2 minutes reading time
Serverless Express

Serverless with Express

In this tutorial, learn how to integrate Dotenv Vault with Serverless. This tutorial assumes you are already familiar with the Serverless README.

Install dotenv-vault

Create your local .env file.


Add dotenv-vault-core to package.json.

$ npm install dotenv-vault-core --save

In handler.js, as early as possible, require dotenv-vault-core.

// handler.js

const serverless = require("serverless-http");
const express = require("express");
const app = express();

app.get("/", (req, res, next) => {
  return res.status(200).json({
    message: `Hello ${process.env.HELLO}!`,


Test that it is working by invoking your function locally.

$ serverless invoke local --function api

You will receive output like the following.

  "statusCode": 200,
  "headers": {
    "x-powered-by": "Express",
    "content-type": "application/json; charset=utf-8",
    "content-length": "26",
    "etag": "W/\"1a-iEQ9RXvkycqsT4vWvcdHrxZT8OE\""
  "isBase64Encoded": false,
  "body": "{\"message\":\"Hello World!\"}"

Great! Next build the localized .env.vault file for deploy.

Build .env.vault

Set a production value for when we deploy. I set it to HELLO=Production. Run dotenv-vault open to edit production values.

$ npx dotenv-vault open production

Then build your localized encrypted .env.vault file.

$ npx dotenv-vault build

Great! Commit your .env.vault file to code. It is safe to do so. It is a localized encrypted vault of your environment variables.

Deploy with DOTENV_KEY

Configure serverless.yml to inject the DOTENV_KEY.

IMPORTANT: Also add a package ignore pattern for your .env.me and .env files. You want serverless to only package your .env.vault file.

# serverless.yml
  name: aws
  runtime: nodejs14.x

    - '!.env*'
    - '.env.vault'


Run npx dotenv-vault keys to view your decryption key.

$ npx dotenv-vault keys production
remote:   Listing .env.vault decryption keys... done


Deploy by setting DOTENV_KEY as a param.

serverless deploy --param "DOTENV_KEY=dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production"

Your app will say ‘Hello Production’.

That’s it! On deploy, Serverless will inject DOTENV_KEY as an environment variable. On function execution, your .env.vault will be decrypted and load the production environment variables to your serverless function.

If you run into a snag or have a question, reach out at support@dotenv.org.

Updated Saturday (Nov 26)