Using environment variables with decK

When you use decK to apply configurations to Kong Gateway, decK reads data in plain text from a state file by default. To improve security, you can also store sensitive information, for example apiKey or client_secret, in environment variables. decK can then read data directly from the environment variables and apply it.

Create environment variables with the DECK_ prefix and reference them as ${{ env "DECK_*" }} in your state file.

The following example demonstrates how to apply an apiKey stored in an environment variable. You can use this method for any sensitive content.

Create an environment variable:
```
export DECK_API_KEY={API_KEY}
```

Save the following snippet into a env-demo.yaml file:

 _format_version: "1.1"
 consumers:
 - keyauth_credentials:
   - key: ${{ env "DECK_API_KEY" }}
   username: demo
   id: 36718320-e67d-4162-8b50-aa685e06c64c
 plugins:
 - config:
     anonymous: null
     hide_credentials: false
     key_in_body: false
     key_in_header: true
     key_in_query: true
     key_names:
     - apikey
     run_on_preflight: true
   enabled: true
   name: key-auth
   protocols:
   - grpc
   - grpcs
   - http
   - https

This snippet enables the key authentication plugin globally and creates a consumer named demo with an apiKey.

Run deck sync -s env-demo.yaml to sync this file.

The output should look something like this, where abc is the apiKey stored in the environment variable:

 creating consumer demo
 creating key-auth abc for consumer 36718320-e67d-4162-8b50-aa685e06c64c
 creating plugin key-auth (global)
 Summary:
   Created: 3
   Updated: 0
   Deleted: 0