5 Tips to Safely Use Credentials in Your Python Project

👷 Join the FREE Code Diagnosis Workshop to help you review code more effectively using my 3-Factor Diagnosis Framework: www.arjancodes.com/diagnosis

Great tips, thanks! For item 4. "Don't share credentials in plain text". If you're developing for AWS, then AWS Secrets Manager is a good choice.

Pro Tip: Use a secrets manager, like 1 password CLI that can dynamically embed your secrets from your vault into the env. It also allows you to share the secrets securely with team, and rotate them centrally.

arjan out here fleeced out new hoodie i gotta step it up

Instead of using the dotenv package I rather like using direnv configured with `load_dotenv = true`. That way the project becomes agnostic of any particular package populating environment variables from `.env`. The project receives all the variables the same way, but without having to import anything extra. This technique works for any project in any language, even though for a specific language there is no dotenv package provided.

Hey Arjan, thank you for your work from Spain. Would be great if you create a video with your top python books "to improve your python skills to another level", thank you!

Thanks a lot! Nice tips, everybody should do so.

The 'keyring' library is also very handy to store credentials using the OS's built-in credential manager in a structured way.

What if I'm making executables with pyinstaller?

A few collegues of mine discussed using a centralized service to store credetials for multiple software projects. Ideally including monitoring for any credetials that involve external API-services. Any suggestions?

Despite the hints are appliable to any repository you can use, that's one of the reasons why I (and my teams) use our self-hosted Gitea servers for private projects (and similar ones for job's). Gitea is practically identical to github as far as I use it. I think that github is only for public sharing tested, non private and/or thoroughfully reviewed things.

You can also use tools like 'git filter-branch' and 'git filter-repo' (recommended) to remove any secrets from your git history. The downside is that you have to force push afterwards since you're changing the history.

Several companies that I have worked at use Vault as the de facto way of sharing credentials with services running in production. I would say this is probably more secure than all of the ways described in this video.

Nuttige tips!!

Second 😂 ! Thanks man for your amazing content. From a teacher, you are a good example of someone who knows the art of teaching. Good luck

If server is hacked, attacker can dump environment variables. How to defend against this ?

I think that the people who are likely to commit private key files are also the same kind of people who would create a .env file and not add a gitignore rule for it.

impossible to get any variable, still fighting on this crap since three days and it systematically returns me none

First ❤

this weird convention of making env definitions hidden drives me crazy. I have no idea where it comes from, to me it's completely illogical

Do you plan on using another VSCode theme ?
The default one is pretty lame if you ask me, it does not have enough colors to differentiate the different types of words in a Python script.
I suggest you to use Atom Dark Pro, as it’s close enough to the original theme, but with way more colors for the scripts.
I can understand that you don’t want beginners to be disturbed, but I think that past a certain point, everyone has a custom theme, and it might not be a good idea to accustom beginners to the bad default theme

os.environ[key]/os.environ.get() is faster than os.getenv() and is also a good practice, because it lowers the chances of people thinking they should in turn use the (broken) os.setenv() when they need to set environment variables.