How to store sensitive API Keys securely in Django public workspace

workspace
django
python

#1

Hey All - I am trying to add a sensitive API key in Django and don’t want to put it in my settings.py file for all to see. Does anyone know how to create a file outside the workspace, then import that key into my settings.py file securely? I just want to make sure that I don’t put anything out there in the public space that shouldn’t be. Can someone provide the steps I would need to take, including how to import that file into settings.py using python? Thanks!


#2

Same here. Interesting if there is a robot that goes through all public c9 workspaces to harvest credentials and access info…


#3

You can place your keys in environment variables, and access them from Python. Read-only access cannot access environment variables.

@techtonik This could be the case, but I am guessing that the C9 team has some security measures against this.


#4

The only way to ensure code is safe is to run such a bot yourself. =) I also found this:


#5

I figured it out.

Create a config.py in /home/secrets. This should be safe outside of the public workspace. You can set environment variables like this.

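    # Create the directory outside the workspace, then the file inside it
    sudo mkdir /home/secrets
    sudo nano /home/secrets/config.py

    # /home/secrets/config.py
    import os

    os.environ["APIKey"] = "1234"
    os.environ["Secret"] = "secret"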

Lastly, in your main.py, add environment variables like this.

    import sys
    import os

    sys.path.append(os.path.abspath("/home/secrets"))

    from config import *

    APIKey = os.environ.get('APIKey')
    Secret = os.environ.get('Secret')
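
A stricter variant of the approach in this thread, as an added example that is not part of the original posts: it reads keys from a file outside the workspace, refuses a file that group or other users can access, and fails at startup when a key is missing instead of silently continuing with `None`. The file name `api_keys.json` and the helper names are assumptions made for illustration.

```python
import json
import os
import stat
from pathlib import Path


class SecretsError(RuntimeError):
    """Raised when a secret is missing or its file is unsafe to use."""


def load_secrets(path):
    """Read a JSON object of secrets, refusing a file other users can access."""
    path = Path(path)
    try:
        mode = path.stat().st_mode
    except FileNotFoundError:
        raise SecretsError(f"secrets file not found: {path}") from None
    if not stat.S_ISREG(mode):
        raise SecretsError(f"{path} is not a regular file")
    # Any group/other permission bit means the key is not private to the owner.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretsError(f"{path} is accessible by group/others; chmod 600 it")
    with path.open() as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        raise SecretsError(f"{path} must contain a JSON object")
    return data


def get_secret(name, secrets, environ=os.environ):
    """Prefer an environment variable, fall back to the file, never return None."""
    value = environ.get(name) or secrets.get(name)
    if not value:
        raise SecretsError(f"missing secret: {name}")
    return value


# Usage in settings.py (hypothetical file name, key names from the thread):
#   _secrets = load_secrets("/home/secrets/api_keys.json")
#   APIKey = get_secret("APIKey", _secrets)
#   Secret = get_secret("Secret", _secrets)
```

The file must be owned by the account that runs Django and set to mode 600, otherwise `load_secrets` raises before any key is read.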