# How to Prevent Hard-Coded Secrets Instead of writing a secret directly into the source code, you should define an alternative mechanism for obtaining the secret at the places where it is used, such as using environment variables or local files *not under version control*, or relaying to an external secret vault (aka secret manager). These are the most common options:
Environment Variables or Configuration files
Using SCM Secrets [GitHub](#user-content-github) [GitLab](#user-content-gitlab)
Using Cloud Secret Management Services [AWS Secrets Manager](#user-content-aws-secrets-manager) [Azure Key Vault](#user-content-azure-key-vault) [Google Cloud Secret Manager](#user-content-google-cloud-secret-manager)
Using a Third-Party Secret Vault [HashiCorp Vault](#user-content-hashicorp-vault) [CyberArk Conjur](#user-content-cyberarj-conjur)
## Environment Variables or Configuration files Taking secrets from environment variables or configuration files works for any programming language and operating system. Environment variables are not hard-coded, but they should be given the value somewhere. Application code and scripts may read the environment variable, but environment variables must be set before the application or script runs. With local files, you may need to enforce that the exclude patterns in `.gitignore` or `.dockerignore` configurations are properly excluding the secret-holding files {% hint style="info" %} With environment variables, it is more difficult to accidentally leak secrets, but be aware that the software may write environment variables for debugging to standard output/error, potentially disclosing the value in publicly available logs. {% endhint %} A popular way to setup environment variables is to load them from an `.env` file, but remember: that file *should never be under version control*. {% hint style="info" %} A `template.env` file containing only the variable names with empty/blank values, and comments explaining which is the secret and how it is used, is a good technique for documenting the secrets needed and for inventory of the secrets used. If that innocuous `template.env` file is under version control and `.env` in `.gitignore`, users can copy `template.env` to `.env`, and then edit the git-ignored `.env` with the real secrets. {% endhint %} The following are examples for how to get a secret from `.env` file for each ecosystem. Replace the name of the environment variable `SECRET_VAR` and `` to the `.env` file accordingly. {% hint style="info" %} Code examples below are illustrative and simplified, with no error handling and configuration. {% endhint %} {% tabs %} {% tab title="JavaScript" %} ```javascript var dotenv = require('dotenv'); dotenv.config({ path: '/.env' }); const secret = process.env.SECRET_VAR; // alternative: load map instead of setting env vars const secrets = {} dotenv.config({ path: '/.env', processEnv: secrets }); const secret = secrets.SECRET_VAR; ``` See [dotenv](https://github.com/motdotla/dotenv) for full details. {% endtab %} {% tab title="Java" %} ```java // See io.github.cdimascio:dotenv-java in Maven Central Dotenv dotenv = Dotenv.configure() .directory("").filename("env") .load(); String secret = dotenv.get("SECRET_VAR"); // ``` See [dotenv-java](https://github.com/cdimascio/dotenv-java) for full details. {% endtab %} {% tab title="Go" %} 
import (
  "os"
  "github.com/joho/godotenv"
)

func my_func() {
  err := godotenv.Load("<path>/.env")
  if err != nil { ... }
  secret := os.Getenv("SECRET_VAR")

  // alternative: load map instead of setting env vars
  reader := getRemoteFile("<path>/.env")
  secrets, err := godotenv.Parse(reader)
  secret := secrets["SECRET_VAR"]
}
See [GoDotEnv](https://github.com/joho/godotenv) for full details. {% endtab %} {% tab title="C#" %} ```csharp using dotenv.net; using System; DotEnv.Load(options: new DotEnvOptions(envFilePaths: new[] {"/.env"})); string secret = Environment.GetEnvironmentVariable("SECRET_VAR"); // alternative: load map instead of setting env vars var secrets = DotEnv.Read(options: new DotEnvOptions(envFilePaths: new[] {"/.env"})); string secret = secrets["SECRET_VAR"]; ``` See [dotenv.net](https://github.com/bolorundurowb/dotenv.net) for full details. {% endtab %} {% endtabs %} ## Using SCM Secrets Collaboration platforms (aka Source Code Management Systems, SCM) and CI/CD tools often provide Secret Management, so CI/CD pipelines may get the secret securely. ### GitHub Secrets in GitHub are variables set in an organization, repository, or repository environment, available to use in GitHub Actions workflows. For secrets stored at the organization-level, access policies control which repositories can use organization secrets. Organization-level secrets let secrets be shared between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret. For secrets stored at the environment level, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers. Once a secret is registered, it can be referenced in a CI/CD workflow using a `{{ secret.SECRET }}` expression. But if possible, do not pass the secret value to the command to be executed. The command should read the environment variable instead. In the following example, a secret named `API_KEY` is passed to the workflow step in the environment variable `API_KEY`, but its value is then hard-coded in the command line, so it will be visible in the process table: ```yaml steps: - name: Hello world action shell: bash env: # pass the secret as environment variable API_KEY: ${{ secrets.API_KEY }} run: | # Not recommended! ps will show the clear-text secret my-command --key="$API_KEY" ... # my-command must read environment variable API_KEY ``` {% hint style="info" %} Although GitHub Actions automatically redacts ("obfuscates") the contents of all GitHub secrets that are printed to workflow logs, this is not fail-proof. Only a [limited set of secrets](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#redacting-secrets-from-workflow-run-logs) are recognized. {% endhint %} Read creating secrets [for a repository](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository), [for organization](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization), or [for environment](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment) for details on how to register a secret for GitHub Actions at a given scope. ### GitLab GitLab provides [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) as a convenient wau to store and reuse data in a CI/CD pipeline, but they can be exposed by accidental pipeline misconfiguration. GitLab provides support for external secret management providers: * [Vault by HashiCorp](https://docs.gitlab.com/ee/ci/secrets/#use-vault-secrets-in-a-ci-job). * [Google Cloud Secret Manager](https://docs.gitlab.com/ee/ci/secrets/gcp_secret_manager.html). * [Azure Key Vault](https://docs.gitlab.com/ee/ci/secrets/azure_key_vault.html). After [configuring a vault server](https://docs.gitlab.com/ee/ci/secrets/#configure-your-vault-server), you may use vault secrets in a GitLab CI job:
```yaml job_using_vault: id_tokens: VAULT_ID_TOKEN: aud: https://vault.example.com # use your own secrets: SECRET: # translates to secret `ops/data/production/db`, field `password` vault: production/db/password@ops file: false token: $VAULT_ID_TOKEN ``` This stores the value of the secret fetched from the vault into the SECRET variable. Read [Using external secrets in CI](https://docs.gitlab.com/ee/ci/secrets/) for full details. ## Using Cloud Secret Management Services ### AWS Secrets Manager [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) is the secret vault service in Amazon Web Services platform. The following are examples of how to use the official libraries for getting a secret using different programming languages: {% tabs %} {% tab title="JavaScript" %} ```javascript import { GetSecretValueCommand, SecretsManagerClient, } from "@aws-sdk/client-secrets-manager"; export const getSecretValue = async (secretName: string) => { const client = new SecretsManagerClient(); const response = await client.send( new GetSecretValueCommand({ SecretId: secretName, }), ); console.log(response); if (response.SecretString) { return response.SecretString; } else if (response.SecretBinary) { return response.SecretBinary; } }; let secret = await get_secret("SECRET") ``` See [AWS SDK for JavaScript v3](https://github.com/aws/aws-sdk-js-v3) for further details. {% endtab %} {% tab title="Python" %} The following uses [Boto3](https://github.com/boto/botocore), the official Python interface maintained by AWS. ```python import boto3 client = boto3.client('secretsmanager') secret = client.get_secret_value('SECRET')['SecretString'] ``` See [SecretsManager client](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html) for further details. {% endtab %} {% tab title="Java" %} The [AWS Secrets Manager Java caching client](https://github.com/aws/aws-secretsmanager-caching-java) is the official Java library for accessing AWS Secrets Manager ```java import com.amazonaws.secretsmanager.caching.SecretCache; SecretCache cache = new SecretCache(); String secret = cache.getSecretString("SECRET"); ``` {% endtab %} {% tab title="Go" %} The [secretsmanager](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/secretsmanager) package provides the official API client, operations, and parameter types for AWS Secrets Manager, using the [AWS SDK for Go](https://github.com/aws/aws-sdk-go-v2). ```go import ( "context" "encoding/json" "fmt" "log" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/secretsmanager" ) cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(your_region)) if err != nil { ... } client := secretsmanager.NewFromConfig(cfg) input := &secretsmanager.GetSecretValueInput{ SecretId: aws.String(secretName), } result, err := svc.GetSecretValue(input) if err != nil { ... } secret := *result.SecretString ``` {% endtab %} {% tab title="C#" %} 
using Amazon.SecretsManager.Extensions.Caching;

var client = new AmazonSecretsManagerClient();
var response = await GetSecretAsync(client, "SECRET");
if (response is not null && response.SecretString is not null)
{
    string secret = response.SecretString;
}
...

private static async Task<GetSecretValueResponse>
  GetSecretAsync( IAmazonSecretsManager client, string secretName )
{
    var request = new GetSecretValueRequest()
    {
        SecretId = secretName,
        VersionStage = "AWSCURRENT", // the default
    };

    return await client.GetSecretValueAsync(request);
}
For full details, proceed with [Get a Secrets Manager secret value using the .NET AWS SDK](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets-net-sdk.html). {% endtab %} {% endtabs %} ### Azure Key Vault The [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault/) is the secrets management service in Azure. The following shows how to retrieve a secret using the official libraries for some popular languages. {% tabs %} {% tab title="JavaScript" %} The following shows how to use the [@azure/keyvault-secrets](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/keyvault/keyvault-secrets) package. ```javascript const { SecretClient } = require("@azure/keyvault-secrets"); const { DefaultAzureCredential } = require("@azure/identity"); const keyVaultName = "your-key-vault-name"; const kvUri = `https://${keyVaultName}.vault.azure.net`; const credential = new DefaultAzureCredential(); const client = new SecretClient(kvUri, credential); const secret = await client.getSecret("SECRET"); ``` {% endtab %} {% tab title="Python" %} The [azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets) is the official Python library for accessing the Key Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.secrets import SecretClient key_vault_name = "your-key-vault-name" kv_uri = f"https://{key_vault_name}.vault.azure.net" credential = DefaultAzureCredential() client = SecretClient(vault_url=kv_uri, credential=credential) secret = client.get_secret('SECRET').value ``` {% endtab %} {% tab title="Java" %} The following shows how to fetch a secret from Key Vault using the `com.azure:azure-security-keyvault-secrets` library. ```java String keyVaultName = "your-key-vault-name"; String kvUri = "https://" + keyVaultName + ".vault.azure.net"; SecretClient client = new SecretClientBuilder() .vaultUrl(kvUri) .credential(new DefaultAzureCredentialBuilder().build()) .buildClient(); String secret = client.getSecret("SECRET").getValue(); ``` Read [azure-security-keyvault-secrets](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/keyvault/azure-security-keyvault-secrets/README.md) documentation for full details. {% endtab %} {% tab title="Go" %} The following fetches a secret from Key Vault using [Azure Key Vault Secrets client module for Go](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/security/keyvault/azsecrets). ```go import ( "context" "fmt" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" ) keyVaultName := "your-key-vault-name" kvUri := fmt.Sprintf("https://%s.vault.azure.net", keyVaultName) cred, err := azidentity.NewDefaultAzureCredential(nil) if err != nil {...} client, err := azsecrets.NewClient(kvUri, cred, nil) if err != nil {...} secretResp, err := client.GetSecret(context.Background(), secretName, nil) if err != nil {...} secret = *secretResp.Value ``` {% endtab %} {% tab title="C#" %} The following shows how to fetch a secret using the [Azure Key Vault secret client library for .NET](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/keyvault/Azure.Security.KeyVault.Secrets). ```csharp using Azure.Identity; using Azure.Security.KeyVault.Secrets; string keyVaultName = "your-key-vault-name"; string kvUri = $"https://{keyVaultName}.vault.azure.net"; var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential()); var secret = client.GetSecret("SECRET").Value; ``` {% endtab %} {% endtabs %} ### Google Cloud Secret Manager [Secret Manager](https://cloud.google.com/security/products/secret-manager) is Google Cloud’s storage system for API keys, passwords, certificates, and other sensitive data. In the following, `` represents your Google Cloud Project ID, and `SECRET` is the name of the secret to fetch. It is assumed that the latest version of the secret is fetched. Examples can be found in the [Quickstart](https://cloud.google.com/secret-manager/docs/reference/libraries#use) page. {% tabs %} {% tab title="JavaScript" %} The [@google-cloud/secret-manager](https://github.com/googleapis/google-cloud-node/tree/main/packages/google-cloud-secretmanager#secret-manager-nodejs-client) is the official JavaScript library for Secret Manager. The following example shows how to fetch a secret. ```javascript const { SecretManagerServiceClient } = require('@google-cloud/secret-manager').v1; const client = new SecretManagerServiceClient(); async function accessSecretVersion() { const [version] = await client.accessSecretVersion({ name: 'projects//secrets/SECRET/versions/latest', }); return version.payload.data.toString('utf8'); } const secret = await accessSecretVersion(); ``` {% endtab %} {% tab title="Python" %} See [Python Client for Secret Manager](https://github.com/googleapis/google-cloud-python/tree/main/packages/google-cloud-secret-manager). ```python from google.cloud import secretmanager def access_secret(): client = secretmanager.SecretManagerServiceClient() name = "projects//secrets/SECRET/versions/latest" response = client.access_secret_version(request={"name": name}) return response.payload.data.decode("UTF-8") # Usage secret = access_secret() ``` {% endtab %} {% tab title="Java" %} See [Google Secret Management Client for Java](https://github.com/googleapis/google-cloud-java/tree/main/java-secretmanager). ```java import com.google.cloud.secretmanager.v1.SecretManagerServiceClient; import com.google.cloud.secretmanager.v1.AccessSecretVersionRequest; import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse; public static String accessSecret() { String secretName = "projects//secrets/SECRET/versions/latest"; try (var client = SecretManagerServiceClient.create()) { var request = AccessSecretVersionRequest.newBuilder() .setName(secretName) .build(); var response = client.accessSecretVersion(request); return response.getPayload().getData().toStringUtf8(); } catch (Exception e) { throw new RuntimeException(e); } } String secret = accessSecret(); ``` {% endtab %} {% tab title="Go" %} See [Secret Manager API for Go](https://github.com/googleapis/google-cloud-go/tree/main/secretmanager). ```go import ( "context" "fmt" "log" secretmanager "cloud.google.com/go/secretmanager/apiv1" secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1" ) func accessSecret() (string, error) { ctx := context.Background() client, err := secretmanager.NewClient(ctx) if err != nil {...} defer client.Close() req := &secretmanagerpb.AccessSecretVersionRequest{ Name: "projects//secrets/SECRET/versions/latest", } result, err := client.AccessSecretVersion(ctx, req) if err != nil {...} return string(result.Payload.Data), nuil } secret, err := accessSecret() ``` {% endtab %} {% tab title="C#" %} ```csharp using Google.Cloud.SecretManager.V1; using System; using System.Threading.Tasks; public static async Task AccessSecretAsync(string projectId, string secretId, string versionId) { var client = await SecretManagerServiceClient.CreateAsync(); var secretVersionName = SecretVersionName.FromProjectSecretVersion("", "SECRET", "latest"); var result = await client.AccessSecretVersionAsync(secretVersionName); return result.Payload.Data.ToStringUtf8(); } var secret = await AccessSecretAsync(); ``` See [SecretManagerServiceClient](https://cloud.google.com/dotnet/docs/reference/Google.Cloud.SecretManager.V1/latest/Google.Cloud.SecretManager.V1.SecretManagerServiceClient). {% endtab %} {% endtabs %} ## Using a Third-Party Secret Vault ### HashiCorp Vault [HashiCorp Vault](https://www.vaultproject.io/) is a centralized secrets management system that provides secure storage of sensitive information, such as password, API keys, access tokens or cryptographic keys, encrypted in transit and at rest. It permits dynamic generation for temporary, on-demand credentials, and advanced features like automated key rotation and leasing/renewal of secrets, plus some built-in support for secret revocation. In what follows, we assume a mount point of "secret" and a vault path of "SECRET", and the secret is stored under key "value". {% tabs %} {% tab title="JavaScript" %} See [node-vault](https://www.npmjs.com/package/node-vault), unofficial NPM package for Vault. ```javascript const options = { apiVersion: "v1", endpoint: process.env.VAULT_URL, token: process.env.VAULT_TOKEN }; const vault = require("node-vault")(options); async function getSecret() { const result = await vault.read("secret/SECRET"); return result.data.data.value; } var secret = getSecret(); ``` {% endtab %} {% tab title="Python" %} The following uses [hvac](https://github.com/hvac/hvac), a Python client for Vault and other secret managers. ```python import hvac import os client = hvac.Client(url = os.environ['VAULT_URL'], token = os.environ['VAULT_TOKEN']) client.secrets.kv.v2.configure( max_versions = 20, mount_point = 'secret', ) # Assuming you've already authenticated res = client.secrets.kv.v2.read_secret_version(path='SECRET') secret = res.data.data.value ``` {% endtab %} {% tab title="Java" %} The example uses the (unofficial) [Vault Java Driver](https://github.com/BetterCloud/vault-java-driver). ```java import com.bettercloud.vault.Vault; import com.bettercloud.vault.VaultConfig; import com.bettercloud.vault.VaultException; var config = new VaultConfig() .address(System.getenv("VAULT_URL")) .token(System.getenv("VAULT_TOKEN")) .build(); Vault vault = new Vault(config); String secret = vault.logical().read("secret/SECRET").getData().get("value"); ``` {% endtab %} {% tab title="Go" %} The following example uses the [Vault API](https://pkg.go.dev/github.com/hashicorp/vault/api) official Go library. ```go import ( "os" vault "github.com/hashicorp/vault/api" ) config := vault.DefaultConfig() config.Address = os.Getenv("VAULT_URL") client, err := vault.NewClient(config) if err != nil {...} client.SetToken( os.Getenv("VAULT_TOKEN") ) // default mount point secret. Secret data with string keyed by "value" resp, err := client.Logical().Read("secret/SECRET") if err != nil {...} if resp == nil {...} secret, ok := resp.Data["value"].(string) ``` {% endtab %} {% tab title="C#" %} The following example uses [VaultSharp](https://github.com/rajanadar/VaultSharp), .NET library for Vault. ```csharp using System; using VaultSharp; using VaultSharp.V1.AuthMethods.Token; using VaultSharp.V1.Commons; // recommendation: get url and token from environment string vaultUrl = Environment.GetEnvironmentVariable("VAULT_URL"); string token = Environment.GetEnvironmentVariable("VAULT_TOKEN"); var settings = new VaultClientSettings(vaultUrl, new TokenAuthMethodInfo(token)); var client = new VaultClient(settings); Secret res = await client.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "SECRET", mountPoint: "secret").Result; string secret = res.Data.Data["value"]; ``` {% endtab %} {% endtabs %} ### CyberArk Conjur [CyberArk Conjur](https://www.conjur.org/) is an open-source security tool for managing secrets and credentials in modern IT environments. The following show how to fetch a secret from CyberArk Conjur for popular programming languages. The environment variables `CONJUR_APPLIANCE_URL`, `CONJUR_ACCOUNT`, `CONJUR_USERNAME` and `CONJUR_APIKEY` contain the configuration needed to authenticate for fetching the secret. Go to [Client Libraries](https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Developer/lp_API_OpenSource.htm?tocpath=Developer%7CClient%20libraries) or for further detail. {% tabs %} {% tab title="Java" %} The following code uses the official [conjur-api-java](https://github.com/cyberark/conjur-api-java) library. ```java import com.cyberark.conjur.api.Conjur; String conjurUrl = System.getenv("CONJUR_APPLIANCE_URL"); String conjurAccount = System.getenv("CONJUR_ACCOUNT"); String conjurUsername = System.getenv("CONJUR_USERNAME"); String conjurApikey = System.getenv("CONJUR_APIKEY"); var credentials = new Credentials(conjurUsername, conjurApikey); var conjur = new Conjur(credentials); String secret = conjur.variables().retrieveSecret("SECRET"); ``` {% endtab %} {% tab title="JavaScript" %} The following code uses the official [conjur-api-java](https://github.com/cyberark/conjur-api-java) library. ```javascript const axios = require('axios'); cont conf = { url: process.env.CONJUR_APPLIANCE_URL, account: process.env.CONJUR_ACCOUNT, username: process.env.CONJUR_USERNAME, apikey: process.env.CONJUR_APIKEY }; async function getConjurSecret() { // Authenticate and get session token const authResponse = await axios.post( `${conf.url}/authn/${conf.account}/${conf.username}/authenticate`, conf.apiKey, { headers: { 'Content-Type': 'text/plain' } } ); const sessionToken = Buffer.from(authResponse.data).toString('base64'); // Retrieve secret const secretResponse = await axios.get( `${conjurUrl}/secrets/${conf.account}/variable/SECRET`, { headers: { Authorization: `Token token="${sessionToken}"` } } ); return secretResponse.data; } var secret = await getConjurSecret(); ``` {% endtab %} {% tab title="Python" %} In Python, there is no official SDK but the REST api could be invoked directly using the `requests` library: ```python import requests import base64 import os conjur_url = os.environ['CONJUR_APPLIANCE_URL'] conjur_account = os.environ['CONJUR_ACCOUNT'] conjur_username = os.environ['CONJUR_USERNAME'] conjur_apikey = os.environ['CONJUR_APIKEY'] def get_conjur_secret(): # Authenticate and get session token auth_url = f"{conjur_url}/authn/{conjur_account}/{conjur_username}/authenticate" auth_response = requests.post(auth_url, data = conjur_apikey) auth_response.raise_for_status() session_token = base64.b64encode(auth_response.content).decode('utf-8') # Retrieve secret secret_url = f"{conjur_url}/secrets/{conjur_account}/variable/SECRET" headers = {"Authorization": f'Token token="{session_token}"'} secret_response = requests.get(secret_url, headers=headers) secret_response.raise_for_status() return secret_response.text secret = get_conjur_secret() ``` {% endtab %} {% tab title="Go" %} The following example retrieves a secret using the community-supported [conjurapi](https://github.com/cyberark/conjur-api-go) Go module. ```go import ( "os" "github.com/cyberark/conjur-api-go/conjurapi" "github.com/cyberark/conjur-api-go/conjurapi/authn" ) // Assumes CONJUR_APPLIANCE_URL and CONJUR_ACCOUNT passed as environment variables config, err := conjurapi.LoadConfig() if err != nil {...} conjur, err := conjurapi.NewClientFromKey(config, authn.LoginPair{ Login: os.Getenv("CONJUR_USERNAME"), APIKey: os.Getenv("CONJUR_APIKEY"), }, ) if err != nil {...} // Retrieve a secret into []byte. secretValue, err := conjur.RetrieveSecret(variableIdentifier) if err != nil {...} secret = string(secretValue) // Retrieve a secret into io.ReadCloser, then read into []byte. // Alternatively, you can transfer the secret directly into secure memory, vault, keychain, etc. secretResponse, err := conjur.RetrieveSecretReader("SECRET") if err != nil {...} secret, err = conjurapi.ReadResponseBody(secretResponse) ``` {% endtab %} {% tab title="C#" %} This example uses the official [Conjur API for .NET](https://github.com/cyberark/conjur-api-dotnet). ```csharp using System; using Conjur; string conjurUrl = Environment.GetEnvironmentVariable("CONJUR_APPLIANCE_URL"); string conjurAccount = Environment.GetEnvironmentVariable("CONJUR_ACCOUNT"); string conjurUsername = Environment.GetEnvironmentVariable("CONJUR_USERNAME"); string conjurApikey = Environment.GetEnvironmentVariable("CONJUR_APIKEY"); Client client = new Client("https://myorg.com", account); string token = client.Login(conjurUsername, conjurApikey); Variable variable = new Variable(client, "SECRET"); var secret = variable.GetValue(); ``` {% endtab %} {% endtabs %}