JetBrains IDEs
Inject secrets from Phase directly into your JetBrains IDE run configurations — IntelliJ IDEA, PyCharm, GoLand, WebStorm, RubyMine and others — using the EnvFile plugin. No plaintext .env on disk, no code changes, and your existing run configuration stays exactly as-is. This is especially useful for users who either don't have their application set up to read secrets from environment variables and or can't start their application stack using a single entrypoint.
Why not phase run?
phase run works when your application has a single launch command you can prefix. Many JetBrains run configurations don't — managed application servers like Tomcat, Jetty or WildFly start the JVM through the IDE's own integration, so there is no command for you to put phase run in front of, and secrets never get injected.
Instead, point the EnvFile plugin at a small script that pulls secrets from Phase at launch. EnvFile injects them as environment variables into the run configuration's process — the same mechanism a static .env file uses, but sourced from Phase and never written to disk.
Prerequisites
- Have signed up for the Phase Console and created an application
- Install the CLI and authenticate the
phaseCLI - Install the EnvFile plugin (Settings → Plugins → Marketplace → "EnvFile")
If you are using a Self-Hosted instance of the Phase Console, supply the
PHASE_HOST environment variable with your URL (https://<HOST>) inside the
script below.
Setup
- Link your project
In the root of your project, link it to a Phase app and environment. This creates a .phase.json (it holds the app and environment IDs, not secrets, so it's safe to commit).
phase init
- Add an export script
Create phase-env.sh in the root of your project and make it executable. EnvFile runs it on every launch and parses its output as environment variables.
phase-env.sh
#!/usr/bin/env bash
set -euo pipefail
cd "$(dirname "$0")" # so .phase.json is picked up
exec phase secrets export --env dev
chmod +x phase-env.sh
GUI-launched IDEs (especially via JetBrains Toolbox) often start with a
minimal PATH and may not find phase. If the script fails, replace phase
with the absolute path from which phase.
- Wire it into your run configuration
Open your run configuration → EnvFile tab → check Enable EnvFile. Click +, add phase-env.sh, and tick the executable checkbox for that entry so EnvFile runs it instead of reading it as a static file. Remove any .env entry you no longer need.
This produces the following in your run configuration XML:
<extension name="net.ashald.envfile">
<option name="IS_ENABLED" value="true" />
<ENTRIES>
<ENTRY IS_ENABLED="true" PARSER="runconfig" IS_EXECUTABLE="false" />
<ENTRY IS_ENABLED="true" PARSER="env" IS_EXECUTABLE="true" PATH="$PROJECT_DIR$/phase-env.sh" />
</ENTRIES>
</extension>
- Run
Start your run configuration as usual. Secrets are pulled fresh from Phase and injected as environment variables — your application reads them with System.getenv("MY_SECRET") (or @Value("${MY_SECRET}") / Environment in Spring) with no code changes.