I have a python app that makes a call to a web API to collect some data, processes the data displays it on a front end. Unfortunately, the credentials that are needed to access the API also give access to a bunch of sensitive information.
Therefore, I was wondering if there was any way to connect to the API in a way that doesn't let people with access to the python code reconstruct the credentials. I have found some posts about encrypting the data outside the app and decrypting it inside the app, but it seems to me that this would require revealing the decryption method in the python code, which would mean that everyone could simply reconstruct it.
By using .env file with e.g. python-dotenv library.
mycode.py file:
from dotenv import load_dotenv
load_dotenv()
my_var=os.getenv("MYHIDDEN_VAR")
.env file:
MYHIDDEN_VAR='REAL VALUE'
.env.example file:
MYHIDDEN_VAR='OBSCURED VALUE'
Related
I'm developing a Telegram Bot which will make HTTP request to an external API which requires an API key.
Is there a special place wherein secrets like this should be kept in Telegram Bots? The one that Telegram API or SDK may provide?
Or is it normal to store them in the source code hardcoded?
Do not store them in the source code, if you send that code to somebody later, you might forget to remove the key.
Instead, put it in a .env file, and load it into memory using os.environ.
How the contents of .env could look like:
API_KEY=SECRET_HERE123
from dotenv import load_dotenv
import os
load_dotenv()
print(os.environ["API_KEY"])
I've been using PyDrive for Google Drive automation and it works perfectly locally. I plan to move the code to a remote shared machine, which would mean I'll need to move the secrets too. I am using LoadCredentialsFile and passing in credentials.json. I don't however think my issue is based on my own code, and rather the PyDrive code.
In short: I want to trigger a function in the PyDrive module where it would usually fetch the client_secret and client_id from the credentials.json file. And this function will fetch the client_secret and client_id from vault instead. With this, I could then delete client_id and client_secret from credentials.json (for security reasons on the shared machine) and just fetch them and store in memory them when the python script executes.
The problem I am having is this. I can delete the client_secret and client_id from the credentials.json file and hard code them under the PyDrive client.py class OAuth2Credentials(Credentials), under function from_json(), where it seems to be fetching the secrets from the json file. So instead of this inside that function:
data['access_token'],
data['client_id'],
data['client_secret'],
data['refresh_token'],
I could instead do this (i have tried this and it works):
data['access_token'],
"myhardcodedclient_id.apps.googleusercontent.com",
"myhardcodedclient_secret",
data['refresh_token'],
And then I could (haven't tried it yet) replace those hard coded values with functions to fetch the secrets from vault (hashicorp vault). Example:
data['access_token'],
get_client_id(),
get_client_secret(),
data['refresh_token'],
The problem, however, is that when the script runs, it does use the hardcoded values, but it also overwrites the existing credentials.json file (with no secrets - because I manually deleted them) and inserts the hardcoded values into that json file, which then ruins the whole idea behind using vault (not wanting to expose client secret/id to other users on the remote machine.)
Am I over complicating this? I would post the PyDrive code but there is 5000+ lines in the client.py file alone so I'm sure it would be spam and this isn't an issue with my own script (as that works perfectly as expected). If anyone has had experience doing something similar, please help! Thank you!
Recently I've made a twitter-bot using tweepy for my own need. Now to host it online 24x7, I first tried Heroku (couldn't add the credit/debit card), then pythonanywhere.com (I don't know why the console was shutting down after a day), then repl.it (the API keys were returning None from the .env file - though in my system it was running fine) and finally WayScript.com.
Now, here I encountered a new file type saying .secrets. I used .env for storing all the keys, but they were asking to save those credentials in the .secrets file. They also provide the .env file type. But it says that it is preferable to add those credentials in the .secrets file as they will be saved as an encrypted string in that case. Here is the screen view -
Now, if I use .env file, I can easily import the credentials using the code below -
import os
Secret_Key = os.environ['key']
But if I use a .secret file, then how the credentials will be called?
I appreciate any help you can provide.
You should use ws.environment to read values stored inside .secrets file. If you need to retrieve your API key you can do that as follow.
api_key = ws.environment['API_KEY']
I am creating a Python script which reads a spreadsheet and issues Rest requests to an external service. A token must be obtained to issue requests to the Rest service, so the script needs a username and password to obtain the oauth2 token.
What's the best or standard way to hide or not have visible information in the Python script?
I recommend using a config file. Let's create a config file and name it config.cfg. The file structure should look more or less like this:
[whatever]
key=qwerertyertywert2345
secret=sadfgwertgrtujdfgh
Then in python you can load it this way:
from configparser import ConfigParser
config = ConfigParser()
config.read('config.cfg')
my_key = config['whatever']['key']
my_secret = config['whatever']['secret']
In general, the most standard way to handle secrets in Python is by putting them in runtime configuration.
You can do that by reading explicitly from external files or using os.getenv to read from environment variables.
Another way is to use a tool like python-decouple, which lets you use the environment (variables), a .env file, and an .ini file in a cascade, so that developers and operations can control the environment in local, dev, and production systems.
I am building simple app which is using Twitter API. What I have to do to hide my Twitter app keys? For example, if I will put my program to the internet and somebody who look up to the code will know my consumer key, access token etc. And if I not include this information into my program, that it won't be work!
I'm assuming by putting on the internet you mean publishing your code on github or such.
In that case you should always separate code and configuration. Put your API keys in an .ini file, i.e. config.ini, then load that file from python program using configparser
Add configuration file to your .gitignore so it would not get added to the source control.
Assuming you're running on a Unix like system, one way to handle this is environment variables.
In your shell you can do this:
export TWITTER_API_KEY=yoursecretapikey
Note that you don't use quotes of any kind for this.
Then in your script:
import os
twitter_key = os.environ.get('TWITTER_API_KEY')