When writing or running shell scripts, you often rely on environment variables. However, directly embedding them in files or scripts can sometimes introduce security risks. That’s where the envsubst command comes in: it provides a safer and more controlled way to substitute environment variables into files.
The name itself comes from "environment substitute". The command scans for variables like $VARIABLE or ${VARIABLE} and replaces them with the corresponding exported values. Importantly, envsubst only recognizes exported variables, not shell-local ones.
Basic Syntax
envsubst [OPTION] [SHELL-FORMAT]
Example: Replacing Variables in a File
Let’s say you have a file named confidential.txt with the following content:
A sample file containing password and username!
And should not be shared by any means.
My login credentials are:
username=$USERNAME
password=$PASSWORD
First, export the variables you want to substitute:
export USERNAME=abhiman
export PASSWORD=strongphrase
Now run:
envsubst < confidential.txt
Output:
A sample file containing password and username!
And should not be shared by any means.
My login credentials are:
username=abhiman
password=strongphrase
Unsetting Variables
You can remove variable values with the unset command:
unset USERNAME PASSWORD
Running envsubst again results in blank substitutions:
username=
password=
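This happens because once unset, the variables no longer have values, so envsubst replaces each reference with an empty string. It does this silently, without an error message or a non-zero exit status, so a missing variable can go unnoticed in a rendered file.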
Redirecting Output to a File
Instead of printing results to the terminal, you can redirect them to a new file using >:
envsubst < confidential.txt > Output.txt
With USERNAME and PASSWORD exported again, Output.txt now contains the replaced values:
username=abhiman
password=strongphrase
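Substituting Only Specific Variables
If you’ve exported multiple variables but want to substitute only a subset, you can specify them explicitly in single quotes. The single quotes stop the shell from expanding the names itself, so envsubst receives them as a literal list: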
envsubst '$USER $SERVICE' < Substitute.txt
Example Substitute.txt:
Hello, My name is $USER.
And these are login credentials for $SERVICE:
username=$USERNAME
password=$PASSWORD
Not meant for public use!
Export variables:
export USER=sagar
export SERVICE=AWS
export USERNAME=LHB
export PASSWORD=randomphrase
Running the substitution for only $USER and $SERVICE produces:
Hello, My name is sagar.
And these are login credentials for AWS:
username=$USERNAME
password=$PASSWORD
Not meant for public use!
As shown, $USERNAME and $PASSWORD remain unchanged.
Conclusion
The envsubst command is a simple yet powerful tool for safely replacing environment variables in configuration files, templates, and scripts. By exporting only the variables you want and specifying subsets when necessary, you gain fine-grained control over substitutions.
This makes envsubst especially useful for automation scripts, CI/CD pipelines, and secure configuration management in Linux environments.