Hey, so I’m having some issues keeping my env variables.

When I update my app.yaml file:

doctl apps update $APPID --spec .do/app.yaml

And then I log into my dashboard only to see the Web UI env variables are now gone. Each time I deploy, I need to re-input them.

What is the process here for keeping them? I can’t deploy my .env file, because it’s not in version control. I don’t want to put my env variables into app.yaml, because that does go into version control.

So I’m stuck here having to copy/paste them for 5 mins each time I change the app.

I think I’m doing something wrong here - any suggestions?

edited by MattIPv4

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

👋 @wesbos

As you may have guessed, the spec is a representation of your app, when updating without the environment variables we take that to mean the current env vars should not be included.

A possible solution is, when creating the environment variables mark the secret ones as secret and when you’re happy with this you can go to the settings tab and view the App Spec which will have encrypted values for your secrets. These values are bound to your app and can be safely stored in your git repository. You can also use this spec to update your app and the encrypted values will continue to work as expected.

  • thanks for the reply. When you say “mark them as secret”. Where is that UI? I see the “encrypt” checkbox in the web UI. When I add one is there, how do I translate the value to my app.yaml spec?

    • My bad, I was using old terminology we removed before launch 😅

      I was referring to the Encrypt checkbox. When you add a variable and check this box we will encrypt it. When you go to the Settings tab on the app you can view the app spec which will contain the encrypted values.

      This app spec can be used from commandline and stored in a git.

      For example, here is one of my specs with a secret:

      name: go-info-webserver
      region: nyc
      - build_command: yarn build
        environment_slug: node-js
        - key: MY_SECRET
          scope: BUILD_TIME
          type: SECRET
          value: EV[1:iyCrKvPG7l9mRBZCVsG54Kl7TV4F6xaK:nw9p64bBzikFsp5hGIQ9+3USvA==]
          branch: main
          deploy_on_push: true
          repo: jonfriesen/go-info-webserver
        name: app-planner
        - path: /

      In addition, if you set an environment type in the spec as type: SECRET and give it a plaintext value, it will be encrypted.

      • okay that works, but where do I get the EV[1:iyCrKvPG7l9mRBZCVsG54K value? It just says “Encrypted”

        • In Settings > there is an App Spec section that will let you view your generated app spec.

          Screen Shot

          I wonder if we should allow you to see the ciphertext in the environment variable field. What do you think?

          • ah I see it now! Yes I’d love to see them in that UI where it’s encrypted. Or just have a CLI tool that converts the popular .env file into this.

          • I just wanted to throw my two-cents in here and say that this workflow feels a little obtuse. If I’m getting this right, you need to:

            1. Copy/paste values from a .env into the web UI.
            2. Click the “encrypt” checkbox next to each one.
            3. Elsewhere in the web UI, find and click the “View” button within the App Spec.
            4. Copy the contents on the page that opens (or save it as a text file).
            5. Add the contents/file to your repository, commit, and push it.
            6. Redeploy.

            I honestly don’t know what the best solution is, but using environment variables is a pretty common practice (especially in a .env file), and shouldn’t be that difficult to integrate.

          • I agree with actualjohn. This workflow is really obtuse.

            This seems like it could be handled much more gracefully.