Load Secrets from env.yml
As we had previously mentioned, we do not want to store our secret environment variables in our code. In our case it is the Stripe secret key. In this chapter, we’ll look at how to do that.
We have an env.example file for this exact purpose.
Start by renaming the env.example file to env.yml and replace its contents with the following.
# Add the environment variables for the various stages
prod:
  stripeSecretKey: "STRIPE_PROD_SECRET_KEY"
default:
  stripeSecretKey: "STRIPE_TEST_SECRET_KEY"
Make sure to replace the STRIPE_PROD_SECRET_KEY and STRIPE_TEST_SECRET_KEY with the Secret key from the Setup a Stripe account chapter. In our case we only have the test versions of the Stripe Secret key, so both these will be the same.
Next, let’s add a reference to these.
Add the following in the custom: block of serverless.yml.
# Load our secret environment variables based on the current stage.
# Fallback to default if it is not in prod.
environment: ${file(env.yml):${self:custom.stage}, file(env.yml):default}
The custom: block of our serverless.yml should look like the following:
custom:
  # Our stage is based on what is passed in when running serverless
  # commands. Or falls back to what we have set in the provider section.
  stage: ${opt:stage, self:provider.stage}
  # Set our DynamoDB throughput for prod and all other non-prod stages.
  tableThroughputs:
    prod: 5
    default: 1
  tableThroughput: ${self:custom.tableThroughputs.${self:custom.stage}, self:custom.tableThroughputs.default}
  # Load our webpack config
  webpack:
    webpackConfig: ./webpack.config.js
    includeModules: true
  # Load our secret environment variables based on the current stage.
  # Fallback to default if it is not in prod.
  environment: ${file(env.yml):${self:custom.stage}, file(env.yml):default}
And add the following in the environment: block in your serverless.yml.
stripeSecretKey: ${self:custom.environment.stripeSecretKey}
Your environment: block should look like this:
# These environment variables are made available to our functions
# under process.env.
environment:
  tableName:
    Ref: NotesTable
  stripeSecretKey: ${self:custom.environment.stripeSecretKey}
A quick explanation on the above:
- We are loading a custom variable called environment from the env.yml file. This is based on the stage (we are deploying to) using file(env.yml):${self:custom.stage}. But if that stage is not defined in the env.yml then we fall back to loading everything under the default: block using file(env.yml):default. So Serverless Framework checks if the first is available before falling back to the second.
- We then use this to add it to our environment variables by adding stripeSecretKey to the environment: block using ${self:custom.environment.stripeSecretKey}. This makes it available as process.env.stripeSecretKey in our Lambda functions. You’ll recall this from the previous chapter.
Commit Our Changes
Now we need to ensure that we don’t commit our env.yml file to git. The starter project that we are using has the following in the .gitignore.
# Env
env.yml
This will tell Git to not commit this file.
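A .gitignore rule only applies to files Git is not already tracking, so an env.yml that was added before the rule existed would still be committed by git add. The following check is an added example, not part of the original chapter or the starter project; the function names are hypothetical, and the Stripe key pattern assumes the sk_test_ / sk_live_ prefixes that Stripe secret keys carry.

```shell
# Added example: guards to run (or source from a pre-commit hook) before
# committing the project that holds env.yml.

# Returns 0 when FILE is safe to keep next to the code:
#   - it is not already in the index (ignore rules do not untrack files), and
#   - a .gitignore rule matches it.
# Prints the reason to stderr and returns 1 otherwise.
secret_file_is_safe() {
  file="${1:-env.yml}"

  if git ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
    echo "UNSAFE: $file is tracked; run: git rm --cached $file" >&2
    return 1
  fi
  if ! git check-ignore -q -- "$file"; then
    echo "UNSAFE: $file is not matched by any .gitignore rule" >&2
    return 1
  fi
  return 0
}

# Returns 0 when no staged line adds something that looks like a Stripe
# secret key, wherever it was pasted (env.yml, serverless.yml, handler code).
staged_has_no_stripe_key() {
  if git diff --cached -U0 | grep -Eq '^\+.*sk_(test|live)_[0-9A-Za-z]+'; then
    echo "UNSAFE: staged changes contain a Stripe secret key" >&2
    return 1
  fi
  return 0
}

# Typical use after `git add .`:
#   secret_file_is_safe env.yml && staged_has_no_stripe_key && git commit ...
```

If either check fails and the key was ever committed or pushed, treat it as exposed and roll a new one in the Stripe dashboard rather than only removing the file.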
Next let’s commit the rest of our changes.
$ git add .
$ git commit -m "Adding stripe environment variable"
Now we are ready to test our billing API.