Exporting to .env
This guide covers generating configuration files for deployment using exports and templates. These are the primary ways to get your secrets into running applications.
Exporting Secrets
The keep export command generates configuration files from your secrets in various formats, perfect for application deployment.
Basic Usage
bash
# Export to .env file
keep export --stage=production --output=.env
# Export as JSON
keep export --stage=local --format=json
# Export as CSV
keep export --stage=production --format=csv
# Export to stdout (default)
keep export --stage=stagingCommand Reference: keep export
| Option | Type | Default | Description |
|---|---|---|---|
--stage | string | interactive | Stage to export secrets from |
--vault | string | default vault | Vault to export secrets from |
--format | string | env | Output format: env, json, csv |
--file | string | stdout | Output file path |
--append | boolean | false | Append to output file instead of overwriting |
--overwrite | boolean | false | Overwrite output file without confirmation |
--only | string | Comma-separated list of keys to include | |
--except | string | Comma-separated list of keys to exclude |
Examples:
bash
# Basic .env export
keep export --stage=production --file=.env
# JSON export for configuration management
keep export --stage=production --format=json --file=config.json
# CSV export for spreadsheets
keep export --stage=production --format=csv --file=secrets.csv
# Export only API-related secrets
keep export --stage=production --only="API_*" --file=api.env
# Export all except certain keys
keep export --stage=production --except="PRIVATE_KEY,SECRET_TOKEN" --file=.env
# Export to stdout for piping
keep export --stage=production --format=json | jq '.API_KEY'Template-Based Export
The keep export --template command combines secrets with template files, allowing you to create complete configuration files with both secrets and static values.
Basic Usage
bash
# Merge template with secrets
keep export --template=.env.template --stage=production --file=.env
# Output to stdout
keep export --template=.env.template --stage=local
# Include all secrets beyond template placeholders
keep export --template=.env.template --stage=production --all --file=.envTemplate Options
| Option | Type | Default | Description |
|---|---|---|---|
--template | string | Template file with placeholders (required) | |
--all | boolean | false | Also append non-placeholder secrets |
--missing | string | fail | Handle missing secrets: fail, skip, blank, remove |
--format | string | env | Output format: env (preserves structure), json (parses data) |
Template Syntax
A template is a .env file where some of the values are placeholders in curly braces {}. For example:
bash
# Specify the vault slug and secret name
API_KEY={ssm:service-api-key}
# If the key name matches the secret name, you can omit the secret name
DB_PASSWORD={ssm}
# Multiple vaults are supported if configured
REDIS_URL={secretsmanager:REDIS_URL}Examples:
bash
# Basic template merge (preserves structure)
keep export --template=.env.template --stage=production --file=.env
# Handle missing secrets gracefully
keep export --template=.env.template --stage=local --missing=skip --file=.env
# Remove lines with missing secrets
keep export --template=.env.template --stage=staging --missing=remove --file=.env
# Template to JSON (parses and transforms data)
keep export --template=.env.template --stage=production --format=json --file=config.json
# Template with all additional secrets
keep export --template=.env.template --stage=production --all --file=.envCreating Templates
The template:add command generates template files from your existing secrets:
bash
# Create template from all secrets in a stage
keep template:add production.env --stage=production
# Create template from specific vault
keep template:add api.env --stage=production --vault=ssm
# Overwrite existing template
keep template:add config.env --stage=staging --overwriteTemplate Validation
Validate templates to ensure all placeholders can be resolved:
bash
# Validate template for a specific stage
keep template:validate app.template --stage=production
# Validate without specifying stage (checks all placeholders)
keep template:validate app.template