bash
8 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
#!/usr/bin/env bash
set -euo pipefail
export VAULT_ADDR="https://vault.internal:8200"
export VAULT_TOKEN="${VAULT_TOKEN:?missing VAULT_TOKEN}"
DB_PASSWORD=$(vault kv get -field=password secret/production/database)
export DATABASE_URL="postgres://app:${DB_PASSWORD}@db.internal/app_production"
1 file · bash
Explain with highlit
The rule is simple: secrets should not live in source control, logs, or chat transcripts. I keep local development ergonomic with env files that never leave the machine, and I use a real secret manager in shared environments. Retrieval should be audited and rotation should be possible without rewriting the app.
Share this code
Here's the card — post it anywhere.