At M47, security is one of our concerns across all our AI and cloud-native projects. That’s why we store all sensitive configurations in a secure and centralized place like the AWS SSM Parameter Store. While our repositories are private, that’s not enough. Secrets don’t belong in code.
We deliberately use Parameter Store over Secrets Manager because our needs don’t require secret rotation or tight lifecycle policies, and SSM gives us all the flexibility and control we need for storing tokens, API keys, and service credentials.
But then comes the friction:
Every time we onboard someone, clone a project, create/update a new CD pipeline, or adjust a Dockerfile, we have to manually fetch and sync secrets. This leads to overhead, mistakes, and inconsistencies between local and CD pipelines.
That’s why I built Envilder. A CLI tool to automate the generation of .env files from a single source of truth: AWS SSM.
It helps us:
- Keep secrets in one place (SSM)
- Stay consistent across teams and environments
- Avoid copy-pasting or writing fragile scripts
Since we often work with multiple AWS CLI profiles, Envilder also supports switching profiles easily to handle multi-account setups.
👉 GitHub repo
💡 What does it do?
Envilder reads a mapping file that links environment variable names to AWS SSM parameter paths. Then it fetches the values securely and writes a clean .env file.
🧩 Example
Your param-map.json might look like this:
{
  "DB_HOST": "/my-app/dev/DB_HOST",
  "DB_PASSWORD": "/my-app/dev/DB_PASSWORD"
}
Run:
envilder --map=param-map.json --envfile=.env
And you get:
DB_HOST=mydb.cluster-xyz.rds.amazonaws.com
DB_PASSWORD=supersecret
You can also use different AWS CLI profiles:
AWS_PROFILE=staging envilder --map=param-map.json --envfile=.env
👥 Why it helps teams
This small tool makes a big difference when:
- 🧑‍💻 Onboarding new team members: no more “what’s the DB password?”
- 🔄 Keeping environments in sync: any change in SSM is reflected across the team
- ⚙️ CI/CD pipelines always up-to-date: e.g. GitHub Actions, CodeBuild, GitLab
- 🧼 Centralized configuration: avoid duplication and keep secrets in one secure place
- 🧭 Supports multiple AWS profiles: ideal for multi-account or multi-env setups
✅ Features
- Works with SecureString and plain parameters
- CLI-first, fast, and script-friendly
- Compatible with any CI/CD system
- Supports static values and fallbacks
- AWS profile support (AWS_PROFILE)
📦 Install
npm install -g envilder
Or:
envilder --map=param-map.json --envfile=.env --profile=aws-account
🙌 I’d love your feedback
It’s still an early-stage project, but already helpful in several real-world teams.
If this sounds familiar, or you’ve solved this differently, I’d love to hear from you.