Documentation
Advanced Topics
Environment and File Variable Substitution

Environment and file variable substitution

CloudQuery configuration .yml files support substitution of values from environment variables. This allows you to keep sensitive data (like passwords & tokens) or variable data (that you want to change without touching CloudQuery configuration) outside the configuration file and load them from environment variables at run-time.

Environment variable substitution example

Inside postgresql.yml:

kind: "destination"
spec:
  name: "postgresql"
  spec:
    connection_string: ${PG_CONNECTION_STRING}

PG_CONNECTION_STRING will be sourced from the environment and replaced with the value of ${PG_CONNECTION_STRING} before processing.

File variable substitution example

Inside postgresql.yml:

kind: "destination"
spec:
  name: "postgresql"
  spec:
    connection_string: ${file:./path/to/secret/file}

Local path ./path/to/secret/file will be read and replaced with the contents of the file before processing.

Environment variables with multi-line JSON

Multi-line JSON, such as those required by the service account key for the GCP integration, can be imported by using pipe '|' operator. The substitution should be in the next line and it should be indented by a single tab before. You don't need to escape any characters while passing the variable.

Inside gcp.yml:

kind: "source"
spec:
  name: "gcp"
  spec:
    service_account_key_json: |
      ${GCP_SERVICE_ACCOUNT_KEY_JSON}

JSON files in older versions

If the file or environment variable being substituted in contains JSON, it should be imported as-is. If you're using CloudQuery version 3.5.0 or prior, it should be imported inside single quotes and content should be escaped with newlines removed.

kind: "destination"
spec:
  name: "bigquery"
  spec:
    service_account_key_json: '${file:./path/to/secret/file.json}' # single quotes only for CLI versions 3.5.0 or prior

Time variable substitution example

CloudQuery configuration files support value substitution using both relative and fixed timestamps. Relative timestamps can be specified as now, x seconds [ago|from now], x minutes [ago|from now], x hours [ago|from now], x days [ago|from now], or until. Fixed timestamps follow the RFC3339 (e.g. 2025-03-21T08:53:19+00:00) or dateOnly formats (e.g. 2025-01-01)

Inside aws.yml:

kind: source
spec:
  # Source spec section
  name: aws
  spec:
    table_options:
      aws_cloudtrail_events:
        lookup_events:
          - start_time: ${time:5 days ago}
            end_time: ${time:now}
      aws_cloudwatch_metrics:
        - list_metrics:
            namespace: AWS/RDS
            metric_name: DatabaseConnections
          get_metric_statistics:
            - start_time: ${time:2022-01-01} # dateOnly format
              end_time: ${time:2022-04-02T15:04:05Z} # RFC3339 format

For the lookup_events option, end_time will be replaced with the current time, and start_time will be replaced with the time 5 days ago. For the get_metric_statistics option end_time and start_time will be replaced by the full RFC3339 formatted value of the fixed time.