Syncs environment variables between AWS Parameter Store and your deployment platforms. Built this after spending a Friday night debugging why production had old database creds.
You have one source of truth (AWS Parameter Store); this pushes it to everywhere else:
AWS Parameter Store → Vercel, Heroku, Railway, local .env
```bash
npm install -g vault-sync
vault-sync init
```

This creates .vault-sync.yaml. Edit it:

```yaml
source:
  type: aws
  region: us-east-1
  prefix: /myapp/prod/
targets:
  - type: vercel
    project: my-frontend
  - type: heroku
    app: my-backend
  - type: local
    path: .env
```

Push to all targets:
```bash
vault-sync push
```

```
Syncing from AWS Parameter Store...
✓ Vercel (production) 4 updated
✓ Heroku (myapp) 4 updated
✓ .env 4 updated
Done.
```
Check what's out of sync without changing anything:
```bash
vault-sync diff
```

Pull from source to local .env only:

```bash
vault-sync pull
```

```bash
vault-sync push --dry-run         # preview changes
vault-sync push --env staging     # specific environment
vault-sync push --filter "DB_*"   # only matching vars
```

Sources: AWS Parameter Store, AWS Secrets Manager, HashiCorp Vault, 1Password
Targets: Vercel, Heroku, Railway, Netlify, Fly.io, local .env
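
The kind of drift check that `vault-sync diff` is described as doing, sketched as an added example (this is not vault-sync's own code). It assumes a parameter such as `/myapp/prod/DB_URL` maps to the variable `DB_URL`, and that `--filter` patterns are shell-style globs; the function names and sample data are constructed. It reports key names only, so secret values never reach a terminal or CI log.

```python
import fnmatch


def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips blanks/comments, strips 'export ' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = map(str.strip, line.removeprefix("export ").partition("="))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def diff_env(source_params, prefix, dotenv_text, pattern="*"):
    """Return drifted key names only; values are compared but never returned."""
    # Assumption: the variable name is the single path segment after the prefix.
    source = {
        name[len(prefix):]: value
        for name, value in source_params.items()
        if name.startswith(prefix) and "/" not in name[len(prefix):]
    }
    target = parse_dotenv(dotenv_text)
    src_keys = {k for k in source if fnmatch.fnmatchcase(k, pattern)}
    tgt_keys = {k for k in target if fnmatch.fnmatchcase(k, pattern)}
    return {
        "missing": sorted(src_keys - tgt_keys),   # in the source, not in .env
        "stale": sorted(k for k in src_keys & tgt_keys if source[k] != target[k]),
        "extra": sorted(tgt_keys - src_keys),     # in .env, unknown to the source
    }


# Constructed sample data (not real credentials).
SAMPLE_PARAMS = {
    "/myapp/prod/DB_URL": "postgres://app:new-pass@db.internal/app",
    "/myapp/prod/DB_POOL": "10",
    "/myapp/prod/API_KEY": "k-2",
    "/myapp/staging/DB_URL": "postgres://staging",
}
SAMPLE_DOTENV = """# local copy
export DB_URL="postgres://app:old-pass@db.internal/app"
DB_POOL=10
LEGACY_FLAG=1
"""

if __name__ == "__main__":
    print(diff_env(SAMPLE_PARAMS, "/myapp/prod/", SAMPLE_DOTENV))
```
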
- Needs AWS credentials configured (`aws configure` or env vars)
- Vercel/Heroku need their CLI tools installed and logged in
- Doesn't store secrets anywhere - streams directly between services
- Fly.io target is slow (~5s per variable) because their API doesn't support batch updates
- Railway target doesn't work with team projects yet, only personal
MIT