• 🔒 Strict access control - AWS IAM policies control who accesses which secrets (dev vs prod)
• 📊 Full audit trail - All parameter access is logged in CloudTrail for compliance requirements
• 🧩 Single source of truth - No more copying .env files from Notion or emails - SSM is your only source
• 🔁 Idempotent operations - Overwrites values in your .env file only for variables defined in your mapping file, using the latest from SSM. Variables not in the mapping file are preserved. Safe for automation.
• ⚙️ Environment-aware - Use templates like /project/${ENV}/DB_PASSWORD to dynamically fetch the right secrets
• 🧱 No extra infrastructure - Uses AWS SSM's existing reliability instead of additional secret managers

# Install globally
npm install -g envilder

# Create a simple mapping file
echo '{"DB_PASSWORD": "/my-app/db/password"}' > param-map.json

# Generate your .env file
envilder --map=param-map.json --envfile=.env

- Secrets committed to repos
- Manual .env file updates
- Inconsistent environments
- Password sharing via chat/email
- CI/CD secrets management pain

- Secrets stored securely in AWS SSM
- Automated .env file generation
- Consistent environments
- No need to share raw credentials
- Simple CI/CD integration

• 🔐 No more secrets in git - Store credentials in AWS SSM Parameter Store instead of version control
• 🤖 Automate everything - One command to generate your .env files across all environments
• 🔄 Always in sync - Keep your local, dev, and production environments consistent
• 🏎️ Fast to set up - Configure once, then generate .env files with a single command
• 🪶 Simple but powerful - Easy interface with support for encrypted parameters and multiple AWS profiles

Envilder is the tool you need if you:

• 👥 Work in a development team - Ensure everyone has the same environment without sharing raw secrets
• 🔑 Deal with API keys & tokens - Securely store and retrieve sensitive credentials
• ⚙️ Run CI/CD pipelines - Automatically generate environment files during deployments
• ☁️ Use AWS already - Leverage your existing AWS infrastructure more effectively
• 🌐 Manage multiple environments - Switch easily between dev, staging, and production

graph LR
    A[Mapping File] --> B[Envilder]
    C[AWS Credentials] --> B
    B --> D[.env File]
    E[SSM Parameters] --> B

1. 📖 Define your mapping - Simple JSON mapping env vars to SSM paths
2. 🚀 Run Envilder - One command with your mapping file
3. 🔄 Auto-fetch from AWS - Retrieves values using your AWS credentials
4. 💾 Get your .env file - Ready to use in your project

You'll need:

• ✅ AWS CLI - Installed and configured with proper permissions to access SSM Parameter Store
• ✅ Node.js - Version 20.0.0 or higher (as specified in package.json)

1. Install the AWS CLI by following the official instructions.

2. After installation, configure the AWS CLI:

   aws configure

   You'll be prompted to provide:

   • AWS Access Key ID
   • AWS Secret Access Key
   • Default region name (e.g., us-east-1)
   • Default output format (e.g., json)

   Make sure your AWS credentials have the appropriate permissions to access the SSM Parameter Store.

# Using npm
npm install -g envilder

# Using yarn
yarn global add envilder

envilder --map=<mapping-file> --envfile=<output-file> [--profile=<aws-profile>]

1. Create a mapping file param-map.json:

   {
     "SECRET_TOKEN": "/path/to/ssm/token",
     "SECRET_KEY": "/path/to/ssm/password"
   }

2. Generate your .env file:

   envilder --map=param-map.json --envfile=.env

3. Use a specific AWS profile:

   envilder --map=param-map.json --envfile=.env --profile=dev-account

For multiple AWS accounts or environments, configure different profiles in your AWS credentials file:

1. Edit your AWS credentials file (typically located at ~/.aws/credentials on Linux/Mac or %USERPROFILE%\.aws\credentials on Windows):

   [default]
   aws_access_key_id=YOUR_DEFAULT_ACCESS_KEY
   aws_secret_access_key=YOUR_DEFAULT_SECRET_KEY
   
   [dev-account]
   aws_access_key_id=YOUR_DEV_ACCESS_KEY
   aws_secret_access_key=YOUR_DEV_SECRET_KEY
   
   [prod-account]
   aws_access_key_id=YOUR_PROD_ACCESS_KEY
   aws_secret_access_key=YOUR_PROD_SECRET_KEY

2. Specify which profile to use:

   # Development environment
   envilder --map=param-map.json --envfile=.env.development --profile=dev-account
   
   # Production environment
   envilder --map=param-map.json --envfile=.env.production --profile=prod-account

Envilder works brilliantly with environment variables for dynamic parameter paths:

1. Set up your SSM parameters with environment-specific paths:

   /project/dev/DB_PASSWORD
   /project/stage/DB_PASSWORD
   /project/prod/DB_PASSWORD
   

2. Create a template-based mapping file env-map.json:

   {
     "DB_PASSWORD": "/project/${ENV}/DB_PASSWORD"
   }

3. Generate environment-specific .env files:

   # Development
   $env:ENV = "dev"
   envilder --map=env-map.json --envfile=.env.dev
   
   # Staging 
   $env:ENV = "stage"
   envilder --map=env-map.json --envfile=.env.stage
   
   # Production
   $env:ENV = "prod" 
   envilder --map=env-map.json --envfile=.env.prod --profile=prod-account

This approach ensures the right variables are pulled for each environment with minimal configuration.

SECRET_TOKEN[email protected]
SECRET_KEY=mockedPassword

Envilder eliminates common problems in development teams:

• 🛑 No more "it works on my machine" - Everyone uses the exact same environment variables from the same source
• 🔄 Always fresh credentials - Update a secret in SSM and everyone gets it automatically on next run
• 🛡️ Access control built-in - Developers only see dev secrets, CI/CD systems see what they need
• 🧠 Zero mental overhead - No need to remember which variables are needed - the mapping defines everything
• 🚫 No more sharing secrets - Stop pasting credentials in Slack, email, or Notion documents
• 📋 Compliance ready - All accesses are logged in AWS CloudTrail for auditing

yarn test

Check the current coverage report: Coverage Report

This project is licensed under the MIT License - see the LICENSE file for details.

Contributions are welcome! Feel free to submit issues and pull requests.