Guide · 7 min read · 2026-05-01

Environment Variables Best Practices for Cloud Deployments

Mismanaged environment variables cause outages and security breaches. Here's the complete guide to managing env vars safely on PandaStack.

Environment variables are the glue between your application code and its configuration. Done wrong, they cause security breaches, production outages, and the kind of 3am debugging sessions that make developers consider career changes. Done right, they are invisible — your app just works.

Here are eight best practices for managing environment variables in cloud deployments, with PandaStack-specific implementation guidance.

1. Never Commit Secrets to Git

This should be obvious, but it still happens. Database passwords, API keys, and JWT secrets committed to a public GitHub repository are often found and exploited within hours.

Use .gitignore for local .env files:

```gitignore
.env
.env.local
.env.*.local
.env.production
```

Verify no secrets are tracked:

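```sh
# Anchor the match so only dotenv files are listed, not names that merely contain "env"
git ls-files | grep -E '(^|/)\.env'
```

Only `.env.example` should appear in the output. If you accidentally committed a secret, assume it is compromised and rotate it immediately; deleting the file in a later commit does not remove it from the repository history.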

2. Use .env.example for Documentation

Commit a .env.example file that lists every required variable with placeholder values:

```dotenv
# Database
DATABASE_URL=postgresql://user:password@host:5432/dbname

# Authentication
JWT_SECRET=your-secret-here
JWT_EXPIRES_IN=7d

# External APIs
STRIPE_SECRET_KEY=sk_test_...
SENDGRID_API_KEY=SG.xxx
```

This documents what your application needs without exposing real values. New team members know exactly what to configure.

3. Separate Variables by Environment

Maintain distinct variable sets for development, staging, and production:

  • Development: relaxed security, verbose logging, local database
  • Staging: production-like config, test credentials, staging database
  • Production: strict security, minimal logging, production credentials

Never use production credentials in development or staging.

4. Set Variables in PandaStack — Not in Your Dockerfile

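Do not hardcode variables in your Dockerfile. `ENV` values are baked into the image metadata and layers, so anyone who can pull the image can read them:

```dockerfile
# WRONG - never do this
ENV DATABASE_URL=postgresql://user:password@db.pandastack.io:5432/prod_db
```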

Instead, set them in your PandaStack deployment settings:

  1. Go to your deployment → Environment Variables
  2. Click Add Variable
  3. Enter the key and value
  4. Click Save

PandaStack encrypts variable values at rest and never exposes them in build logs.

Via CLI:

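```sh
# A value typed inline like this is recorded in your shell history
panda env set DATABASE_URL="postgresql://user:password@host/db"
# Generated in place, so the secret itself never appears in the history entry
panda env set JWT_SECRET="$(openssl rand -hex 32)"
```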

5. Validate Environment Variables at Startup

Fail fast if required variables are missing rather than letting your app crash in unexpected ways:

```javascript
// Node.js example using zod
import { z } from 'zod'

const EnvSchema = z.object({
    DATABASE_URL: z.string().url(),
    JWT_SECRET: z.string().min(32), // reject secrets shorter than 32 characters
    PORT: z.coerce.number().default(3000),
    NODE_ENV: z.enum(['development', 'staging', 'production']),
})

// Throws a ZodError listing every missing or invalid variable
export const env = EnvSchema.parse(process.env)
```

If a variable is missing or invalid, the process exits with a clear error message at startup rather than failing mysteriously at runtime.

6. Use Structured Naming Conventions

Consistent naming makes variables self-documenting:

```dotenv
# Database connections
APP_DB_URL=postgresql://...
CACHE_REDIS_URL=redis://...

# External service credentials
STRIPE_SECRET_KEY=...
STRIPE_WEBHOOK_SECRET=...

# Feature flags
FEATURE_NEW_DASHBOARD=true
```

Use uppercase with underscores. Prefix with the service or component name. Avoid vague names like KEY, SECRET, or TOKEN.

7. Rotate Secrets Regularly

Treat secrets like passwords — rotate them periodically:

  1. Generate a new secret
  2. Add the new value to PandaStack without removing the old one
  3. Deploy and verify the new secret works
  4. Remove the old secret

Set a calendar reminder to rotate credentials every 90 days, or immediately after any team member with access leaves.
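
One way an application can support the overlap in steps 2 to 4, as an added example that is not PandaStack's code or part of the original guide: sign with the current secret and accept the previous one while it is still set. `JWT_SECRET_PREVIOUS`, the helper names and the sample secrets are assumptions constructed for illustration; only the signature is checked here, not token expiry.

```javascript
// Added example: verify tokens against both secrets during a rotation window.
// JWT_SECRET_PREVIOUS is a hypothetical variable name chosen for this example.
const nodeCrypto = require('node:crypto')

const b64url = (s) => Buffer.from(s).toString('base64url')
const hmac = (input, secret) => nodeCrypto.createHmac('sha256', secret).update(input).digest()

// New tokens are always signed with the current secret.
function signToken(payload, env) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`
  return `${input}.${hmac(input, env.JWT_SECRET).toString('base64url')}`
}

// Try the current secret first, then the previous one while it is still set.
// Returns { payload, signedWith } or null when no configured secret matches.
function verifyToken(token, env) {
  const parts = String(token).split('.')
  if (parts.length !== 3) return null
  const [header, body, sig] = parts
  const given = Buffer.from(sig, 'base64url')
  const secrets = [['current', env.JWT_SECRET], ['previous', env.JWT_SECRET_PREVIOUS]]
  for (const [signedWith, secret] of secrets) {
    if (!secret) continue
    const expected = hmac(`${header}.${body}`, secret)
    if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) continue
    try {
      // Parse only after the signature checks out, and pin the algorithm.
      if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'HS256') return null
      return { payload: JSON.parse(Buffer.from(body, 'base64url')), signedWith }
    } catch {
      return null
    }
  }
  return null
}

// Constructed sample values for the three phases of the rotation steps above.
const OLD = 'constructed-old-secret-0123456789abcdef'
const NEW = 'constructed-new-secret-fedcba9876543210'
const beforeRotation = { JWT_SECRET: OLD }
const duringRotation = { JWT_SECRET: NEW, JWT_SECRET_PREVIOUS: OLD } // steps 2-3
const afterRotation = { JWT_SECRET: NEW }                            // step 4

const oldToken = signToken({ sub: 'user-1' }, beforeRotation)
console.log(verifyToken(oldToken, duringRotation)) // accepted via the previous secret
console.log(verifyToken(oldToken, afterRotation))  // rejected once the old secret is removed
```

Keep the previous secret set until every token signed with it has expired (the `JWT_EXPIRES_IN` lifetime), and log `signedWith` so you can confirm nothing still relies on the old secret before step 4.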

8. Audit Access with RBAC

PandaStack's RBAC controls who can view and edit environment variables:

| Role | Can View Variables | Can Edit Variables |
|---|---|---|
| Owner | Yes | Yes |
| Admin | Yes | Yes |
| Member | No | No |

Review team member roles regularly. When someone leaves your organization, remove their access from PandaStack immediately — their account access to your secrets ends instantly.

Add and remove members: Dashboard → Organization → Members.

Full docs: [docs.pandastack.io](https://docs.pandastack.io).
