
Usage Examples

Docker

EnvVault provides two purpose-built CLI commands for Docker workflows: envv docker-env emits an env-file, and envv docker-run wraps any docker / compose invocation. See the CLI Docker guide for the full flag reference.

Single Container

# Generate an env-file and run a container with it
envv docker-env -e production > .env.prod
docker run --rm --env-file=.env.prod my-image:latest

# Or wrap it in one shot
envv docker-run -e production -- docker run --rm my-image:latest

Docker Compose

# docker-compose.yml — refer to vars without committing values
services:
  web:
    image: my-image
    environment:
      DATABASE_URL: ${DATABASE_URL}
      STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY}

# Bring the stack up with secrets injected
envv docker-run -e production -- docker compose up -d

Hot-Restart After Rotation

envv secrets set DATABASE_URL=postgres://newhost/db -e production
envv docker-run -e production --restart -- docker compose up -d

--restart stops and recreates matching containers so the new secret is picked up.

Build-Time Secrets

For values needed during docker build (e.g. NPM tokens), pass an env-file to the build as a BuildKit secret, which keeps the values out of the image layers:

envv docker-env -e production > /tmp/build.env
DOCKER_BUILDKIT=1 docker build --secret id=envvault,src=/tmp/build.env -t my-image .
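
Both the Single Container and Build-Time Secrets snippets leave a plaintext env-file on disk (.env.prod, /tmp/build.env) with default permissions. The following is an added example, not part of EnvVault or its documentation: with_env_file and the @ENVFILE@ placeholder are hypothetical names for a helper that keeps the file owner-only and deletes it once the docker command returns.

```shell
#!/bin/sh
# Added example (not EnvVault code): with_env_file is a hypothetical helper.
# It reads an env-file on stdin, stores it in an owner-only temp file, runs
# the given command with @ENVFILE@ replaced by that path, then deletes it.
with_env_file() {
    (
        umask 077                                # nothing group/world-readable
        f=$(mktemp "${TMPDIR:-/tmp}/envfile.XXXXXX") || exit 1
        trap 'rm -f "$f"' EXIT                   # delete on every exit path
        trap 'exit 1' HUP INT TERM               # route signals through EXIT
        cat > "$f"
        # A failed generator leaves an empty file; do not run without secrets.
        [ -s "$f" ] || { echo "with_env_file: empty env-file" >&2; exit 1; }
        n=$#
        while [ "$n" -gt 0 ]; do                 # substitute the placeholder
            arg=$1; shift
            case $arg in
                *@ENVFILE@*) arg="${arg%%@ENVFILE@*}$f${arg#*@ENVFILE@}" ;;
            esac
            set -- "$@" "$arg"
            n=$((n - 1))
        done
        "$@"                                     # exit status is the command's
    )
}

# Usage with the commands from this page (commented out so the file is inert):
# envv docker-env -e production | \
#   with_env_file docker run --rm --env-file=@ENVFILE@ my-image:latest
# envv docker-env -e production | \
#   with_env_file env DOCKER_BUILDKIT=1 docker build \
#     --secret id=envvault,src=@ENVFILE@ -t my-image .
```

The helper fits commands that read the file while they run, such as docker run --env-file and docker build --secret; the file is gone as soon as the wrapped command exits.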

Image with EnvVault Baked In

# Dockerfile
FROM node:20
COPY --from=envvault/cli:latest /usr/local/bin/envv /usr/local/bin/envv
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
CMD ["envv", "run", "-e", "production", "--", "node", "server.js"]

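Pass ENVVAULT_TOKEN at docker run time. Avoid baking the token into the image: a value set with ENV or copied in during the build stays in the image's layers and metadata, readable by anyone who can pull the image.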