Export Formats

The pull command can export your environment variables in different formats beyond the standard .env file. This is useful when you need to deploy variables to container orchestrators, cloud platforms, or CI/CD pipelines without manually converting formats.

Before You Begin

Make sure you have the CLI installed and authenticated. See CLI Overview for setup instructions.

You should also have a project configured, either via envmanager.json or by passing --project to the command.

Supported Formats

Format          Description                     Use Case
dotenv          Standard .env file (default)    Local development, most frameworks
docker-compose  Docker Compose YAML snippet     Docker-based deployments
k8s-secret      Kubernetes Secret manifest      K8s deployments with sensitive data
k8s-configmap   Kubernetes ConfigMap manifest   K8s deployments with non-sensitive config
vercel          Vercel CLI commands             Deploying to Vercel
railway         Railway CLI commands            Deploying to Railway
render          Render CLI commands             Deploying to Render

Using Export Formats

Specify the format with the --format flag:

envmanager pull --format <format-name>

If no format is specified, the CLI defaults to dotenv.

dotenv (Default)

The standard KEY=value format used by most frameworks and tools.

envmanager pull

Output:

DATABASE_URL=postgres://localhost:5432/mydb
API_KEY="my secret key"
DEBUG=false

Values containing spaces, quotes, or special characters are automatically quoted.

Docker Compose

Generates a YAML snippet you can paste into your docker-compose.yml file.

envmanager pull --format docker-compose -o docker-compose.env.yml

Output:

# Docker Compose environment section
# Copy this into your docker-compose.yml and replace 'app' with your service name
services:
  app:
    environment:
      DATABASE_URL: "postgres://localhost:5432/mydb"
      API_KEY: "my secret key"
      DEBUG: "false"

Replace app with your actual service name in docker-compose.yml.

Kubernetes Secret

Generates a Kubernetes Secret manifest with base64-encoded values. Use this for sensitive data like API keys, database credentials, and tokens.

envmanager pull --format k8s-secret --k8s-name my-app-secrets --k8s-namespace production -o secrets.yaml

Output:

apiVersion: v1
kind: Secret
metadata:
  name: my-app-secrets
  namespace: production
type: Opaque
data:
  DATABASE_URL: cG9zdGdyZXM6Ly9sb2NhbGhvc3Q6NTQzMi9teWRi
  API_KEY: bXkgc2VjcmV0IGtleQ==
  DEBUG: ZmFsc2U=

Apply with kubectl apply -f secrets.yaml.

Kubernetes options:

Option                Description                    Default
--k8s-name <name>     Resource name in the manifest  app-secrets
--k8s-namespace <ns>  Kubernetes namespace           default

The resource name is automatically sanitized to comply with Kubernetes naming rules (lowercase, alphanumeric and hyphens only, max 63 characters).
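The base64 in a Secret manifest is an encoding, not encryption, so the exported secrets.yaml is as sensitive as the .env file it came from. The following added example (not part of the envmanager CLI; the function names are hypothetical) decodes the sample manifest above to show this, and handles only the flat layout shown there rather than general YAML:

```shell
#!/bin/sh
# Added example: shows that `data:` values in a Secret manifest are only
# base64-encoded. Handles the flat layout shown above (two-space indented
# "KEY: value" lines under a top-level "data:" key), not general YAML.

decode_secret_data() {
    # $1 = manifest path; prints KEY=decoded-value for each data entry
    in_data=0
    while IFS= read -r line; do
        case "$line" in
            "data:") in_data=1; continue ;;
            "  "*)   ;;            # indented: still inside the current block
            *)       in_data=0 ;;  # next top-level key ends the data block
        esac
        [ "$in_data" -eq 1 ] || continue
        key=${line%%:*}
        key=${key#"  "}
        val=${line#*: }
        printf '%s=%s\n' "$key" "$(printf '%s' "$val" | base64 -d)"
    done < "$1"
}

# The manifest from this page, embedded so the example runs offline.
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secrets
  namespace: production
type: Opaque
data:
  DATABASE_URL: cG9zdGdyZXM6Ly9sb2NhbGhvc3Q6NTQzMi9teWRi
  API_KEY: bXkgc2VjcmV0IGtleQ==
  DEBUG: ZmFsc2U=
EOF
}

tmp=$(mktemp)
sample_manifest > "$tmp"
decode_secret_data "$tmp"
rm -f "$tmp"
```

Keep the exported file out of version control and restrict its permissions, and delete it once kubectl apply has succeeded.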

Kubernetes ConfigMap

Generates a Kubernetes ConfigMap manifest with plain-text values. Use this for non-sensitive configuration like feature flags, log levels, and URLs.

envmanager pull --format k8s-configmap --k8s-name my-app-config -o configmap.yaml

Output:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-app-config
  namespace: default
data:
  DATABASE_URL: "postgres://localhost:5432/mydb"
  DEBUG: "false"
  LOG_LEVEL: "info"

The same --k8s-name and --k8s-namespace options apply as with Kubernetes Secrets.

Vercel CLI

Generates shell commands to set environment variables via the Vercel CLI.

envmanager pull --format vercel -o vercel-env.sh

Output:

# Vercel CLI commands to add environment variables
# Run these commands in your project directory
# Docs: https://vercel.com/docs/cli/env
# Note: You may need to run 'vercel login' first

echo 'postgres://localhost:5432/mydb' | vercel env add DATABASE_URL production
echo 'my secret key' | vercel env add API_KEY production

Run the generated script with bash vercel-env.sh.

Railway CLI

Generates shell commands to set environment variables via the Railway CLI.

envmanager pull --format railway -o railway-env.sh

Output:

# Railway CLI commands to set environment variables
# Run these commands in your project directory
# Docs: https://docs.railway.app/reference/cli-api#variables-set
# Note: You may need to run 'railway login' first

railway variables set DATABASE_URL="postgres://localhost:5432/mydb"
railway variables set API_KEY="my secret key"

Render CLI

Generates shell commands to set environment variables via the Render CLI.

envmanager pull --format render -o render-env.sh

Output:

# Render CLI commands to set environment variables
# Run these commands in your project directory
# Docs: https://render.com/docs/cli
# Note: You may need to authenticate first

render env:set DATABASE_URL="postgres://localhost:5432/mydb"
render env:set API_KEY="my secret key"

Setting a Default Format in Config

Instead of passing --format every time, you can set a default in your envmanager.json:

{
  "project_id": "your-project-uuid",
  "environment": "production",
  "output": "secrets.yaml",
  "format": "k8s-secret",
  "k8s_namespace": "production",
  "k8s_name": "my-app-secrets"
}

With this config, running envmanager pull will automatically produce a Kubernetes Secret manifest. You can still override any of these with CLI flags:

# Override the config format for a one-off pull
envmanager pull --format dotenv -o .env

Priority order: CLI flags take precedence over config file values, which take precedence over defaults.

Tips and Best Practices

  • Use dotenv for local development and platform-specific formats only for deployment. Most frameworks and tools expect .env files during development.
  • Combine with --output to give exported files meaningful names. For example, --format k8s-secret -o k8s/secrets.yaml keeps your Kubernetes manifests organized.
  • Separate secrets from config in Kubernetes. Use k8s-secret for sensitive values (API keys, passwords) and k8s-configmap for everything else. This follows Kubernetes security best practices.
  • Review generated shell scripts before running. The Vercel, Railway, and Render formats generate executable commands. Always review the output before piping to bash.
  • The --show-sources and --resolve-references flags only apply to the dotenv format. They are silently ignored for other formats since those formats don't support inline comments.
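One way to carry out the "review generated shell scripts" tip mechanically, as an added example that is not part of the envmanager CLI: an allow-list check that accepts only the three command shapes shown in the samples on this page and flags every other line for a human to read. The function names are hypothetical, and because the page does not document how the CLI escapes values, the check assumes nothing and rejects any value the shell would still interpret inside its quotes.

```shell
#!/bin/sh
# Added example: allow-list review of a generated deploy script.
# Assumption: generated lines follow the shapes shown in the samples above.

review_generated_script() {
    # $1 = script path. Prints "N:line" for every line that needs a human
    # look and returns 1; returns 0 when every line is a recognised shape.
    name='[A-Za-z_][A-Za-z0-9_]*'
    # Double-quoted value with nothing the shell still interprets inside
    # double quotes: no $, backtick, backslash or embedded double quote.
    dqval='"[^"$`\]*"'
    # Single-quoted value: an embedded single quote would end the quoting.
    vercel="^echo '[^']*' [|] vercel env add ${name} [a-z]+\$"
    railway="^railway variables set ${name}=${dqval}\$"
    render="^render env:set ${name}=${dqval}\$"
    flagged=$(grep -n -E -v -e '^[[:space:]]*(#.*)?$' \
        -e "$vercel" -e "$railway" -e "$render" "$1" || true)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample: lines 2-4 are from the page, lines 5-7 are made up
# to show what gets flagged.
sample_script() {
    cat <<'EOF'
# Railway CLI commands to set environment variables
echo 'my secret key' | vercel env add API_KEY production
railway variables set DATABASE_URL="postgres://localhost:5432/mydb"
render env:set API_KEY="my secret key"
railway variables set BANNER="built by $(whoami)"
echo 'it's quoted badly' | vercel env add NOTE production
render env:set DEBUG="false" && date
EOF
}

tmp=$(mktemp)
sample_script > "$tmp"
review_generated_script "$tmp" || echo "review the lines above before running"
rm -f "$tmp"
```

A flagged line is not necessarily malicious; it only means the value contains characters whose handling depends on the quoting, so it should be read before the script is executed.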
