{"id":24698623,"url":"https://github.com/faradayio/secretfile","last_synced_at":"2026-02-24T01:34:06.648Z","repository":{"id":136464917,"uuid":"57159452","full_name":"faradayio/Secretfile","owner":"faradayio","description":"Secretfile spec and resources for safely injecting secrets from stores like Vault into your app","archived":false,"fork":false,"pushed_at":"2016-04-26T23:35:24.000Z","size":2,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-10-28T20:45:37.301Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/faradayio.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-04-26T20:22:12.000Z","updated_at":"2016-04-26T21:19:52.000Z","dependencies_parsed_at":"2023-04-21T07:02:22.645Z","dependency_job_id":null,"html_url":"https://github.com/faradayio/Secretfile","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/faradayio/Secretfile","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faradayio%2FSecretfile","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faradayio%2FSecretfile/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faradayio%2FSecretfile/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faradayio%2FSecretfile/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/faradayio","download_url":"https://codeload.github.com/faradayio/Secretfile/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faradayio%2FSecretfile/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29766661,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T01:28:30.166Z","status":"ssl_error","status_checked_at":"2026-02-24T01:28:27.518Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-27T04:29:31.636Z","updated_at":"2026-02-24T01:34:06.642Z","avatar_url":"https://github.com/faradayio.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"![](http://s3.amazonaws.com/faraday-assets/wilsons-banner.svg)\n\n# Secretfile\n\nA simple, standard, open pattern for safely using secrets from secure stores like Vault in your applications.\n\n## Background\n\n**Applications need secrets**—API keys for integrated services, database credentials, etc. With any luck, you likely stopped including these secrets in your codebase long ago. If you follow the [twelve-factor app][12factor] pattern, you probably store passwords or other secrets in the environment and safely reference these environment variables in your app code.\n\n**But how do the secrets get put in the environment?** In simple cases, this can be part of a deploy process. But once your application deployment becomes more complex, it's much easier to store passwords in a central, secure store such as Hashicorp's [Vault][vault] or Square's [Keywhiz][keywhiz].\n\n**Now you have a new problem**: should you burden all of your applications with Vault-specific code? What if you switch backing stores, or use different methods in your development environment?\n\n## The Secretfile\n\nThe solution is to relay secrets from the store to the application in a standard way. Introducing the Secretfile:\n\n```\n# Secretfile\nAWS_ACCESS_KEY_ID     secrets/services/aws:id\nAWS_ACCESS_KEY_SECRET secrets/services/aws:secret\nPG_USERNAME           postgresql/$VAULT_ENV/creds/readonly:username\nPG_PASSWORD           postgresql/$VAULT_ENV/creds/readonly:password\n```\n\nIn the `AWS` examples, we're specifying that the secrets named on the left should be drawn from the corresponding Vault path on the right. In the `PG` examples, we show that Secretfile consumers will interpolate environment variables (`$VAR` or `${VAR}`) as needed.\n\n## Installation\n\n1. Create a file called `Secretfile` in your application directory following the format above.\n2. Make sure your secret store is set up in your environment. For example, Vault needs the `VAULT_ADDR` environment variable and a token in either `VAULT_TOKEN` or `~/.vault-token`.\n3. Make the specified secrets available to your application by using either a wrapper tool or a Secretfile client library.\n\n### Wrapper tools\n\n* **[credentials-to-env][c2e]**: Keep using 12factor-style environment variable references in your application to access secrets by translating the Secretfile into your environment. Written in highly portable Rust with static binaries available.\n\n```shell\n$ credentials-to-env myprogram arg1 arg2\n```\n\n### Libraries\n\n* **[credentials][credentials]**: Load secrets from your Secretfile into your Rust application.\n\n```rust\ncredentials::var(\"TOP_SECRET\").unwrap();\n```\n\n* **[SecretGarden][sg]**: Load secrets from your Secretfile into your Ruby application. Includes support for Rails.\n\n```ruby\nSecretGarden.add_backend :vault\ns3 = AWS::S3.new access_key_id: SecretGarden.fetch('AWS_ACCESS_KEY_ID')\n```\n\n### Credits and corporate support\n\n[![Faraday logo](https://s3.amazonaws.com/faraday-assets/files/img/logo.svg)](http://faraday.io)\n\n[Faraday](http://faraday.io) leads the Secretfile project and sponsors [credentials-to-env][c2e], [credentials][credentials], and [SecretGarden][sg].\n\n[12factor]: http://12factor.net/\n[vault]: https://www.vaultproject.io/\n[keywhiz]: https://square.github.io/keywhiz/\n[c2e]: https://github.com/faradayio/credentials_to_env\n[credentials]: https://github.com/emk/credentials\n[sg]: https://github.com/dkastner/secret_garden","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffaradayio%2Fsecretfile","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffaradayio%2Fsecretfile","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffaradayio%2Fsecretfile/lists"}