One model.
Your secrets.
Every runtime.
Define secret mappings once and resolve them consistently from AWS SSM, Azure Key Vault or GCP Secret Manager — locally with the CLI, in CI/CD with the GitHub Action, or at app startup with runtime SDKs.
$ npm install -g envilder
AWS SSM 
Azure Key Vault 
GitHub Actions 
npm Sponsors
Why secret management is broken
Every team, every stage, every runtime handles secrets differently. No standard. No consistency. No confidence.
Fragmented across tools
Local dev uses .env files. CI/CD reads from vault integrations. Production has its own method. Same app, different configuration workflows everywhere.
Secrets shared through unsafe channels
API keys sent over Slack, .env files committed to repos, wiki pages with plain-text credentials. A security incident waiting to happen.
Configuration drift is inevitable
No single source of truth for what secrets an app needs. Dev, staging, and production desync. Deployments fail. Nobody knows which config is correct.
One model, one source of truth
A single mapping file defines what secrets your app needs. Git-versioned. PR-reviewable. The same contract across every environment.
Consistent resolution everywhere
CLI for local dev, GitHub Action for CI/CD, runtime SDKs for app startup. Same mapping, same behavior, same result.
Your cloud, no middleman
AWS SSM, Azure Key Vault, or GCP. No SaaS proxy. Secrets stay in your infrastructure. Native IAM/RBAC access control.
Built for real teams
A configuration resolution system designed for security, consistency, and multi-runtime execution.
Single Mapping Model
One JSON contract defines all secrets. Git-versioned, PR-reviewable, diff-able across environments. The model is the product.
Runtime SDKs
Load secrets directly into memory at app startup — Python, .NET, TypeScript, Go, Java. No .env files written to disk. No secrets left behind.
Multi-Provider
AWS SSM, Azure Key Vault, and GCP Secret Manager (coming soon). Your cloud, your rules. No vendor lock-in.
GitHub Action
Pull secrets in CI/CD workflows. Same mapping, zero manual intervention. Drop-in integration.
Bidirectional Sync
Pull secrets to .env files or push .env values back to your cloud provider. Full round-trip support via CLI.
IAM & RBAC Access
Native cloud access control. AWS IAM policies or Azure RBAC define who reads what. No extra auth layer.
Fully Auditable
Every read and write is logged in AWS CloudTrail or Azure Monitor. Complete trace of who accessed what and when.
Zero Infrastructure
No servers, no proxies, no SaaS. Built on native cloud services you already use and pay for.
AWS Profile Support
Multi-account setups? Use --profile to switch between AWS CLI profiles. Perfect for multi-stage environments.
How it works
Define. Resolve. Ship.
Define the mapping model
A JSON file mapping env var names to cloud secret paths. Commit it. Review it in PRs. Diff it between environments. One model for every stage and runtime.
{
"DB_PASSWORD": "/my-app/prod/db-password",
"API_KEY": "/my-app/prod/api-key",
"SECRET_TOKEN": "/my-app/prod/secret-token"
}Resolve with the CLI
One command fetches every secret from your cloud vault and writes them to .env. Use it locally or in scripts. Same mapping, same behavior.
$ envilder --map=param-map.json --envfile=.env
✔ Fetched DB_PASSWORD → ···word
✔ Fetched API_KEY → ···key
✔ Fetched SECRET_TOKEN → ···oken
✔ Environment file written to .envLoad at runtime with SDKs
Skip the .env file entirely. Load secrets directly into your application at startup with native SDKs — Python, .NET, TypeScript, and more.
from envilder import Envilder
# One-liner: load secrets into os.environ
Envilder.load("param-map.json")
# Or resolve as a dict without injecting
secrets = Envilder.from_file("param-map.json").resolve()using Envilder;
// Load into IConfiguration
builder.Configuration.AddEnvilder("param-map.json");
// Or resolve + inject into environment
var client = new EnvilderClient();
var parsed = MapFileParser.Parse("param-map.json");
var secrets = await client.ResolveSecretsAsync(parsed);
EnvilderClient.InjectIntoEnvironment(secrets);Push from dev to the vault
Need to add or rotate a secret? Push values from your local environment back to the cloud provider. No console needed.
$ envilder --push --envfile=.env --map=param-map.json
✔ Pushed DB_PASSWORD → /my-app/prod/db-password
✔ Pushed API_KEY → /my-app/prod/api-key
✔ Pushed SECRET_TOKEN → /my-app/prod/secret-tokenSecrets stay in your vault
No intermediaries. Your cloud manages the storage, rotation, and access control. Envilder resolves — it never stores.
See it in action
Watch how Envilder simplifies secret management in under 2 minutes.
Your cloud. Your choice.
Envilder works with AWS SSM Parameter Store, Azure Key Vault, and GCP Secret Manager (coming soon). Configure inline or via CLI flags.
AWS SSM Parameter Store
{
"$config": {
"provider": "aws",
"profile": "prod-account"
},
"DB_PASSWORD": "/my-app/prod/db-password",
"API_KEY": "/my-app/prod/api-key"
} $ envilder --map=param-map.json --envfile=.env
- ✔ Supports GetParameter with WithDecryption
- ✔ AWS Profile support for multi-account
- ✔ IAM policy-based access control
- ✔ CloudTrail audit logging
Azure Key Vault
{
"$config": {
"provider": "azure",
"vaultUrl": "https://my-vault.vault.azure.net"
},
"DB_PASSWORD": "my-app-prod-db-password",
"API_KEY": "my-app-prod-api-key"
} $ envilder --provider=azure --vault-url=https://my-vault.vault.azure.net --map=param-map.json --envfile=.env
- ✔ Auto-normalizes secret names (slashes → hyphens)
- ✔ DefaultAzureCredential authentication
- ✔ Azure RBAC access control
- ✔ Azure Monitor audit logging
GCP Secret Manager
Coming soon{
"$config": {
"provider": "gcp",
"projectId": "my-project-id"
},
"DB_PASSWORD": "my-app-prod-db-password",
"API_KEY": "my-app-prod-api-key"
} $ envilder --provider=gcp --map=param-map.json --envfile=.env
- ✔ Google Cloud Secret Manager integration
- ✔ Application Default Credentials (ADC)
- ✔ IAM-based access control
- ✔ Cloud Audit Logs
Runtime SDKs
Load secrets directly into your application at startup. No .env files, no intermediaries — just your cloud vault and your code.
Python
AvailableLoad secrets with one line. Supports AWS SSM and Azure Key Vault.
pip install envilder.NET
AvailableNative IConfiguration integration. Resolve secrets at startup.
dotnet add package EnvilderGo
PlannedLightweight secret loading for Go services.
Java
PlannedSpring Boot and standalone Java support.
GitHub Action
Pull secrets at deploy time. Drop it into any workflow in minutes.
☁️ AWS SSM
- name: 🪙 Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
aws-region: us-east-1
- name: 🔐 Pull Secrets from AWS SSM
uses: macalbert/envilder/github-action@v0
with:
map-file: param-map.json
env-file: .env🔑 Azure Key Vault
- name: 🔑 Azure Login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: 🔐 Pull Secrets from Azure Key Vault
uses: macalbert/envilder/github-action@v0
with:
map-file: param-map.json
env-file: .env
provider: azure
vault-url: ${{ secrets.AZURE_KEY_VAULT_URL }}Action inputs
| Input | Required | Description |
|---|---|---|
map-file | Yes | Path to JSON file mapping env vars to secret paths |
env-file | Yes | Path to .env file to generate |
provider | No | Cloud provider: aws or azure (default: aws) |
vault-url | No | Azure Key Vault URL |
Output: env-file-path — Path to the generated .env file
What's new
Latest release highlights. Documentation website is live.
Documentation & Stability
- Documentation website launched at envilder.com — full guides, changelog, and multi-language docs
- Fixed: @types/node moved to devDependencies — no runtime bloat in installs
- Fixed: e2e test flakiness — unique SSM paths per test run prevent race conditions
What's next
Envilder is actively developed. Here's where we're headed.
Pull secrets to .env
Map env var names to cloud secret paths via JSON and generate .env files automatically
Push mode (--push)
Upload .env values or single secrets to cloud provider
GitHub Action
Use Envilder in CI/CD workflows natively
Multi-provider (AWS + Azure)
AWS SSM Parameter Store and Azure Key Vault support
Documentation website
Dedicated docs site with guides, examples, API reference
Python SDK (envilder)
Runtime library for Django/FastAPI/data pipelines. Published to PyPI
.NET SDK (Envilder)
Runtime library for enterprise apps and Azure-native shops. Published to NuGet
TypeScript SDK (@envilder/sdk)
Up nextNative runtime library — load secrets directly into process.env from a map-file. Published to npm
Go SDK (envilder)
Up nextRuntime library for cloud-native apps and Kubernetes tooling. Published as Go module
Java SDK (envilder)
Up nextRuntime library for Spring Boot and Android backends. Published to Maven Central
Exec mode (--exec)
Inject secrets into child process without writing to disk
GCP Secret Manager
Third cloud provider — completes the multi-cloud trident
AWS Secrets Manager
Support JSON-structured secrets alongside SSM Parameter Store
Check/sync mode (--check)
Validate cloud secrets vs local .env — fail CI if out-of-sync
Get started
Up and running in under a minute.
Prerequisites
- Node.js v20+
- AWS CLI configured (for AWS SSM)
- Azure CLI configured (for Azure Key Vault)
- IAM permissions:
ssm:GetParameter/ssm:PutParameter
Install
Quick start
- Create a param-map.json mapping env vars to secret paths
- Run envilder --map=param-map.json --envfile=.env
- Your .env file is ready ✔