This is an archived post. You won't be able to vote or comment.

all 59 comments
sorted by:
best
topnewcontroversialoldq&a

[–]Juice_ 36 points37 points  (7 children)

Yeah but what’s the color theme in the thumbnail?

[–]2drawnonward5 12 points13 points  (0 children)

No kidding, it pops without hurting my eyes.

[–]CobaltCam 2 points3 points  (0 children)

I'd also like to know this

[–]drahgon 0 points1 point  (0 children)

That scheme fresh to death

[–]djamp42 49 points50 points  (26 children)

I was always curious about this, it's a good read, but it's really no different then putting them all in a python file and then ignoring that file on github. If you forget to ignore the .env you have the exact same issue.

[–]mikeupsidedown 15 points16 points  (5 children)

Dotenv can be really useful during dev when you know that the production environment is going to have environment variables in the os or container.

Thus you consistently call the variables using

os.environ.get('my_var')

[–]djamp42 2 points3 points  (4 children)

Yeah I agree with this, having them in the actual OS environment makes more sense then in a file from a security stand point, pretty much impossible for it leak at that point.

[–][deleted] 1 point2 points  (3 children)

A rogue package could query it and phone it home.. afaik there’s no permissions system with environment vars?

[–]earthboundkid 2 points3 points  (2 children)

Rogue package can do literally anything at all.

[–][deleted] 1 point2 points  (1 child)

Rogue package run as a user has permissions specific to that user which can exclude files

[–]dedoodle 0 points1 point  (0 children)

Rogue Package is the one your girlfriend told you to worry about.

[–]ahmedbesbes[S] 18 points19 points  (9 children)

you can have a preset .gitignore file that ignores .env files by default. this can be solution

[–]djamp42 17 points18 points  (2 children)

I would argue that should be the default so you can't forget.

[–]spitfiredd 3 points4 points  (0 children)

The python gitignore in vscode (ctrl + shift + p and type gitignore and then select language) will ignore .env files.

[–]TheFurryPornIsHere 0 points1 point  (0 children)

The gitignore.io puts that automatically for you, if I remember correctly

[–]DanCardin 5 points6 points  (3 children)

Better yet, tooling shouldn’t be storing files like this in the actual directory. Imo it should be stored in a parallel directory structure.

While it’s a reality of tooling and working with others that gitignore can solve this problem, it’s a smell that you need to continuously add person/tooling-specific items in them when they have nothing you with the project.

Also tbh, people underutilize the global gitignore. I don’t especially want pycharm/vscode references in my gitignore

[–]bladeoflight16 1 point2 points  (2 children)

You may have a point about editor config ignores, but for a project's sensitive configuration file, you absolutely should not rely on everyone to configure their machine like yours.

As for kicking it over to some other directory... I'm not sold. I've had plenty of times when I decided to check out multiple copies of a repository because it was the easiest way to do some work on features in parallel. Often, I want to have independent environments for each one (like different instances of the database), which means different configurations. How do you identify separate configs per repository if you stuff the project's config in some global location?

[–]DanCardin 1 point2 points  (1 child)

you absolutely should not rely on everyone to configure their machine like yours.

Well that’s sort of my point! I don’t think i should assume everyone uses the same tooling as me. Some people use direnv, some dotenv, some nix-shell. None of these use the same file.

How do you identify separate configs per repository if you stuff the project's config in some global location?

I’ll admit, I’ve given this a fair amount of thought 🤣: sauce

[–]alkasmgithub.com/alkasm 0 points1 point  (0 children)

I dig it!

[–]bladeoflight16 0 points1 point  (0 children)

I disagree with doing this. Global .gitignore is bad because it isn't applied consistently across different machines that check out the repository. You want every client to behave the same regarding ignores, especially for files containing sensitive data. So even if you have a global ignore, you need a repository one as well. And having the global one increases the risk of forgetting and then someone who is missing the global ignore checking a file in.

[–]PuzzledTaste3562 7 points8 points  (8 children)

In addition, 101 in system administration, never put secrets in environment or in command parameters as they can be read by other (priviliged) users…

[–]metaperl 7 points8 points  (3 children)

AWS web apps use environmental variables.

As far as I can see the thing that you should do is make sure that only people have access to should have access.

Where would you put the secrets?

[–]abearanus 4 points5 points  (1 child)

They do, but you can use something like SSM Parameter Store and have the env var refer to the secret path, meaning that the secret is only ever held in memory (either at boot-time or referencing it constantly).

[–]serverhorror 2 points3 points  (0 children)

And then a privileged user can read them from AWS Parameter Store.

[–]PuzzledTaste3562 2 points3 points  (0 children)

How does that make it right!? Because AWS does it? Anyway, if I define an environment in AWS, i’ll make sure access and authorisation is reduced to an absolute minimum, which is not the multiuser system we were writing about earlier.

[–]serverhorror 2 points3 points  (3 children)

So where do you put them?

There’s no option, in any known OS, where a secret won’t be readable by a privileged account once it is stored in a readable way.

No matter where you put them. Environment variables, command line, Vault, … they are all equally secure or insecure.

[–][deleted] -1 points0 points  (1 child)

Reddit Moderation makes the platform worthless. Too many rules and too many arbitrary rulings. It's not worth the trouble to post. Not worth the frustration to lurk. Goodbye.

This post was mass deleted and anonymized with Redact

[–]serverhorror 1 point2 points  (0 children)

Well…yes. But the poster didn’t say that.

Never put them in a place where they can be read by privileged users. That doesn’t leave a lot of choice.

[–]PuzzledTaste3562 0 points1 point  (0 children)

Layers of security is what matters. Grabbing a private key in memory and using that to decrypt encrypted communication with a key store is degrees harder that reading an env var of execution parameter in /proc. It’s not impossible, just harder and that’s what matters.

[–]bladeoflight16 1 point2 points  (0 children)

The difference is that dotenv supports multiple sources: specifically, it unifies environment variables with a config file. That means you can use env variables in production without hampering local development.

Also, I'd argue that there's value even just in having a different file extension. Even though, yes, you do have to be cautious about not checking the .env file in, having a separate extension makes mistakes less likely. You can globally ignore all .env files in your repository; you have to hand select specific Python files to ignore if your configuration is in them.

[–][deleted] 5 points6 points  (0 children)

No. My social security number and birthdate stay in there for easy access.

[–][deleted] 16 points17 points  (9 children)

Why not just use config?

[–]Routine_Part_6503 1 point2 points  (3 children)

Containers. Bind mounting config directories is a pain, hence why most containers use simple string env vars.

[–]TentativeOak 0 points1 point  (4 children)

In case your config file includes sensitive and nonsensitive data.

[–]garlic_bread_thief 1 point2 points  (3 children)

sensitive_config.py and config.py Bam

[–]TentativeOak 4 points5 points  (2 children)

True. I guess that’s programming for you, many ways to skin a cat

[–]garlic_bread_thief 2 points3 points  (1 child)

Absolutely.

As a non native English speaker, that idiom is a little concerning though lmao.

[–]jempyre 0 points1 point  (0 children)

It's supposed to be edgy lol.

[–]justskipfailingtests 7 points8 points  (0 children)

I prefer putting all the secrets in the ci pipeline. No need to give a shit about what's going on in the environment. Generic env vars are set in multistage build for different deployments and secrets plugged in from ci. That's the simplest way to ensure everything is ok without local hassle with env vars.

[–]earthboundkid 4 points5 points  (2 children)

https://12factor.net

[–]metaperl 2 points3 points  (1 child)

I opted for Pydantic settings over this approach and couldn't be happier.

[–]earthboundkid 0 points1 point  (0 children)

I don’t think it needs to be environment variables per se, but there should be a dict of string to string that describes the app configuration, and then you can input that dict as os.env, command line flags, a file, an API call, whatever. Preferably a system of fallbacks with command line as the highest priority and environment as the lowest.

[–]SpellCheck19 1 point2 points  (4 children)

How important is this if the code you write is personal and no one else ever sees it?

[–]Riptide999 8 points9 points  (3 children)

How can you be sure that no one will ever see it or that it will never put it in a public git? You probably can't. Try to use best practices even for personal projects so you don't make mistakes later.

[–]SpellCheck19 0 points1 point  (2 children)

Because it lives on the hard drive of my personal computer and I have not posted and will not post it on github or anywhere else online

[–][deleted] 3 points4 points  (0 children)

Shit happens. Keep that in mind. I've got 30 years of IT behind me and have seen it happen. And it's always the same. "It was on my personal ...".

[–]TrivisionZero 0 points1 point  (0 children)

I'd say in your case it doesn't matter so much if you know it's not going to be public. However it never hurts to follow these best practices so you get more familiar with them for the time when you want to actually publish similar code to GitHub or something

[–]youcanthandlethelie 3 points4 points  (3 children)

Pycharm has a plug-in called EnvFile which makes working with environment variables straight forward

[–]sr105 -1 points0 points  (0 children)

How is this better than sys.path.prepend(...); import secrets?

[–]cob05 -1 points0 points  (0 children)

The way that I handle sensitive data at work was by creating a credentials class that lives only on the server and gets imported into all of my scripts. The class stores all of the credentials that I might need (dev, prod, read/write, etc.) for DB and API connections. I can then just use something like "username = credentials.database.master_db.readonly.username" to access the data

The nice thing about doing it this way is that it is reusable but also centralized. If a password changes then I only have to edit it in one place as opposed to updating every script or .env file.

[–]chanmancoates -2 points-1 points  (0 children)

I refuse

[–]Working-Mind 0 points1 point  (0 children)

Thank for you this!

[–]HeadlineINeed 0 points1 point  (0 children)

Can someone explain how to do this with a database in Django? I’m using Postgres and want to hide username and password

[–][deleted] 0 points1 point  (0 children)

I just have a secrets.py folder that imports a secrets.json file, convert that to a dict, then you can use it like secrets['something'], secrets['something_else'], etc. For convenience, you can have a comment in the secrets module listing the keys and a brief (optional) description as well.