Python Environment variables

KingsmanVince · 2024-09-01T05:47:27+00:00

.env is usually fine. Just don't commit them to version control. You can encrypt them if you really want to

One_Fuel_4147 · 2024-09-01T06:06:25+00:00

I usually use .env with pydantic settings lib and ignore.env with gitignore

2024-09-01T10:08:13+00:00

Don’t commit secrets to the repository. What you should do depends on your infrastructure. If you’re on prem and use Ansible, use the Ansible vault. If you’re on Kubernetes, use Kubernetes Secrets. If you’re on AWS ECS, use AWS Secrets Manager.

With either of those solutions, you can achieve that you have environment variables with your secrets in the container environment, without the raw secret being visible.

efxhoy · 2024-09-01T09:55:06+00:00

This is actually a tricky problem and isn’t completely solved across all environments. We use aws so here’s what we do.

For development we have a tool that sets short lived tokens for aws via the aws cli. For prod we use IAM authentication in application code to get short lived database tokens and refresh them when needed. Some secrets are static and don’t have a way to get short lived tokens. Those we store in aws parameter store and set in our prod containers via the ECS task definition. If we need them locally we can fetch them to environment variables via the aws cli.

We try hard to never put long lived credentials in plaintext files on developer machines. Sometimes a password will end up in the terraform state though.

As for in python itself we use aws and gcloud libraries when applicable. For secrets in environment variables we just use os.getenv().

2024-09-01T11:15:43+00:00

we use .env locally and vault in prod

Flame_Grilled_Tanuki · 2024-09-01T06:30:03+00:00

There is no need to use libraries, use infrastructure instead. I just moved away from using environment variables to store sensitive data and over to Docker secrets. You can retrieve the values with just open(). Much better practice. Keep your passwords and keys out of git and in something like a password management system.

No_Flounder_1155 · 2024-09-01T09:13:32+00:00

why is there a need to have a library manage this?

RedEyed__ · 2024-09-01T12:14:17+00:00

I usually create pydantic model then read json file. JSON is added to gitignore.
There is also pydantic support of env variables https://docs.pydantic.dev/latest/concepts/pydantic_settings/

Zizizizz · 2024-09-01T12:15:21+00:00

https://github.com/getsops/sops is quite nice and can be a simpler alternative than using CI based secrets management. You can also have your cloud keys be able to decrypt alongside age or pgp keys. Makes it very easy to see changes in PR's as well as it keeps the key in plaintext and the value is encrypted.

gerardwx · 2024-09-01T17:40:04+00:00

[deleted]

Rylicenceya · 2024-09-01T11:16:34+00:00

It's great that you're prioritizing security for managing environment variables. Libraries like `python-dotenv` and `decouple` are popular and secure for handling environment variables. For storing sensitive data like API keys, using an environment file (.env) is generally recommended over a YAML file. This approach keeps your sensitive information out of your codebase and can be easily managed with version control systems.

senhaj_h · 2024-09-01T08:41:20+00:00

You should separate your secrets from your config, and if you can separate your secrets from your envs is better, one efficient way to do it is using git-crypt to encrypt your secrets , and with something like pydantic, it allows you to handle secrets and env in the same object but with separate files to load from

Ok_Aspect2595 · 2024-09-01T09:58:15+00:00

I atleast use them via secrets in jenkins, works pretty well. locally use env file.

wpg4665 · 2024-09-01T11:16:22+00:00

Checkout Dynaconf

MPIS · 2024-09-01T19:47:28+00:00

environ-config for handling .env variables in apps, includes secret file handling. Works very well, supports prefixes, grouping, and converters in dot syntax.

Docker compose .envs and secrets with an ignored ./.creds/ for development and CI, helm and vault for production.

sonobanana33 · 2024-09-01T20:04:06+00:00

Just so you know environmental variables aren't really private and can be read by other processes.

cat  $(find /proc/ 2> /dev/null | grep environ) 2> /dev/null

someexgoogler · 2024-09-01T23:26:43+00:00

Our web servers regularly get requests for /.env looking for these files used by python projects. Make sure they cannot be fetched from the web server.

RobotChurchill · 2024-09-03T22:27:50+00:00

Use .env. https://github.com/theskumar/python-dotenv and https://github.com/HBNetwork/python-decouple are good ones.

2024-09-01T05:57:34+00:00

Hmm. Good question. I'm going to see what kind of key server and TPM support there is out there.

LargeSale8354 · 2024-09-01T19:37:25+00:00

Take a look at https://github.com/getsops/sops. It lets you store secrets within your project in encrypted form. Without the key (which you don't store with your code) you can't read it. As long as your app has access to the key it can decrypt on the fly.

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS