Can't access env variables from my yml file


Hi there!

I’m on a very similar situation like here:

I don’t want to upload my secret API keys obviously to the repo, thus I’ve created a set of env varialbes in the Project Settings section:

VR_API_KEY = some_value
IMAGGA_API_KEY = some_value
IMAGGA_API_SECRET = some_value

My yml file that contains the secrets is called config.yml, and now I’ve removed the actual values and looks like this

    api-key: ${VR_API_KEY}
    client-id: ${CLARIFAI_CLIENT_ID}
    client-secret: ${CLARIFAI_CLIENT_SECRET}
    api-key: ${IMAGGA_API_KEY}
    api-secret: ${IMAGGA_API_SECRET}

But when I run tests, I expected that those values should be filled, but at the point where I actually read them from the yml file and print them…I get this


Meaning there is no substitution and therefore all tests will fail…what I’m doing wrong here…by the way, I don’t have a circle.yml file yet…do I need one?




You can create a new file just like I used for test variables here - How can I set secrets.yml for test environment for CircleCI?


Hello, thanks! What does that do exactly? Looks like you’re moving this ci file to become your secrets file, I guess I shouldn’t upload this file to the repo right?


I don’t get your solution on the link posted, you actually say:

“Create config/ with test environment variables”…what does that fix from having the file directly? You still have to upload that file to repo no? What’s the benefit? And what are those “test environment variables”? Do you have different credentials for testing and for production? Thanks


My secrets.yml is not on git. I push it directly to the server. replaces secrets.yml while running the test suite on circleci. I use dummy variables or test account credentials for running test suite. These are just used for some initialization. Otherwise I mock the external services in my test suite.


Hello again, still don’t follow…I don’t have test credentials…I have several API client-id and client-secrets, so they’re the real deal, if I put them on I don’t see what’s the difference with having those values in secrets.yml directly…I’m mocking the calls to the APIs but only the response from the endpoints that return data, I want to check that the rest of the flow works as expected, thus I need the valid credentials. Is this encrypted or anything?


If anyone runs into this, the solution was quite simple, I’ve simply ciphered the config.yml file, and then added an instruction on circle.yml to decipher it as config.yml during building…voilá!

More info here:

And here are the magic lines

    # update locally with:
    # openssl aes-256-cbc -e -in secret-env-plain -out secret-env-cipher -k $KEY
    - openssl aes-256-cbc -d -in config-cipher -k $KEY >> config.yml



So I see you have a solution that works for you. Just to add some additional information, config.yml is a YAML file which is a static text file. This is why the environment variables inside of it weren’t parse. That doesn’t happen for a YAML file. circle.yml is an exception because we parse lines of the file as Bash, and Bash does substitute environment variables.

Aside from the solution you found, you could have also ran the sed command on the YML file ot parse the variables out for their actual values from environment variables.

A third solution could have been to store the entire config file in an environment variable, base64 encoded. Then create the file and decode the environment variable during the build process.


Good to know there are other options, thanks Feliciano!