Best Practices Python – Where to store API KEYS/TOKENS
Question:
I am building a system that uses API tokens and keys to access services, but where is the best place to store them? I want to push the code to GitHub without pushing the tokens.
Currently, I’ve placed them in a blank file named Constants.py and, in the main python file, I import Constants.py.
API_KEY_SERVICE = "ABC123ABC"
Main.py:
import Constants
service_key = Constants.API_KEY_SENDGRID
Answers:
What you are attempting is the correct way to segregate sensitive information from code. You should include the constants.py in your .gitignore file which will prevent git from tracking that file and thus not pushing it to github.
For .gitignore, refer: https://git-scm.com/docs/gitignore
There are a few options:
-
Store it locally as you have and, as Sebastin Santy noted, add constants.py to your .gitignore file.
-
Store it as an environment variable if you’re using a conda virtual environment. Virtual environments aren’t stored; the requirements for creating one are in the requirements.txt file. You can find more on the steps from the conda documetation
-
Use the OS module
-
If you have more than one set of environment variables, you might consider using decouple
-
If you’re using AWS, you’ll want to store the (what would be third party) keys in their own area with its own IAM. There are two ways recommended by AWS.
- a. IAM roles
- b. Store Secrets using Parameter Store
- c. Store Secrets using Secrets Manager – Current method recommended by AWS
There are some good answers here. To add to them, I think we can also use the keyring module, which will read the credentials from Windows credentials or Mac OS keychain.
But I would love to hear the thoughts of the community. Thanks.
here’s the link to that – https://pypi.org/project/keyring/
I am building a system that uses API tokens and keys to access services, but where is the best place to store them? I want to push the code to GitHub without pushing the tokens.
Currently, I’ve placed them in a blank file named Constants.py and, in the main python file, I import Constants.py.
API_KEY_SERVICE = "ABC123ABC"
Main.py:
import Constants
service_key = Constants.API_KEY_SENDGRID
What you are attempting is the correct way to segregate sensitive information from code. You should include the constants.py in your .gitignore file which will prevent git from tracking that file and thus not pushing it to github.
For .gitignore, refer: https://git-scm.com/docs/gitignore
There are a few options:
-
Store it locally as you have and, as Sebastin Santy noted, add constants.py to your .gitignore file.
-
Store it as an environment variable if you’re using a conda virtual environment. Virtual environments aren’t stored; the requirements for creating one are in the requirements.txt file. You can find more on the steps from the conda documetation
-
Use the OS module
-
If you have more than one set of environment variables, you might consider using decouple
-
If you’re using AWS, you’ll want to store the (what would be third party) keys in their own area with its own IAM. There are two ways recommended by AWS.
- a. IAM roles
- b. Store Secrets using Parameter Store
- c. Store Secrets using Secrets Manager – Current method recommended by AWS
There are some good answers here. To add to them, I think we can also use the keyring module, which will read the credentials from Windows credentials or Mac OS keychain.
But I would love to hear the thoughts of the community. Thanks.
here’s the link to that – https://pypi.org/project/keyring/