secrets
enabled: true
config:
project_id: "my-gcp-project" # Optional, uses default
HashiCorp Vault (vault)
Requires: pip install env-use[vault]
# Format: ${vault:<mount_point>/<path>}
DB_PASSWORD=${vault:secret/my-app/database}
DB_HOST=${vault:secret/my-app/host} # Returns specific field if secret is JSON
Configuration:
providers:
- name: vault
type: vault
enabled: true
config:
url: "http://127.0.0.1:8200" # Optional, uses VAULT_ADDR env var
token: "your-vault-token" # Optional, uses VAULT_TOKEN env var
namespace: "your-namespace" # Optional, for Enterprise Vault
mount_point: "secret" # Optional, default mount point
1Password Connect (1password)
Requires: pip install env-use[1password]
# Format: ${1password:<vault_id>/<item_id>/<field>}
API_KEY=${1password:vault-uuid/item-uuid/api-key}
Configuration:
providers:
- name: onepassword
type: 1password
enabled: true
config:
connect_url: "http://localhost:8080" # Optional, uses OP_CONNECT_HOST
connect_token: "your-token" # Optional, uses OP_CONNECT_TOKEN
Configuration
Create a .use-env.yaml file to configure providers:
providers:
- name: azure
type: azure-keyvault
enabled: true
config:
tenant_id: "your-tenant-id"
- name: aws
type: aws-secrets
enabled: true
config:
region: "us-east-1"
options:
strict: true
verbose: 1
Adding Custom Providers
See Provider Development Guide for detailed instructions.
Documentation
- Architecture - Internal design and components
- Provider Development - Guide for creating custom providers
- Usage Guide - Detailed usage instructions
Testing
# Run all tests
pytest
# Run with coverage
pytest --cov=use_env
# Run specific test file
pytest tests/test_providers.py
CI/CD
This project uses GitHub Actions for continuous integration and deployment:
Pull Requests
- Runs on Python 3.12 and 3.13
- Ruff linting and formatting checks
- MyPy type checking
- Pytest with coverage
- Coverage uploaded to Codecov
Releases
- Automatically versions using python-semantic-release
- Maintains a release PR branch from
main/master - Pushes a new version tag when a release PR is merged
- Publishes to PyPI and creates a GitHub Release on version tags
Commit Convention
This project uses Conventional Commits:
feat: add new provider
fix: resolve caching issue
docs: update documentation
See CONTRIBUTING.md for detailed guidelines.
License
MIT License - see LICENSE file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file env_use-1.0.0.tar.gz.
File metadata
- Download URL: env_use-1.0.0.tar.gz
- Upload date:
- Size: 148.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
10dac941828172871834c797fbab39376d3f54626c5248515f1db2cedb8963cc
|
|
| MD5 |
295d84aea6fecd93cc37b8dc4ee50e1f
|
|
| BLAKE2b-256 |
9dcfc8094e316f9cec5904b8ea4f3811c8aaa562031912a59f44e4e4b71876a2
|
File details
Details for the file env_use-1.0.0-py3-none-any.whl.
File metadata
- Download URL: env_use-1.0.0-py3-none-any.whl
- Upload date:
- Size: 27.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1eb72ac9f6b2fc441900a268656b82201e1847c1f24d532117a41af9c5cb8618
|
|
| MD5 |
d5d9cc876d0bdece13bd0640a4c08523
|
|
| BLAKE2b-256 |
eac23b15fd8f1c0a5f225f9b68d163e385ab1f71eca95e4cc1e18a82bb573008
|