Thursday, January 30, 2020

Re: How to best secure environment variables (secret key, passwords etc.) stored in .yml files?

Hi,

Just fyi, it was, in part, to solve this problem that I implemented the django-yamlconf module:


While getting the data into either a private yaml file or env variable in the container isn't addressed, it does allow injecting the values into the Django app without modifying the committed sources.

Take care,
Michael.

On Thu, Jan 30, 2020 at 6:46 AM Chris Wedgwood <wedgemail@gmail.com> wrote:
Hi Tom

You are definitely not overthinking this. it's important.

This is an area that has baked my noodle for a while now and I always am left wondering "Do I have this right?" "Am I vulnerable to attack?" ..... and I still haven't figured it out completely. It's like static files  I never really feeel like I get it entirely :)

Firstly you should never need to store a password/token/secret in Source Control ever. If you are stop and think there must be a better way.

I use environment variables .env to store my secrets but the trick is ALWAYS put that in your .gitignore  file. If you start a new git repository there is an option to create a .gitignore file 
for Python that is a great starting point.

To complement my .env file it has a .env.example file that I DO put in source control with a dummy password.

.env file:

MAILGUN_API_KEY =asjdhasds78dy9s8dy012287e210eu209e72

.env.example:

MAILGUN_API_KEY=ThisIsNotARealToken

So when I do local development  I can populate my .env fie with local dev secrets.

For production deployments, I use Ansible for which I provide production tokens and secrets in a separate file also not in source control.

The Ansible deployment requires an ssh password that I store in a Password Manager that has two-factor authentication.

The docker-compose file can read environment variables from the .env file.

Have a look at Django-Cookiecutter and see how they do it. That helped me a lot when I started out

cheers
Chris











On Thursday, 30 January 2020 12:41:01 UTC, Tom Moore wrote:
Hi there, I'm following the guidelines by making sure the environment variables are stored outside of the settings.py files.

The project is "dockerised" and so the environment variables have been stored in files docker-compose.yml and docker-compose-prod.yml.

This includes things like the project's secret key, API keys, and database passwords.

My question is: 
• Just because environment variables are stored in .yml files, won't they be equally insecure the moment I commit the project folder to a git repo (and especially if I push that repo to GitHub)?
e.g. the Secret Key will forevermore be stored in the git repo (in earlier versions, even if I later move it to another file in subsequent commits).

Is there an even more secure way of storing environment variables? Or am I overthinking it (as I'm the only developer and the GitHub repo is set to Private)?

Many thanks in advance for your help.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/55f28dec-7c9a-4cae-b658-f89772aa1bd7%40googlegroups.com.


--
Michael Rohan
mrohan@acm.org

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAOCsNFhLqucCRWb%3DbsneUdKVuWkNqQR%3DKL_P3zVXAAthzDxAPw%40mail.gmail.com.

No comments:

Post a Comment