Glossary

Environment Specific Secrets

Environment specific secrets is the term for using a unique set of secrets in each environment. This is facilitated by substituting environment variables for secrets in code. Through the use of environment variables, secrets with different values can be injected into the same code to configure the program differently. This allows the same code to be used in different environments, like staging, development, or production, without the program’s processes affecting any part of the other environments.

For example, if a program calls for access to a specific database, the team testing the code in development would not want their program to make calls to the database being used in production. Instead, the development team would inject an environment specific secret in place of that database URL, one that points to a test database, so they can work on the code without interfering with the other environment. This environment specific secret is injected at the same location in each environment, marked by its respective environment variable.

Keeping track of environment specific secrets is just as important as using them. This includes adopting intentional naming conventions for secrets and using proper documentation throughout the development process. Making sure configuration files are up-to-date for each team in each environment will ensure that builds are only using the appropriate secrets for their environment and not altering secrets that are supposed to be in a different environment.

To make the use of environment specific secrets possible, it’s similarly important to avoid poor development practices like hardcoding secrets. If a secret is written directly into code and not represented by an environment variable, the same secret will be used in every environment the code is passed to. Developers would then have to scan their code for hardcoded secrets and replace each one individually every time the code is moved to a new environment. Not only are hardcoded secrets a security risk, but they also prevent the use of environment specific secrets.
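The database example above, as an added sketch that is not part of the original glossary entry: the secret is read from an environment variable with no hardcoded fallback, and a value that belongs to another environment is rejected. The variable names `APP_ENV` and `DATABASE_URL`, the host names, and the per-environment allow-list are assumptions chosen for illustration.

```python
import os
from urllib.parse import urlsplit

# Assumed naming convention (hypothetical): APP_ENV names the environment and
# DATABASE_URL carries that environment's secret. Host names are constructed.
ALLOWED_DB_HOSTS = {
    "development": {"localhost", "db.dev.example.internal"},
    "staging": {"db.staging.example.internal"},
    "production": {"db.prod.example.internal"},
}


class SecretConfigError(RuntimeError):
    """A secret is missing or belongs to a different environment."""


def load_database_url(environ=os.environ):
    """Return DATABASE_URL only if it is set and valid for APP_ENV."""
    env = environ.get("APP_ENV")
    if env not in ALLOWED_DB_HOSTS:
        raise SecretConfigError(f"APP_ENV must be one of {sorted(ALLOWED_DB_HOSTS)}")
    url = environ.get("DATABASE_URL")
    if not url:
        # Fail closed: falling back to a hardcoded default would reuse one
        # secret in every environment the code is moved to.
        raise SecretConfigError(f"DATABASE_URL is not set for {env}")
    host = urlsplit(url).hostname
    if host not in ALLOWED_DB_HOSTS[env]:
        # Catches a production secret injected into a development build.
        raise SecretConfigError(f"DATABASE_URL host {host!r} is not allowed in {env}")
    return url


def redact(url):
    """Mask the password so the value can be logged or documented."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(f":{parts.password}@", ":***@", 1)
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    # Constructed sample environment; real values come from the deploy tooling.
    sample = {"APP_ENV": "development",
              "DATABASE_URL": "postgresql://app:s3cret@db.dev.example.internal:5432/app"}
    print(redact(load_database_url(sample)))
```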
