Skip to main content

Using the envsubst Command to Replace Environment Variables

·393 words·2 mins
Envsubst Linux Shell Script Environment Variables
Table of Contents

When writing or running shell scripts, you often rely on environment variables. However, directly embedding them in files or scripts can sometimes introduce security risks. That’s where the envsubst command comes in — it provides a safer and more controlled way to substitute environment variables into files.

The name itself comes from environment substitute. The command scans for variables like $VARIABLE or ${VARIABLE} and replaces them with the corresponding exported values. Importantly, envsubst only recognizes exported variables, not shell-local ones.


Basic Syntax
#

envsubst [OPTION] [SHELL-FORMAT]

Example: Replacing Variables in a File
#

Let’s say you have a file named confidential.txt with the following content:

A sample file containing password and username!

And should not be shared by any means.

My login credentials are:

        username=$USERNAME
        password=$PASSWORD

First, export the variables you want to substitute:

export USERNAME=abhiman
export PASSWORD=strongphrase

Now run:

envsubst < confidential.txt

Output:

A sample file containing password and username!

And should not be shared by any means.

My login credentials are:

        username=abhiman
        password=strongphrase

Unsetting Variables
#

You can remove variable values with the unset command:

unset USERNAME PASSWORD

Running envsubst again results in blank substitutions:

username=
password=

This happens because once unset, the variables are null, and envsubst cannot find any values to replace.


Redirecting Output to a File
#

Instead of printing results to the terminal, you can redirect them to a new file using >:

envsubst < confidential.txt > Output.txt

Now, Output.txt contains the replaced values:

username=abhiman
password=strongphrase

Substituting Only Specific Variables
#

If you’ve exported multiple variables but want to substitute only a subset, you can specify them explicitly in single quotes:

envsubst '$USER $SERVICE' < Substitute.txt

Example Substitute.txt:

Hello, My name is $USER.

And these are login credentials for $SERVICE:

        username=$USERNAME
        password=$PASSWORD

Not meant for public use!

Export variables:

export USER=sagar
export SERVICE=AWS
export USERNAME=LHB
export PASSWORD=randomphrase

Run substitution for only $USER and $SERVICE:

Hello, My name is sagar.

And these are login credentials for AWS:

        username=$USERNAME
        password=$PASSWORD

Not meant for public use!

As shown, $USERNAME and $PASSWORD remain unchanged.


Conclusion
#

The envsubst command is a simple yet powerful tool for safely replacing environment variables in configuration files, templates, and scripts. By exporting only the variables you want and specifying subsets when necessary, you gain fine-grained control over substitutions.

This makes envsubst especially useful for automation scripts, CI/CD pipelines, and secure configuration management in Linux environments.

Related

How to Monitor Thread Count for Each Microservice in Linux
·502 words·3 mins
Linux CPU Thread Top Microservices Monitoring
Kali Linux – The Swiss Army Knife of Penetration Testing
·516 words·3 mins
Kali Linux Penetration Testing Wireshark Cybersecurity Ethical Hacking