Environment variables are the primary means by which the wasmCloud host obtains configuration. For a full list of supported environment variables, check out the host configuration section of the documentation.
When it comes to environment variables, there are, however, some security pitfalls into which it is remarkably easy to fall. In many production scripts that we’ve seen in the past, environment variables are set on the command line along with invoking the script, e.g.
$ ENV_VAR_1=foo ENV_VAR_2=bar ./startapp
The downside to this is that anyone on the same server with access to the process list (generally less secure than explicitly-owned folders) can see all commands used to start all processes. As a precaution, we recommend not following this pattern and instead setting environment variables prior to the execution of a process like the wasmCloud host.
We support the use of .env files, a loose standard around supplying a hierarhical set of files for setting up environment variables to be used by a process. You can also explicitly set environment variables in whatever script you use to launch the wasmCloud host.
In summary, environment variables used by wasmCloud host can contain sensitive information (especially signing keys, which are discussed next), and you need to plan around this and take as many measures as possible to keep environment variable data secure.