Variables of Variables in /bin/sh

file_env.sh

#!/bin/sh
file_env() {
    local envVar="$1"
    local fileVar="${envVar}_FILE"
    eval envVarContents="\$${envVar}"
    eval fileVarContents="\$${fileVar}"
    if [ ! -z "$envVarContents" ] && [ ! -z "$fileVarContents" ]; then
        echo >&2 "error: both $envVar and $fileVar are set (but are exclusive)"
        exit 1
    fi
    local val
    if [ ! -z "${envVarContents}" ]; then
        val="${envVarContents}"
    elif [ ! -z "${fileVarContents}" ]; then
        val=`cat ${fileVarContents}`
    elif [ ! -z "$2" ]; then
        val=$2
    fi
    export "$envVar"="$val"
    unset "$fileVar"
}

###########################
## Example Script Use
###########################
file_env 'TEST' foo
echo $TEST

###########################
## Example Command Line Use
###########################
#  $ echo 'hi' > /myenv
#  $ ./file_env.sh
#  foo
#  $ TEST=asdf ./file_env.sh
#  asdf
#  $ TEST_FILE=/myenv ./file_env.sh
#  hi

I use this to get non-critical Docker Secrets into environment variables.

docker exec can be controlled by authz plugins, that is what DDC does for example. Writing to environment variables is writing the clear text to a place that the system has no real control over. The whole point is to keep secrets in only one single in memory controlled place, with as restricted access as possible. Keeping secrets out of environment variables is a deliberate design decision and is not going to be reversed.
-- justincormack commented on Feb 10, 2017

Example:

• The first-run of a new mariadb image to specify MYSQL_ROOT_PASSWORD_FILE