This gist will explore how to leverage a "dotenv" ecosystem to manage application credentials.
The gist follows code in the repo https://github.com/rmrfslashbin/python-dotenv-poc.
The Twelve-Factor App concept provides numerous best-practice guidelines for applications and scripts. This gist will provide a Python-based foundation, using the dotenv concept, to manage application credentials as described here: https://12factor.net/config
The python-dotenv project reads key-value pairs from a .env file and sets them as environment variables.
This gist assumes a few items are already set up:
- A sane Python 3.8+ environment.
- A functional package management system such as pip, pipenv, or Poetry.
- Some credentials to store, such as Twitter or Spotify API keys.
First, install the python-dotenv package:
% pipenv install python-dotenv
Installing python-dotenv...
Adding python-dotenv to Pipfile's [packages]...
✔ Installation Succeeded
Pipfile.lock (16c839) out of date, updating to (89b591)...
Locking [dev-packages] dependencies...
Locking [packages] dependencies...
Building requirements...
Resolving dependencies...
✔ Success!
Updated Pipfile.lock (89b591)!
Installing dependencies from Pipfile.lock (89b591)...
🐍 ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 0/0 — 00:00:00
Next, set up a "dotenv" file and add the secrets.
# .env
# This file contains Spotify application config data
# Lines starting with '#' are remarks.
client_id=xxxxyyyyzzzz1234567890123abcdefg
client_secret=vvvvrrrrzzzz1234567890123abcdefg
callback_uri=http://localhost:8080/auth/spotify
A simple Python script demonstrates how to load and use the secrets.
#!/usr/bin/env python
# Import modules.
from dotenv import load_dotenv
from os import getenv
# Load configs from the .env file into the environment.
load_dotenv()
# Bind environment variables into the script.
clientId = getenv("client_id")
clientSecret = getenv("client_secret")
callbackURI = getenv("callback_uri")
# Print the configs.
print(f"Client ID: {clientId}")
print(f"Client Secret: {clientSecret}")
print(f"Callback URI: {callbackURI}")
Then run the script.
% ./pycreds
Client ID: xxxxyyyyzzzz1234567890123abcdefg
Client Secret: vvvvrrrrzzzz1234567890123abcdefg
Callback URI: http://localhost:8080/auth/spotify
Application secrets should never be stored in a git repo. A simple strategy can be used to protect your secrets.
Initialize the git repo.
% git init
Initialized empty Git repository in /home/user/pycreds/.git/
Create a .gitignore file
# Ignore/exclude .env
.env
Add your code to the new git repo.
% git add .
% git status
On branch main
No commits yet
Changes to be committed:
(use "git rm --cached <file>..." to unstage)
new file: .gitignore
new file: Pipfile
new file: Pipfile.lock
new file: pycreds
% git commit -m "Initial commit"
[main (root-commit) 2a2fdb0] Initial commit
4 files changed, 52 insertions(+)
create mode 100644 .gitignore
create mode 100644 Pipfile
create mode 100644 Pipfile.lock
create mode 100755 pycreds
Note that .env is not included. You have committed the code, but excluded your secrets.
Because your secrets are not saved in the git repo, keep them in a safe place, such as a password manager or a parameter store.
When sharing your git repo with friends, it's helpful to provide a distribution file to show how to use and set up the .env file.
# env.DIST
# This file contains Spotify application config data
# Lines starting with '#' are remarks.
#
# Rename this file to .env and fill in the blanks below.
client_id=
client_secret=
callback_uri=
Next, commit env.DIST to your repo.
% git add env.DIST
% git commit -m "Adding env.DIST"
[main cd72901] Adding env.DIST
1 file changed, 9 insertions(+)
create mode 100644 env.DIST
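As an added example (not code from the gist or the linked repo), the script below treats env.DIST as the list of required keys, checks the local .env against it with python-dotenv's dotenv_values (which parses a file without exporting it, so the blanks in env.DIST never reach the environment), and prints redacted values instead of the raw secrets that pycreds prints above. The function names and the redaction rule are my own.

```python
#!/usr/bin/env python
"""Fail fast when .env is missing a key that env.DIST declares (added example)."""


def required_keys(dist_values):
    """env.DIST holds the key names; its values are intentionally blank."""
    return sorted(dist_values.keys())


def check_config(required, provided):
    """Return (missing, blank): keys absent from .env, and keys left empty.

    dotenv_values yields "" for "key=" and None for a bare "key" line,
    so both are treated as blank.
    """
    missing = [k for k in required if k not in provided]
    blank = [k for k in required
             if k in provided and not (provided[k] or "").strip()]
    return missing, blank


def redact(value, keep=4):
    """Keep a short prefix for troubleshooting; never echo the whole secret."""
    if not value:
        return "<unset>"
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def load_checked_config(env_path=".env", dist_path="env.DIST"):
    """Parse both files and refuse to start unless every required key is set."""
    from dotenv import dotenv_values  # python-dotenv, installed above

    required = required_keys(dotenv_values(dist_path))
    provided = dotenv_values(env_path)
    missing, blank = check_config(required, provided)
    if missing or blank:
        raise SystemExit(
            f"{env_path}: missing {missing or 'none'}, blank {blank or 'none'}; "
            f"copy {dist_path} to {env_path} and fill in every key"
        )
    return {k: provided[k] for k in required}


if __name__ == "__main__":
    for key, value in load_checked_config().items():
        print(f"{key}: {redact(value)}")
```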
A good repo always has a README.md and a license. The MIT License is a good choice.
% git add LICENSE README.md
% git commit -m "Adding LICENSE and README.md"
[main 5203d49] Adding LICENSE and README.md
2 files changed, 40 insertions(+)
create mode 100644 LICENSE
create mode 100644 README.md