1

Can someone explain what the benefits of environment variables in Node.js are over a regular config file?

In my project I have config.js files with DB details, AWS keys, etc. This file is added to .gitignore and never shared on the repository; instead there is a demo.config.js file with all required parameters filled with fake credentials, so you can just copy it as config.js and fill it with correct details after a fresh install.

This file is "required" in every file when I need credentials in my project and on my development machine this config file is configured with test server details and with actual production server details on production machine.

Lately I read everywhere that everyone should use environment variables to store credentials safely, but I don't see any benefit to doing so in my project.

I'm not saying it's bad and my approach is better, I just want to know what actual benefit (security or otherwise) will I get with environment variables over my setup?

Nicolo
  • Can you cite these places and maybe include excerpts that we can critique? I see both mechanisms as valid, but I can understand reprehension with having a config file with passwords lying around. However I can also see why environment variables have drawbacks. – zero298 Mar 18 '19 at 16:45
  • Possible duplicate of [Is it secure to store passwords as environment variables (rather than as plain text) in config files?](https://stackoverflow.com/questions/12461484/is-it-secure-to-store-passwords-as-environment-variables-rather-than-as-plain-t) – zero298 Mar 18 '19 at 16:46

2 Answers

1

For me it is more like a common standard than anything else. The way you use config.js is practically the same as using environment variables. But instead of storing the configuration in environment variables, you store it in a js file.

The main difference is how you read that config. All mainstream languages I know will easily allow you to read from environment variables; there is really wide support for it. Reading from config files brings additional complexity, as you need to know the structure of that file, how to parse it, etc. In some languages (maybe Node.js) it is probably easy to read from a js file, but in others it could be a difficult task.

That's why using environment variables is just a common standard and language agnostic. You can even read it in bash scripts etc.

Edit: adding reference to The Twelve-Factor App, the Config section is particularly connected with above question: https://www.12factor.net/config

barell
0

One benefit I see is when you are using Docker for local development and Kubernetes or any container orchestration for SIT/UAT etc., where the config setting is there. In local development we keep all the env variables required and move the same to the container-based system.

Chandan