Standardize how
your apps consume
secrets.
Stop reinventing secret loading in every project. Define one environment contract and resolve it everywhere.
$ npm install -g envilder
AWS SSM 
Azure Key Vault 
GitHub Actions 
npm 
Why secret management is broken
Every team, every stage, every runtime handles secrets differently. No standard. No consistency. No confidence.
Fragmented across tools
Local dev uses .env files. CI/CD reads from vault integrations. Production has its own method. Same app, different configuration workflows everywhere.
Secrets shared through unsafe channels
API keys sent over Slack, .env files committed to repos, wiki pages with plain-text credentials. A security incident waiting to happen.
Configuration drift is inevitable
No single source of truth for what secrets an app needs. Dev, staging, and production desync. Deployments fail. Nobody knows which config is correct.
Why Envilder?
Envilder is a resolution layer over your existing secret manager. Secrets stay in your cloud. The JSON mapping is just the contract that keeps every environment consistent.
Zero Infrastructure
No servers, no proxies, no SaaS middleman. Built on AWS SSM and Azure Key Vault, services you already use and pay for.
One File, All Secrets
A single JSON contract defines every secret for every environment. Git-versioned, PR-reviewable, diff-able. Your team reviews secret changes in the same PR as the code.
Safe Secret Rotation
Rotate values in AWS SSM or Azure Key Vault. Every consumer (local, CI/CD, and runtime) resolves the new value automatically. No .env rewrites, no pipeline changes.
Multi-Cloud, No Lock-in
AWS SSM, Azure Key Vault, GCP Secret Manager (coming soon). Switch providers without changing your app code. Your cloud, your rules.
Also included
How it works
Define. Resolve. Ship.
Define the mapping model
A JSON file mapping env var names to cloud secret paths. Commit it. Review it in PRs. Diff it between environments. One model for every stage and runtime.
{
"DB_PASSWORD": "/my-app/prod/db-password",
"API_KEY": "/my-app/prod/api-key",
"SECRET_TOKEN": "/my-app/prod/secret-token"
}Resolve with the CLI
One command fetches every secret from your cloud vault and writes them to .env. Use it locally or in scripts. Same mapping, same behavior.
$ envilder --map=envilder.json --envfile=.env
✔ Fetched DB_PASSWORD → ···word
✔ Fetched API_KEY → ···key
✔ Fetched SECRET_TOKEN → ···oken
✔ Environment file written to .envLoad at runtime with SDKs
Skip the .env file entirely. Load secrets directly into your application at startup with native SDKs: Python, .NET, Node.js, and more.
pip install envilderfrom envilder import Envilder, SecretProviderType
# One-liner: load secrets into os.environ
Envilder.load("envilder.json")
# Or resolve as a dict without injecting
secrets = Envilder.resolve_file("envilder.json")
# Fluent builder with provider override
secrets = (
Envilder.from_map_file("envilder.json")
.with_provider(SecretProviderType.AZURE)
.with_vault_url("https://my-vault.vault.azure.net")
.inject()
)dotnet add package Envilderusing Envilder;
var builder = WebApplication.CreateBuilder(args);
// Load secrets into IConfiguration
builder.Configuration.AddEnvilder("envilder.json");
// Register EnvilderClient in DI
builder.Services.AddEnvilder("envilder.json");
// --- Or standalone (no ASP.NET) ---
// One-liner: resolve + inject into Environment
Env.Load("envilder.json");
// Fluent builder with provider override
Env.FromMapFile("envilder.json")
.WithProvider(SecretProviderType.Azure)
.WithVaultUrl("https://my-vault.vault.azure.net")
.Inject();npm install @envilder/sdkimport { Envilder, SecretProviderType } from '@envilder/sdk';
// One-liner: resolve + inject into process.env
await Envilder.load('envilder.json');
// Or resolve as a Map without injecting
const secrets = await Envilder.resolveFile('envilder.json');
// Fluent builder with provider override
const override = await Envilder.fromMapFile('envilder.json')
.withProvider(SecretProviderType.Azure)
.withVaultUrl('https://my-vault.vault.azure.net')
.inject();Push from dev to the vault
Need to add or rotate a secret? Push values from your local environment back to the cloud provider. No console needed.
$ envilder --push --envfile=.env --map=envilder.json
✔ Pushed DB_PASSWORD → /my-app/prod/db-password
✔ Pushed API_KEY → /my-app/prod/api-key
✔ Pushed SECRET_TOKEN → /my-app/prod/secret-tokenSecrets stay in your vault
No intermediaries. Your cloud manages the storage, rotation, and access control. Envilder resolves. It never stores.
See it in action
Watch how Envilder simplifies secret management in under 2 minutes.
Your cloud. Your choice.
Envilder works with AWS SSM Parameter Store, Azure Key Vault, and GCP Secret Manager (coming soon). Configure inline or via CLI flags.
AWS SSM Parameter Store
{
"$config": {
"provider": "aws",
"profile": "prod-account"
},
"DB_PASSWORD": "/my-app/prod/db-password",
"API_KEY": "/my-app/prod/api-key"
} $ envilder --map=envilder.json --envfile=.env
- ✔ Supports GetParameter with WithDecryption
- ✔ AWS Profile support for multi-account
- ✔ IAM policy-based access control
- ✔ CloudTrail audit logging
Azure Key Vault
{
"$config": {
"provider": "azure",
"vaultUrl": "https://my-vault.vault.azure.net"
},
"DB_PASSWORD": "my-app-prod-db-password",
"API_KEY": "my-app-prod-api-key"
} $ envilder --provider=azure --vault-url=https://my-vault.vault.azure.net --map=envilder.json --envfile=.env
- ✔ Auto-normalizes secret names (slashes → hyphens)
- ✔ DefaultAzureCredential authentication
- ✔ Azure RBAC access control
- ✔ Azure Monitor audit logging
GCP Secret Manager
Coming soon{
"$config": {
"provider": "gcp",
"projectId": "my-project-id"
},
"DB_PASSWORD": "my-app-prod-db-password",
"API_KEY": "my-app-prod-api-key"
} $ envilder --provider=gcp --map=envilder.json --envfile=.env
- ✔ Google Cloud Secret Manager integration
- ✔ Application Default Credentials (ADC)
- ✔ IAM-based access control
- ✔ Cloud Audit Logs