dotEnv
Integrations

AWS

Use the dotEnv CLI to deliver secrets to AWS compute such as ECS, Lambda, and EC2.

Back to all guides

dotEnv Cloud has no AWS-specific service integration. There is no Parameter Store sync or Lambda extension to configure. Instead you run the dotEnv CLI wherever your code runs on AWS and pull secrets at deploy or boot time. This guide covers the three most common AWS compute targets.

Store the API key

However you run on AWS, the CLI authenticates with an organization API key supplied through DOTENV_API_KEY. Keep the key itself in a trusted store such as AWS Secrets Manager or an SSM parameter, and load it into the environment just before the CLI runs.

EC2 and Auto Scaling

On a plain EC2 instance, install the CLI in your user-data or configuration management and pull a .env file as part of the boot sequence:

user-data.sh
#!/bin/bash
set -e
curl -sSL https://dotenv.cloud/install.sh | bash
# DOTENV_API_KEY is fetched from your secret store here
export DOTENV_API_KEY="$(aws secretsmanager get-secret-value \
  --secret-id dotenv-api-key --query SecretString --output text)"
dotenv pull my-app/production/api --output=/etc/my-app/.env

ECS / Fargate

For containers on ECS, follow the entrypoint pattern from the Docker guide: bake the CLI into the image and have the entrypoint pull secrets before exec-ing your app. Provide DOTENV_API_KEY to the task through the task definition's secrets block, which pulls it from Secrets Manager or SSM at task start.

entrypoint.sh
#!/bin/sh
set -e
eval "$(dotenv export my-app/production/api --format=shell)"
exec ./my-app

Lambda

Lambda's execution model makes per-invocation CLI calls impractical, so the recommended approach is to pull secrets during your build or deploy step and ship them as Lambda environment variables. Render JSON and feed it into your deploy tooling:

terminal
# Produce JSON for your IaC or the AWS CLI at deploy time
dotenv pull my-app/production/api --format=json --output=env.json
# Example: apply with the AWS CLI
aws lambda update-function-configuration \
  --function-name my-app \
  --environment "Variables=$(cat env.json)"
Lambda environment variables are visible to anyone with read access to the function configuration. For highly sensitive values, pull them at cold start inside the handler instead.

Client-managed encryption

If the project is client-managed, the pulling step needs the encryption key too. Store it alongside the API key in Secrets Manager and expose it as DOTENV_CLIENT_KEY, or write it to a file and pass --client-key. Decryption always happens locally on the AWS compute, so dotEnv Cloud never sees the key.

Continue with Azure DevOps for a pipeline-focused walk-through.