
Control secrets in the application

Overview

Controlling secrets in the application is an essential part of application development.

The secrets can be:

  • Connection string to critical databases: profiles, trades, risk rules,...

  • An API key for external pay-as-you-go (PAYG) services: OpenAI LLM

  • Credentials for third-party services: Sendgrid, Mailgun

  • Private keys for encryption or signing: JWT, JWS

  • Passwords for accessing critical resources: databases, repositories

If an attacker discovers those secrets, they can use them to access sensitive data, potentially causing significant harm to the service and its users.

The following table summarizes the methods available.

Methods Available:

| Method | Pros | Cons |
|---|---|---|
| (a) Using .env file | Easy to implement | Secrets can be leaked through version control |
| (b) Using ini file | Secrets are stored in a separate file, more organized | Secrets can be leaked through version control |
| (c) From environment variables | Environment variables are set outside of the Python code | Secrets can be leaked through the command line |
| (d) From secret manager | Inbuilt secrets manager provided by cloud providers | Additional cost |

Detail

From a file

Using an .env file

API_KEY=test-key
API_SECRET=test-secret

A .env file stores environment variables for a Python application. Environment variables are set outside of the Python code and are used to configure it; the .env file is typically used to hold secret keys and passwords.

Required to write when you have the examples.
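To make the .env format concrete, here is an added, stdlib-only parser (not code from the original page or from python-dotenv) that reads KEY=VALUE lines as shown above and loads them into the process environment without overriding variables that are already set. It assumes the common .env conventions: full-line comments start with `#`, an optional `export ` prefix is allowed, and a quoted value keeps characters such as `#` that would otherwise start a trailing comment. The sample text inside the block is constructed for the example.

```python
"""Minimal .env loader. Added example; assumes the usual KEY=VALUE conventions
(# comments, optional 'export ' prefix, single- or double-quoted values)."""
import os
import re

# KEY=VALUE with an optional 'export ' prefix; the value is parsed separately.
_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def _parse_value(raw: str) -> str:
    """Unquote a value; for unquoted values drop a trailing ' # comment'."""
    raw = raw.strip()
    if raw and raw[0] in "\"'":
        quote = raw[0]
        end = raw.find(quote, 1)
        if end == -1:
            raise ValueError(f"unterminated quote in value: {raw!r}")
        return raw[1:end]            # '#' inside quotes is data, not a comment
    return raw.split(" #", 1)[0].rstrip()


def parse_dotenv(text: str) -> dict[str, str]:
    """Return the KEY -> VALUE mapping described by .env text."""
    values: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                 # blank line or full-line comment
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {line!r}")
        values[match.group(1)] = _parse_value(match.group(2))
    return values


def load_dotenv_text(text: str, environ=None, override: bool = False) -> list[str]:
    """Load parsed values into `environ` (default os.environ).

    By default an existing variable wins, so the real deployment environment
    takes precedence over the file. Returns the names that were set.
    """
    env = os.environ if environ is None else environ
    loaded = []
    for key, value in parse_dotenv(text).items():
        if override or key not in env:
            env[key] = value
            loaded.append(key)
    return loaded


# Constructed sample .env content for the example (not real credentials).
SAMPLE_DOTENV = """\
# constructed sample
API_KEY=test-key
API_SECRET=test-secret
export DB_URL="postgres://app:p4ss#word@db/app"  # quoted value keeps the '#'
EMPTY=
"""

if __name__ == "__main__":
    fake_env = {"API_KEY": "from-real-environment"}
    print(load_dotenv_text(SAMPLE_DOTENV, environ=fake_env))  # API_KEY is not overridden
    print(fake_env)
```

Because the loader refuses to override variables that already exist, a value injected by the deployment platform (method c) always beats the checked-out file, which is the behaviour you want when a developer's local .env is accidentally packaged with the application. Add `.env` to `.gitignore` so the file never reaches version control, the leak path listed in the table above.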

Using ini file

# Example INI file for the project
# ----
#
# Description:
# This file contains the credentials for the project.
#
# Terms:
# + DSN: Data Source Name
#
# Notes:
# a) Delete the comments after finishing the configuration integration.
# b) For the credentials, please contact the maintainer.

[DEPLOYMENT]
# Based on the maintainer.
ENV=Dev # The environment of the project, must be one of "production", "dev"

[PYTHON]
EXECUTABLE_PATH=python3 # Required Python version greater or equal to 3.9.*

[CLOUD_SQL]
CONNECTION_NAME= # Synopsis: project_id:region:instance_name, without quoting the string with `"`
DRIVER= # Synopsis: `pymysql` for MySQL, `pg8000` for Postgres
USER_NAME= # User
USER_PASSWORD= # [Deprecated] Using $(gcloud sql generate-login-token --instance=$INSTANCE_NAME)
DATABASE_NAME= # Target database to connect

[BUCKET]
STORAGE_NAME= # The bucket name GCS for the project

[SLACK]
# The Bot Token
BOT_TOKEN_SECRET=
# The Channel of logs for project
# E.g: C092S5VCF34
LOG_CHANNEL_NAME=

[GCP]
# The project id of basement in GCP resources.
PROJECT_ID=
# For developer, contact maintainer for this SA of project
SA_PROJECT_EMAIL= # Something like `*@<PROJECT_ID>.iam.gserviceaccount.com`
# Currently using this for deployment,
# a) For Dev:
# using cmd with `echo %APPDATA%\gcloud\application_default_credentials.json`
# With IAM:
# `$ gcloud auth application-default login`
# b) for Deployment:
# using path config for service account declare above.
# With Service Account
# $ gcloud auth activate-service-account $ACCOUNT --key-file=$GCP_SA_CREDENTIALS_PATH
# Ref: https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account
SA_CREDENTIALS_PATH= # Something like "./.gcloud/*.json"
PUBSUB_TOPIC_METADATA= # Topic Metadata to BigQuery

[SENDGRID]
# API Key to send email by Sendgrid
# Can get from Secret Manager: SENDGRID_RUNNER_EMAIL_SERVICE
# Sample: SG.o1p2kasdkvs2-Rlkvs26a.VP-QKRASDn23h123vh2323QyH4J40wA_kjDndNjGr90
API_KEY=
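The INI file above relies on inline `# ...` comments after values, which Python's `configparser` does not strip by default: without `inline_comment_prefixes` the comment text becomes part of the value, so `ENV` would read `Dev # The environment ...`. The following added example (not code from the original page) loads a constructed subset of that INI correctly, lets an environment variable named `<SECTION>_<KEY>` override the file (so the file can ship with empty secrets), reports which required secrets are still missing, and redacts values before they are logged. The `SECTION_KEY` override naming, the `REQUIRED` list and the sample values are assumptions made for the example.

```python
"""Load an INI config with inline comments, env overrides and redaction.
Added example; the override naming (SECTION_KEY) is an assumption."""
import configparser
import os

# Constructed sample mirroring the page's INI layout (no real credentials).
SAMPLE_INI = """\
[DEPLOYMENT]
ENV=Dev # The environment of the project
[CLOUD_SQL]
CONNECTION_NAME=my-project:us-central1:db1 # project_id:region:instance_name
USER_NAME=app
USER_PASSWORD=
[SENDGRID]
API_KEY=SG.constructed-sample
"""

# (section, key) pairs that must be non-empty before the app starts.
REQUIRED = [("CLOUD_SQL", "USER_PASSWORD"), ("SENDGRID", "API_KEY")]


def load_ini(text: str, strip_inline_comments: bool = True) -> configparser.ConfigParser:
    """Parse INI text. With strip_inline_comments=False the trailing
    '# ...' text is kept inside the value, which is the default pitfall."""
    parser = configparser.ConfigParser(
        inline_comment_prefixes=("#",) if strip_inline_comments else None
    )
    parser.read_string(text)
    return parser


def resolve(parser, section: str, key: str, environ=None) -> str:
    """Environment variable SECTION_KEY wins over the file value."""
    env = os.environ if environ is None else environ
    override = env.get(f"{section}_{key}")
    if override is not None:
        return override
    # configparser lower-cases option names but get() applies the same
    # transform, so the upper-case key used in the file still matches.
    return parser.get(section, key, fallback="")


def missing_secrets(parser, required=REQUIRED, environ=None) -> list[str]:
    """Names of required secrets that are empty in both file and environment."""
    return [f"{s}.{k}" for s, k in required if not resolve(parser, s, k, environ)]


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix for identification; mask the rest for logs."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    print("ENV:", cfg.get("DEPLOYMENT", "ENV"))             # Dev
    print("missing:", missing_secrets(cfg, environ={}))       # ['CLOUD_SQL.USER_PASSWORD']
    print("sendgrid:", redact(resolve(cfg, "SENDGRID", "API_KEY", environ={})))
```

Keeping the password out of the file and supplying it as `CLOUD_SQL_USER_PASSWORD` at deploy time gives you the separation the table promises for method (c) while the rest of the configuration stays in the organised INI layout of method (b); `missing_secrets` turns a forgotten variable into a startup failure instead of a runtime connection error, and `redact` keeps the full value out of logs.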

Set configuration using pydantic