This dotfiles setup provides utilities for managing environment variables, particularly for AWS credentials and Bitwarden session management.

AWS Environment Variables

The aws_env() function exports AWS credentials from configured profiles:
dot_bash_functions:1-18
aws_env() {
    local profiles
    profiles=$(aws configure list-profiles)
    # -F matches the name literally and -x requires a whole-line match, so
    # "work" does not match "work-admin" and a name containing regex
    # metacharacters is not interpreted as a pattern
    if printf '%s\n' "$profiles" | grep -Fxq -- "$1"; then
        AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile "$1")
        AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key --profile "$1")
        AWS_DEFAULT_REGION=$(aws configure get region --profile "$1")
        export AWS_PROFILE="$1"
        export AWS_ACCESS_KEY_ID
        export AWS_SECRET_ACCESS_KEY
        export AWS_DEFAULT_REGION
        echo "$1 environment variables exported"
        # Note: this prints AWS_SECRET_ACCESS_KEY to the terminal and its scrollback
        env | grep AWS_ | sort
    else
        echo "profile '$1' not found"
        echo "profiles available:"
        printf '%s\n' "$profiles"
    fi
}

How It Works

  1. List profiles: aws configure list-profiles reads the profile names from ~/.aws/config and ~/.aws/credentials
  2. Validate profile: the requested name is matched as a whole line against that list
  3. Export credentials: aws configure get reads the profile's static access key, secret key and region, and each is exported as an environment variable. The AWS CLI and SDKs check environment variables before profiles, so these values now take precedence over AWS_PROFILE and over anything in the files
  4. Display confirmation: env | grep AWS_ prints every AWS_* variable, including AWS_SECRET_ACCESS_KEY, to the terminal and its scrollback

Two things to be aware of: aws configure get prints nothing (and exits non-zero) when the profile does not define a key, so for an SSO or assume-role profile, which has no static keys, the function exports empty AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY without complaint; and the exported values are inherited by every process started from this shell, not only by aws.

Usage

# Switch to work AWS profile
aws_env work

# Switch to personal profile
aws_env personal

# Output:
work environment variables exported
AWS_ACCESS_KEY_ID=AKIA...
AWS_DEFAULT_REGION=us-east-1
AWS_PROFILE=work
AWS_SECRET_ACCESS_KEY=...

Environment Variables Set

  • AWS_PROFILE - Profile name
  • AWS_ACCESS_KEY_ID - Access key ID
  • AWS_SECRET_ACCESS_KEY - Secret access key
  • AWS_DEFAULT_REGION - Default AWS region

Bitwarden Session Management

The BW_SESSION environment variable holds the Bitwarden session key that the bw CLI needs to decrypt the vault; every bw command, including the ones chezmoi runs for its bitwarden template functions, reads it from the environment:
dot_bash_functions:20-24
# Bitwarden session management
bw_unlock() {
    # Assign first, then export: 'export BW_SESSION=$(bw unlock --raw)' would
    # report export's exit status (0) even when bw unlock fails on a wrong
    # master password, leaving an empty BW_SESSION and a misleading message
    BW_SESSION=$(bw unlock --raw) || return 1
    export BW_SESSION
    echo "Bitwarden vault unlocked"
}

Usage

# Unlock vault and export session
bw_unlock

# Verify the session is set (without echoing the key into your scrollback)
[ -n "$BW_SESSION" ] && echo "BW_SESSION is set"

# Use in chezmoi operations
chezmoi apply

Why It Matters

Chezmoi does not talk to Bitwarden itself: its bitwarden and bitwardenFields template functions run the bw CLI, which needs BW_SESSION to decrypt the vault:
{{ (bitwarden "item" "my-secret").notes }}
Without BW_SESSION (or with a key that a later bw lock has destroyed):
  • The bw call fails, so template execution fails
  • Chezmoi can’t retrieve the secret and aborts the apply
  • The authentication error you see comes from bw, not from chezmoi
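Added example (not the repository's own functions; bw_ensure_unlocked and bw_end_session are assumed names): a pair of helpers that ask bw status before prompting, distinguish "locked" from "unauthenticated", and only export BW_SESSION when bw unlock actually succeeded. The same function is what you want in the "Bitwarden Session Expired" troubleshooting case, since it re-checks state instead of blindly unlocking. It assumes the bw CLI and sed on PATH and parses bw status's JSON with sed so that jq is not required.

```bash
# Added example: session helpers that check bw's exit status and state
# (bw_ensure_unlocked and bw_end_session are assumed names, not repository code).
bw_ensure_unlocked() {
    local status session
    # 'bw status' prints one JSON object whose "status" field is
    # "unauthenticated", "locked" or "unlocked". Extract it without jq.
    status=$(bw status 2>/dev/null | sed -n 's/.*"status": *"\([a-z]*\)".*/\1/p')
    case "$status" in
        unlocked)
            # BW_SESSION already holds a valid key; do not prompt again.
            echo "Bitwarden vault already unlocked"
            return 0 ;;
        locked)
            ;;
        unauthenticated)
            echo "not logged in to Bitwarden; run 'bw login' first" >&2
            return 1 ;;
        *)
            echo "could not determine Bitwarden status (is 'bw' installed?)" >&2
            return 1 ;;
    esac

    # Assign, then export. 'export BW_SESSION=$(bw unlock --raw)' would return
    # export's status (0) even when bw unlock fails on a wrong master password.
    session=$(bw unlock --raw) || {
        echo "bw unlock failed; BW_SESSION left unchanged" >&2
        return 1
    }
    if [ -z "$session" ]; then
        echo "bw unlock returned an empty session key" >&2
        return 1
    fi
    export BW_SESSION="$session"
    echo "Bitwarden vault unlocked"
}

# Lock the vault and drop the key from this shell. 'bw lock' destroys the
# active session key, so unsetting the variable is housekeeping on top of that.
bw_end_session() {
    bw lock >/dev/null 2>&1 || true
    unset BW_SESSION
    echo "Bitwarden vault locked"
}
```

Run bw_ensure_unlocked && chezmoi apply so that apply never starts with a dead or missing session key.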

AWS Credentials from Bitwarden

AWS credentials are stored in Bitwarden and provisioned via chezmoi templates.

Storage Structure

Bitwarden Item: AWS <environment> (example: AWS work)
Custom Fields:
  • aws_access_key_id - Access key
  • aws_secret_access_key - Secret key
  • region - Default region

Template Example

{{- if .work_email }}
[work]
aws_access_key_id = {{ (bitwardenFields "item" "AWS work").aws_access_key_id.value }}
aws_secret_access_key = {{ (bitwardenFields "item" "AWS work").aws_secret_access_key.value }}
region = {{ (bitwardenFields "item" "AWS work").region.value }}
{{- end }}
This generates ~/.aws/credentials. Keep the source file named private_dot_aws/credentials.tmpl: the private_ attribute makes chezmoi strip group and other permissions, so the rendered file is mode 0600:
[work]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
region = us-east-1

Security Best Practices

Never Commit Secrets

Never commit these files with plaintext secrets:
  • .env files
  • ~/.aws/credentials (use templates)
  • ~/.config/ files with tokens
  • Any file containing API keys

Use Templates for Credentials

Instead of adding the rendered file to the source state as-is:
# BAD: chezmoi add without --template copies the plaintext file into the
# source directory, and the next git commit captures the keys
chezmoi add ~/.aws/credentials

# GOOD: add it as a template
chezmoi add --template ~/.aws/credentials
Then edit the template to replace the literal values with bitwardenFields lookups before you commit: chezmoi add --template starts from the file's current contents, so the plaintext keys sit in the source directory until you do.

Environment Variable Lifetime

Environment variables live in the shell process that exported them (and in the processes it starts); they are not written anywhere and vanish when that shell exits:
# Exported in this terminal
aws_env work
echo $AWS_PROFILE  # Outputs: work

# New terminal window
echo $AWS_PROFILE  # Outputs: (empty)
This limits exposure, but it is not a security boundary: every child process of that shell inherits the keys, and the same keys remain on disk in ~/.aws/credentials until you rotate them.

Unset Sensitive Variables

Clear credentials when done:
# Clear AWS credentials
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_PROFILE
unset AWS_DEFAULT_REGION

# Lock Bitwarden
bw lock
unset BW_SESSION

Hybrid Work/Personal Setup

This dotfiles configuration supports hybrid environments:
.chezmoi.toml.tmpl:1-14
{{- $name := promptStringOnce . "name" "Your Name" "Julio Lira" -}}
{{- $machine_type := promptStringOnce . "machine_type" "Machine type (personal/work/hybrid)" "hybrid" -}}
{{- $os := promptStringOnce . "os" "Operating System" "linux" -}}
{{- $editor := promptStringOnce . "editor" "Default Editor" "code" -}}

{{- $personal_email := "" -}}
{{- if or (eq $machine_type "personal") (eq $machine_type "hybrid") -}}
{{-   $personal_email = promptStringOnce . "personal_email" "Personal Email" "" -}}
{{- end -}}

{{- $work_email := "" -}}
{{- if or (eq $machine_type "work") (eq $machine_type "hybrid") -}}
{{-   $work_email = promptStringOnce . "work_email" "Work Email" "" -}}
{{- end -}}

Conditional Configuration

Templates can conditionally include work or personal configs:
{{- if .personal_email }}
[personal]
aws_access_key_id = {{ (bitwardenFields "item" "AWS personal").aws_access_key_id.value }}
aws_secret_access_key = {{ (bitwardenFields "item" "AWS personal").aws_secret_access_key.value }}
region = us-west-2
{{- end }}

{{- if .work_email }}
[work]
aws_access_key_id = {{ (bitwardenFields "item" "AWS work").aws_access_key_id.value }}
aws_secret_access_key = {{ (bitwardenFields "item" "AWS work").aws_secret_access_key.value }}
region = us-east-1
{{- end }}

Common Workflows

Starting Work Session

# 1. Unlock Bitwarden
bw_unlock

# 2. Load work AWS credentials
aws_env work

# 3. Verify environment (grep -v keeps the secret key out of the terminal)
env | grep AWS_ | grep -v SECRET
aws sts get-caller-identity

Switching Contexts

# Switch from work to personal
aws_env personal

# Verify switch
echo $AWS_PROFILE  # Outputs: personal

Ending Session

# Clear credentials
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_PROFILE AWS_DEFAULT_REGION

# Lock vault
bw lock
unset BW_SESSION

Troubleshooting

AWS Credentials Not Found

# List available profiles
aws configure list-profiles

# Check that the credentials file exists and list its profile sections
# (avoid cat, which dumps the keys into the terminal)
ls -l ~/.aws/credentials
grep '^\[' ~/.aws/credentials

# Re-apply dotfiles
chezmoi apply

Profile Not Found

If aws_env says profile not found:
  1. Verify profile exists: aws configure list-profiles
  2. Check spelling (case-sensitive)
  3. Ensure the profile section exists: [work] in ~/.aws/credentials, or [profile work] in ~/.aws/config

Bitwarden Session Expired

If chezmoi apply fails with Bitwarden errors:
# Check vault status
bw status

# Re-unlock if needed
bw_unlock

# Verify the session is set (without echoing the key)
[ -n "$BW_SESSION" ] && echo "BW_SESSION is set"

# Retry chezmoi
chezmoi apply

Environment Variables Not Persisting

Environment variables only exist in current shell:
# Add to ~/.bashrc for permanent functions (already done)
source ~/.bash_functions

# Re-export in each new terminal
aws_env work

Adding New Environment Secrets

1. Store in Bitwarden

Create item with custom fields:
  • Item name: Service Name
  • Custom fields: api_key, api_secret, etc.

2. Create Template

# Make the file owner-only first: chezmoi then records it with the private_
# attribute and keeps mode 0600 on every apply
chmod 600 ~/.config/service/credentials
chezmoi add --template ~/.config/service/credentials

3. Edit Template

chezmoi edit ~/.config/service/credentials
Add Bitwarden template (use export rather than a bare assignment so that processes started from the shell can see the values, and single-quote the values in case a secret contains whitespace or shell metacharacters):
export API_KEY='{{ (bitwardenFields "item" "Service Name").api_key.value }}'
export API_SECRET='{{ (bitwardenFields "item" "Service Name").api_secret.value }}'

4. Apply

bw_unlock
chezmoi apply

5. Source in Shell

source ~/.config/service/credentials
# Confirm it is set without echoing the secret into your scrollback
[ -n "$API_KEY" ] && echo "API_KEY is set"
