Your secrets.
One command.
Every environment.
A CLI tool and GitHub Action that securely centralizes your environment variables from AWS SSM, Azure Key Vault or GCP Secret Manager as a single source of truth. No more copy-pasting secrets.
$ npm install -g envilder
The problem with .env files
Managing secrets manually doesn't scale. It's insecure, error-prone, and creates friction for your entire team.
Desync between environments
Dev, staging, and prod have different secrets. Deployments fail. Nobody knows which .env is correct.
Secrets shared via Slack/email
API keys sent in plain text over chat. No audit trail. No rotation. A security incident waiting to happen.
Slow onboarding & rotations
New team member joins? Copy-paste a .env from somebody's machine. Someone rotates? Hope everyone updates manually.
Cloud-native source of truth
All secrets live in AWS SSM or Azure Key Vault. IAM/RBAC controls who can read what. Every access is logged.
One command, always in sync
Run envilder and your .env is regenerated from the source of truth. Idempotent. Instant. No room for drift.
Automated in CI/CD
Use the GitHub Action to pull secrets at deploy time. No secrets stored in repos. No manual steps in pipelines.
Built for real teams
Everything you need to manage environment secrets securely and at scale.
Multi-Provider
AWS SSM, Azure Key Vault, and GCP Secret Manager (coming soon). Choose with --provider or $config in your map file.
Bidirectional Sync
Pull secrets to .env files or push .env values back to your cloud provider. Full round-trip support.
GitHub Action
Drop-in Action for your CI/CD workflows. Pull secrets at deploy time with zero manual intervention.
IAM & RBAC Access
Leverage native cloud access control. AWS IAM policies or Azure RBAC define who reads what, per environment.
Fully Auditable
Every read and write is logged in AWS CloudTrail or Azure Monitor. Complete trace of who accessed what and when.
Idempotent Sync
Only what's in your mapping gets updated. Nothing else is touched. Run it ten times — same result, zero side effects.
Zero Infrastructure
Built on native cloud services. No Lambdas, no servers, no extra infrastructure to manage or pay for.
AWS Profile Support
Multi-account setups? Use --profile to switch between AWS CLI profiles. Perfect for multi-stage environments.
Runtime SDKs
Coming soon: load secrets directly into your app at startup (TypeScript, Python, Go, .NET, Java). No .env files, no intermediaries.
How it works
Define. Pull. Done.
Write a param-map.json
A JSON file mapping env var names to their SSM paths or Key Vault secret names. Commit it. Review it in PRs. Diff it between environments. It is the only config you need.
{
  "DB_PASSWORD": "/my-app/prod/db-password",
  "API_KEY": "/my-app/prod/api-key",
  "SECRET_TOKEN": "/my-app/prod/secret-token"
}
Run envilder
One command fetches every secret from your cloud vault and writes them to .env. No manual copying. No drift. Repeatable anywhere — locally, in CI, or on a new machine.
$ envilder --map=param-map.json --envfile=.env
✔ Fetched DB_PASSWORD → ···word
✔ Fetched API_KEY → ···key
✔ Fetched SECRET_TOKEN → ···oken
✔ Environment file written to .env
.env written. Secrets stay in the vault.
A clean .env file, generated on demand from live vault data. Use it locally, pull at deploy time with the GitHub Action, or skip the file entirely with --exec.
DB_PASSWORD=my-super-secret-password
API_KEY=sk_live_abc123def456
SECRET_TOKEN=tok_prod_xyz789
See it in action
Watch how Envilder simplifies secret management in under 2 minutes.
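Because the param-map.json from "How it works" is committed and reviewed in PRs, it can be linted before merge. The linter below is an added example, not part of Envilder: it checks an AWS SSM map for literal values committed in place of paths, paths outside the environment's prefix, invalid variable names and duplicate paths. The function name, the rules and the `expectedPrefix` convention are assumptions.

```javascript
// Added example: lint a param-map before it is merged. Not Envilder's code.
// The rules and the expectedPrefix convention are assumptions (AWS SSM maps).
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function lintParamMap(map, expectedPrefix) {
  const findings = [];
  const seen = new Map(); // secret path -> first env var that used it
  for (const [name, target] of Object.entries(map)) {
    if (name === "$config") continue; // provider settings, not a secret mapping
    if (!ENV_NAME.test(name)) {
      findings.push(`${name}: not a valid environment variable name`);
    }
    if (typeof target !== "string" || target.trim() === "") {
      findings.push(`${name}: value must be a non-empty secret path`);
      continue;
    }
    // The map lives in git, so it must hold references. The value is not echoed.
    if (!target.startsWith("/")) {
      findings.push(`${name}: value is not a path; possible literal secret`);
      continue;
    }
    // Catch a staging map that points at production parameters, or vice versa.
    if (!target.startsWith(expectedPrefix)) {
      findings.push(`${name}: ${target} is outside ${expectedPrefix}`);
    }
    if (seen.has(target)) {
      findings.push(`${name}: same path as ${seen.get(target)}`);
    } else {
      seen.set(target, name);
    }
  }
  return findings;
}

// Constructed sample: a staging map containing deliberate mistakes.
const sampleStagingMap = {
  $config: { provider: "aws", profile: "staging-account" },
  DB_PASSWORD: "/my-app/staging/db-password",
  API_KEY: "/my-app/prod/api-key", // wrong environment
  SECRET_TOKEN: "tok_prod_xyz789", // literal value, not a path
  "DB-PASSWORD-COPY": "/my-app/staging/db-password", // bad name, duplicate path
};

console.log(lintParamMap(sampleStagingMap, "/my-app/staging/").join("\n"));
```

Run as a CI step on pull requests that touch a map file, a non-empty result can fail the build before the map reaches an environment.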
Your cloud. Your choice.
Envilder works with AWS SSM Parameter Store, Azure Key Vault, and GCP Secret Manager (coming soon). Configure inline or via CLI flags.
AWS SSM Parameter Store
{
  "$config": {
    "provider": "aws",
    "profile": "prod-account"
  },
  "DB_PASSWORD": "/my-app/prod/db-password",
  "API_KEY": "/my-app/prod/api-key"
}
$ envilder --map=param-map.json --envfile=.env
- ✔ Supports GetParameter with WithDecryption
- ✔ AWS Profile support for multi-account
- ✔ IAM policy-based access control
- ✔ CloudTrail audit logging
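IAM policy-based access control is only as tight as the policy attached to the role that pulls. The added example below (not Envilder's code) derives a read-only policy that allows ssm:GetParameter on exactly the parameters named in a map, and flags resources in an existing policy that go beyond it. The function names, the account ID and the region are assumptions.

```javascript
// Added example, not Envilder's code. Function names, the account ID and the
// region below are assumptions; the map mirrors the AWS sample on this page.
function buildReadPolicy(map, region, accountId) {
  const arns = Object.entries(map)
    .filter(([name]) => name !== "$config") // provider settings, not a secret
    .map(([name, path]) => {
      if (typeof path !== "string" || !path.startsWith("/") || /[*?]/.test(path)) {
        throw new Error(`${name}: expected a full SSM path without wildcards`);
      }
      // Resource is "parameter" + name, so the leading slash is not doubled.
      return `arn:aws:ssm:${region}:${accountId}:parameter${path}`;
    });
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "ReadMappedParametersOnly",
      Effect: "Allow",
      Action: ["ssm:GetParameter"], // read only; PutParameter is a write action
      Resource: [...new Set(arns)].sort(),
    }],
  };
}

// Audit an existing policy: list Allow resources that exceed the map.
function overbroadResources(policy, map, region, accountId) {
  const allowed = new Set(buildReadPolicy(map, region, accountId).Statement[0].Resource);
  return policy.Statement
    .filter((s) => s.Effect === "Allow")
    .flatMap((s) => [].concat(s.Resource)) // Resource may be a string or a list
    .filter((arn) => !allowed.has(arn));
}

// Constructed inputs: placeholder account ID, region from the workflow sample.
const prodMap = {
  $config: { provider: "aws", profile: "prod-account" },
  DB_PASSWORD: "/my-app/prod/db-password",
  API_KEY: "/my-app/prod/api-key",
};
const existingPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "ssm:GetParameter",
    Resource: "arn:aws:ssm:us-east-1:123456789012:parameter/my-app/*" }],
};

console.log(JSON.stringify(buildReadPolicy(prodMap, "us-east-1", "123456789012"), null, 2));
console.log(overbroadResources(existingPolicy, prodMap, "us-east-1", "123456789012"));
```

SecureString parameters encrypted with a customer managed KMS key also need kms:Decrypt on that key, which this policy does not grant.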
Azure Key Vault
{
  "$config": {
    "provider": "azure",
    "vaultUrl": "https://my-vault.vault.azure.net"
  },
  "DB_PASSWORD": "my-app-prod-db-password",
  "API_KEY": "my-app-prod-api-key"
}
$ envilder --provider=azure --vault-url=https://my-vault.vault.azure.net --map=param-map.json --envfile=.env
- ✔ Auto-normalizes secret names (slashes → hyphens)
- ✔ DefaultAzureCredential authentication
- ✔ Azure RBAC access control
- ✔ Azure Monitor audit logging
GCP Secret Manager
Coming soon
{
  "$config": {
    "provider": "gcp",
    "projectId": "my-project-id"
  },
  "DB_PASSWORD": "my-app-prod-db-password",
  "API_KEY": "my-app-prod-api-key"
}
$ envilder --provider=gcp --map=param-map.json --envfile=.env
- ✔ Google Cloud Secret Manager integration
- ✔ Application Default Credentials (ADC)
- ✔ IAM-based access control
- ✔ Cloud Audit Logs
GitHub Action
Pull secrets at deploy time. Drop it into any workflow in minutes.
☁️ AWS SSM
- name: 🪙 Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v6
  with:
    role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
    aws-region: us-east-1
- name: 🔐 Pull Secrets from AWS SSM
  uses: macalbert/envilder/github-action@v0
  with:
    map-file: param-map.json
    env-file: .env
🔑 Azure Key Vault
- name: 🔑 Azure Login
  uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: 🔐 Pull Secrets from Azure Key Vault
  uses: macalbert/envilder/github-action@v0
  with:
    map-file: param-map.json
    env-file: .env
    provider: azure
    vault-url: ${{ secrets.AZURE_KEY_VAULT_URL }}
Action inputs
| Input | Required | Description |
|---|---|---|
| map-file | Yes | Path to JSON file mapping env vars to secret paths |
| env-file | Yes | Path to .env file to generate |
| provider | No | Cloud provider: aws or azure (default: aws) |
| vault-url | No | Azure Key Vault URL |
Output: env-file-path — Path to the generated .env file
What's new
Latest release highlights. Documentation website is live.
Documentation & Stability
- Documentation website launched at envilder.com — full guides, changelog, and multi-language docs
- Fixed: @types/node moved to devDependencies — no runtime bloat in installs
- Fixed: e2e test flakiness — unique SSM paths per test run prevent race conditions
What's next
Envilder is actively developed. Here's where we're headed.
Pull secrets to .env
Map env var names to cloud secret paths via JSON and generate .env files automatically
Push mode (--push)
Upload .env values or single secrets to cloud provider
GitHub Action
Use Envilder in CI/CD workflows natively
Multi-provider (AWS + Azure)
AWS SSM Parameter Store and Azure Key Vault support
Documentation website
Dedicated docs site with guides, examples, API reference
TypeScript SDK (@envilder/sdk)
Up next: Native runtime library that loads secrets directly into process.env from a map-file. Published to npm
Python SDK (envilder)
Up next: Runtime library for Django/FastAPI/data pipelines. Published to PyPI
Go SDK (envilder)
Up next: Runtime library for cloud-native apps and Kubernetes tooling. Published as Go module
.NET SDK (Envilder)
Up next: Runtime library for enterprise apps and Azure-native shops. Published to NuGet
Java SDK (envilder)
Up next: Runtime library for Spring Boot and Android backends. Published to Maven Central
Exec mode (--exec)
Inject secrets into child process without writing to disk
GCP Secret Manager
Third cloud provider — completes the multi-cloud trident
AWS Secrets Manager
Support JSON-structured secrets alongside SSM Parameter Store
Check/sync mode (--check)
Validate cloud secrets vs local .env — fail CI if out-of-sync
Get started
Up and running in under a minute.
Prerequisites
- Node.js v20+
- AWS CLI configured (for AWS SSM)
- Azure CLI configured (for Azure Key Vault)
- IAM permissions: ssm:GetParameter/ssm:PutParameter
Install
Quick start
- Create a param-map.json mapping env vars to secret paths
- Run envilder --map=param-map.json --envfile=.env
- Your .env file is ready ✔