Home/Docs/Environment Variables

Environment variables

Provider authentication is resolved from the environment.

TurboCI looks at the provider declared in the deployment config, then loads the matching credential variables automatically.

4 providers

supported across Hetzner, AWS, GCP, and Azure

0 manual wiring

TurboCI maps the provider name to the right variables for you

provider-resolution

yaml

# In config.yaml
provider: hetzner

# TurboCI automatically looks for:
# TURBOCI_HETZNER_API_KEY

Supported providers

The environment variables TurboCI expects

Hetzner

env

bash

TURBOCI_HETZNER_API_KEY=your_api_key_here

Generate the token from Hetzner Cloud Console -> Project -> Security -> API Tokens.

AWS

env

bash

TURBOCI_AWS_ACCESS_KEY=your_access_key_id
TURBOCI_AWS_SECRET_ACCESS_KEY=your_secret_access_key

GCP

env

bash

TURBOCI_GCP_PROJECT_ID=your_project_id
TURBOCI_GCP_SERVICE_ACCOUNT_EMAIL=your_service_account@project.iam.gserviceaccount.com
TURBOCI_GCP_SERVICE_ACCOUNT_PRIVATE_KEY=your_private_key

Azure

env

bash

TURBOCI_AZURE_API_KEY=your_api_key_here

Optional variable

Override the working directory TurboCI uses

By default TurboCI expects a `.turboci` directory in the current working directory. You can redirect that with an explicit path.

TURBOCI_DIR

Use a custom path when the deployment metadata should live outside the current project root.

custom-dir

bash

TURBOCI_DIR=/path/to/custom/turboci/dir

Setup patterns

Three ways to provide the credentials

.env file

Recommended for local operator workflows

Place the provider credentials beside your project and let TurboCI load them automatically from the working directory.

setup

bash

# .env
TURBOCI_HETZNER_API_KEY=hetzner_key_here
TURBOCI_AWS_ACCESS_KEY=your_key
TURBOCI_AWS_SECRET_ACCESS_KEY=your_key

System environment

Use when the credentials should be globally available

Export the values into the shell or operating system environment so any directory can run TurboCI.

setup

bash

# Linux / macOS
export TURBOCI_HETZNER_API_KEY=your_api_key_here

# Windows (PowerShell)
$env:TURBOCI_HETZNER_API_KEY="your_api_key_here"

# Windows (CMD)
set TURBOCI_HETZNER_API_KEY=your_api_key_here

Inline

Useful for one-off commands in CI or local testing

Set the variable directly on the command invocation when you do not want it persisted in the shell session.

setup

bash

TURBOCI_HETZNER_API_KEY=your_key turboci up

Multi-cloud example

TurboCI selects credentials per deployment

When multiple providers appear in the same config file, each deployment resolves against its own provider-specific environment variables.

multi-cloud

yaml

# .env
TURBOCI_HETZNER_API_KEY=hetzner_key
TURBOCI_AWS_ACCESS_KEY=your_key
TURBOCI_AWS_SECRET_ACCESS_KEY=your_key

# config.yaml
- deployment_name: web_hetzner
  provider: hetzner
  services: [...]

- deployment_name: web_aws
  provider: aws
  services: [...]

Security note

Keep credential files out of version control

Add `.env` to your ignore rules and treat it as operator-only material.

.gitignore

bash

# .gitignore .env

The same rule applies to any other file that stores raw provider credentials.

When in doubt, start with a local .env file. It keeps the credentials scoped to the project while matching the default TurboCI operator workflow.

Next step

See how TurboCI promotes clusters safely

With provider auth configured, the next useful concept is the rollout model: how TurboCI stages, checks, and promotes clusters without downtime.

Continue to update strategy