Using Vault Secrets per-Environment

Hi all. I’m trying to figure out how to use secrets from my Vault on a per-Environment basis. I’d like to re-make the case that this should be a 1st-class feature and not a hacky workaround.

I know this workaround exists. But with the greatest respect to @oliviercuyp, that’s what it is: a workaround. It really shouldn’t be necessary and adds unnecessary complexity.

My use-case

I use Clerk’s Backend API. There’s a single endpoint and you hit Dev or Prod depending on the value of your CLERK_SECRET_KEY which begins sk_test… or sk_prod… – a very common pattern.

It seems obvious that I would like to:

  1. Configure a single Collection for this API.
  2. Store my secret Prod key in the Vault.[^0]
  3. Use the Environments feature, defining CLERK_SECRET_KEY as a variable in each, and using the {{vault:_}} value.
  4. And now just use my Collection, switching Environment as required.

And no, I don’t want 2 Collections. I configure each API call with, say, JSON in the body. For example, adding user metadata to a create invitation call. Multiple collections is now multiple places to keep that updated, and an opportunity to make a mistake.

I rest my case.

[^0]: This key being very secret to me. I store it in 1Password and use their integration to inject it into my environment. The only place I trust it to be in Postman is in the Vault. You get it, you get all my users.

Right now, you’ve got just one local vault, and it’s not connected to any specific environment—so it doesn’t know whether it’s being used for PROD or TEST. Just looking at the environment name isn’t always enough to figure that out.

Since there’s only one vault, you can’t reuse variable names across environments. That means you’ll need to create two separate entries with slightly different names.

One way to make things clearer is to add a variable in each environment that explicitly says what the environment is (like “PROD” or “TEST”). You can then use that variable to automatically set the vault suffix.

If this doesn’t work for you, Postman has a GitHub page where you can suggest new ideas—it’s a great way to get it in front of the right people.
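The suffix approach described in the reply above, sketched as a pre-request script; this is an added example, not code from the thread or from Postman. The environment variable name `envName`, the vault entry names `clerk-secret-PROD` / `clerk-secret-TEST` and both helper functions are assumptions; `pm.environment.get`, `pm.vault.get` and `pm.variables.set` are Postman's scripting calls.

```javascript
// Added example: choose the vault entry from an explicit environment marker.
// Assumed setup: each Environment defines envName = "PROD" or "TEST", and the
// vault holds one entry per environment named clerk-secret-<envName>.
const ALLOWED_ENVS = ["PROD", "TEST"];

// Build the vault entry name. Anything outside the allow-list throws, so a
// missing or misspelled marker never silently selects another key.
function vaultKeyFor(envName, base = "clerk-secret") {
  const env = String(envName ?? "").trim().toUpperCase();
  if (!ALLOWED_ENVS.includes(env)) {
    throw new Error(`Unknown environment marker: "${envName}"`);
  }
  return `${base}-${env}`;
}

// Resolve the secret through a pm-like object and expose it only as a
// request-scoped variable, so the value is never written to the Environment.
async function loadSecret(pmLike) {
  const key = vaultKeyFor(pmLike.environment.get("envName"));
  const secret = await pmLike.vault.get(key); // pm.vault.get returns a Promise
  if (!secret) {
    throw new Error(`Vault entry "${key}" is missing or empty`);
  }
  // Requests in the Collection keep referencing {{CLERK_SECRET_KEY}}.
  pmLike.variables.set("CLERK_SECRET_KEY", secret);
  return key; // return the entry name only, never the secret itself
}

// Postman provides the global `pm`; elsewhere (for example Node) this is skipped.
if (typeof pm !== "undefined") {
  loadSecret(pm);
}
```

Placed at Collection level, the script runs before every request, so the per-request configuration stays in one Collection.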

Yeah this is the workaround. It works … it’s just a bit hacky.

Ah I had assumed they would be seen here. I’ll do that. Thanks Mike.

Thanks for the AI-generated response that mostly re-hashed the existing points (which, of course it did). :unamused_face: