Best Practices Python - Where to store API KEYS/TOKENS
I am building a system that uses API tokens and keys to access services, but where is the best place to store them? I want to push the code to GitHub without pushing the tokens.

Currently, I've placed them in a blank file named Constants.py and, in the main Python file, I import Constants.py.

Constants.py:

API_KEY_SERVICE = "ABC123ABC"

Main.py:

import Constants
service_key = Constants.API_KEY_SERVICE

Merrile asked 11/7, 2019 at 18:30

Comments (3):
One option is to read these constants from environment variables. That way you won't have any secrets in your source code. (Icicle)
As a first shot you should add the file to .gitignore to prevent accidental commits and pushes. (Brachiate)
Another is using a yaml file and adding the .yaml to .gitignore. (Joceline)
What you are attempting is the correct way to segregate sensitive information from code. You should include constants.py in your .gitignore file, which will prevent git from tracking that file and thus from pushing it to GitHub.

For .gitignore, refer: https://git-scm.com/docs/gitignore

Dossier answered 11/7, 2019 at 18:35
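Two practical caveats to the .gitignore approach: the entry must match the real filename (the question's file is Constants.py, not constants.py, and on a case-sensitive filesystem those are different files), and .gitignore only stops untracked files from being added; a file that was already committed stays tracked until you run `git rm --cached Constants.py`. The .gitignore entry also does nothing when the key is pasted into a file that is tracked. The script below is an added example, not code from the question or this answer: a pre-commit hook that scans staged Python files for an assignment of a string literal to a KEY/TOKEN/SECRET/PASSWORD-named constant and blocks the commit. The regex, the sample source and the name `find_hardcoded_secrets` are assumptions made for this illustration.

```python
# Added example (not from the original question or answers): a pre-commit hook
# that refuses a commit when a staged Python file contains a hard-coded
# credential assignment such as `API_KEY_SERVICE = "ABC123ABC"`.
# .gitignore keeps the secrets file untracked; this catches the case where
# the key was pasted into a tracked file instead.
import re
import subprocess
import sys

# Assumed heuristic: an ALL_CAPS name containing KEY/TOKEN/SECRET/PASSWORD,
# assigned a string literal of 8 or more characters. It will also flag
# things like SECRET_PATH = "/etc/app/secret"; tune it for your code base.
SECRET_ASSIGNMENT = re.compile(
    r'^\s*(?P<name>[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)\s*=\s*'
    r'(?P<quote>["\'])(?P<value>[^"\']{8,})(?P=quote)\s*(?:#.*)?$'
)


def find_hardcoded_secrets(source: str):
    """Return (line_number, variable_name) for each suspicious assignment.

    The matched value is deliberately not returned, so a hook that prints its
    findings does not echo the secret into the terminal or CI logs.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.match(line)
        if m:
            findings.append((lineno, m.group("name")))
    return findings


def staged_python_files():
    """Paths of .py files staged for commit (needs git; used only as a hook)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p.endswith(".py")]


def main() -> int:
    failed = False
    for path in staged_python_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, name in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{lineno}: hard-coded credential in {name}",
                      file=sys.stderr)
                failed = True
    return 1 if failed else 0


# Constructed sample file contents, used to exercise the scanner offline.
EXAMPLE_SOURCE = '''import os
API_KEY_SERVICE = "ABC123ABC"
TIMEOUT = 30
DB_PASSWORD = os.environ["DB_PASSWORD"]
SENDGRID_TOKEN = 'SG.example-not-real'  # pasted in by mistake
TOKEN = ""
'''

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) and it runs on every commit; on the constructed `EXAMPLE_SOURCE` it reports lines 2 and 5 and leaves the `os.environ` lookup and the empty placeholder alone.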
There are a few options:

  1. Store it locally as you have and, as Sebastin Santy noted, add constants.py to your .gitignore file.

  2. Store it as an environment variable if you're using a conda virtual environment. Virtual environments aren't stored; the requirements for creating one are in the requirements.txt file. You can find more on the steps in the conda documentation.

  3. Use the os module.

  4. If you have more than one set of environment variables, you might consider using decouple

  5. If you're using AWS, you'll want to store the (what would be third party) keys in their own area with its own IAM. There are two ways recommended by AWS.

Judicative answered 6/7, 2021 at 3:05

Comments (2):
I like that you included AWS in your answer, but I'm curious why you didn't mention AWS Secrets Manager? (Osmo)
@Osmo - No, you're right. That was an oversight. Thanks for pointing it out. (Judicative)
There are some good answers here. To add to them, I think we can also use the keyring module, which will read the credentials from Windows Credential Manager or the macOS Keychain. But I would love to hear the thoughts of the community. Thanks.

Here's the link to that: https://pypi.org/project/keyring/

Whaleback answered 13/9, 2022 at 1:13
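An added example of the keyring approach, not code from the answer: look the key up in the OS credential store with `keyring.get_password(service, account)`, and fall back to an environment variable when keyring is not installed or has no usable backend, which is the normal situation on a headless server or in CI. The service name `sendgrid`, the account `deploy-bot` and the derived variable name `SENDGRID_API_KEY` are assumptions; the keyring calls and the `keyring set` command are the package's real interface.

```python
# Added example (not from the answer above): keychain first, environment
# variable second. The keyring package is third-party (pip install keyring);
# on a machine without a credential store its lookup raises, and this code
# treats that the same as "not installed".
import os
from typing import Mapping, Optional


def keyring_lookup(service: str, account: str) -> Optional[str]:
    """Return the stored secret, or None when keyring is unavailable."""
    try:
        import keyring
    except ImportError:
        return None
    try:
        return keyring.get_password(service, account)
    except Exception:  # e.g. keyring.errors.NoKeyringError on a headless box
        return None


def get_api_key(service: str, account: str,
                env: Mapping[str, str] = os.environ,
                env_var: Optional[str] = None,
                use_keyring: bool = True) -> str:
    """Resolve a credential; raise with a fix-it hint instead of returning ''."""
    # Assumed naming convention: service "sendgrid" -> SENDGRID_API_KEY
    env_var = env_var or f"{service.upper().replace('-', '_')}_API_KEY"
    if use_keyring:
        value = keyring_lookup(service, account)
        if value:
            return value
    value = env.get(env_var)
    if value:
        return value
    raise LookupError(
        f"no credential for {service}/{account}: run "
        f"`keyring set {service} {account}` on a workstation, or export {env_var}"
    )


if __name__ == "__main__":
    # Constructed environment so the example runs without a keychain entry.
    print(get_api_key("sendgrid", "deploy-bot",
                      env={"SENDGRID_API_KEY": "SG.example-not-a-real-key"}))
```

On a developer laptop, `keyring set sendgrid deploy-bot` stores the key once in the OS store (encrypted and tied to the user's login) and nothing secret lives in the repository directory at all; the same code then picks the key up from the environment in a container, where a keychain is not available.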
Please allow me to add more to the environment variables approach, which is not limited to a conda virtual environment. One can use a .env file and place it in the root directory of your project. Meanwhile, you should include .env in the .gitignore file.

What makes this approach different compared to using constants.py, especially for those who do not subscribe to a Key Management Service?

Flier answered 25/2 at 5:19
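An added example of the .env approach, not code from the answer and not the python-dotenv package (which does the same job with more features): a small loader that parses `KEY=value` lines, including comments, an `export` prefix and quoted values, and copies them into the process environment without overriding variables the shell, container or CI already set. That precedence is what separates it from a constants.py: the code always reads `os.environ`, the file is just a developer convenience that is absent in production, and a value injected by the deployment platform wins. The regexes, function names and the sample file contents are assumptions constructed for this illustration.

```python
# Added example (not from the answer above): a minimal .env loader. Entries
# never override variables that are already set, so the same code reads its
# keys from os.environ on a laptop (from .env) and in production (from the
# platform) without a code change. The file contents below are constructed.
import os
import re
from pathlib import Path
from typing import Dict, MutableMapping

ASSIGNMENT = re.compile(
    r"^(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.*?)\s*$"
)
QUOTED = re.compile(r"^(?P<q>[\"'])(?P<v>.*?)(?P=q)\s*(?:#.*)?$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse .env text into a dict; malformed lines raise rather than being skipped."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        value = m.group("value")
        quoted = QUOTED.match(value)
        if quoted:
            value = quoted.group("v")                 # quotes may contain '#' and spaces
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        result[m.group("key")] = value
    return result


def apply_dotenv(text: str, env: MutableMapping[str, str] = os.environ,
                 override: bool = False) -> Dict[str, str]:
    """Copy parsed entries into `env`; return only the entries actually set."""
    applied: Dict[str, str] = {}
    for key, value in parse_dotenv(text).items():
        if override or key not in env:
            env[key] = value
            applied[key] = value
    return applied


def load_dotenv(path=".env", env: MutableMapping[str, str] = os.environ,
                override: bool = False) -> Dict[str, str]:
    """Load the file if present; a missing .env is the normal case in production."""
    p = Path(path)
    if not p.is_file():
        return {}
    return apply_dotenv(p.read_text(encoding="utf-8"), env, override)


# Constructed sample: the kind of file that sits next to the code and in .gitignore.
SAMPLE_DOTENV = """# API credentials (never commit this file)
export SENDGRID_API_KEY='SG.example-not-a-real-key'
API_KEY_SERVICE="ABC123ABC"   # trailing comment outside the quotes
DB_HOST=localhost # ignored when the shell already sets DB_HOST
EMPTY=
"""

if __name__ == "__main__":
    fake_env = {"DB_HOST": "db.internal"}   # pretend the platform set this
    print(apply_dotenv(SAMPLE_DOTENV, env=fake_env))
    print(fake_env["DB_HOST"])              # still db.internal
```

Call `load_dotenv()` once at startup, before the code that reads `os.environ`. Raising on a malformed line is deliberate: silently skipping it would surface later as a confusing "missing key" error far from the typo that caused it.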
