Problem:
I have a passwords.py that I need to push to Heroku for my app to work, but I can't commit it to my public git repo because then anyone would be able to view my passwords.
The passwords are tokens / secret keys / other API keys to allow my app to authenticate its requests to 3rd party APIs. I'm storing them in base64 encoding in the passwords.py, but if I push it to git encoded anyone would easily be able to see the passwords with b64decode().
How can I push my passwords file to Heroku without including it in my public git repo?
or
How can I securely store my passwords in my public git repo?
What I've tried:
git push only one file to Heroku
Hiding a password in a python script (insecure obfuscation only)
Git pushing a single file doesn't seem to be an option. While using any similar method to encode/decode the passwords would only give me a false sense of security. Any ideas on how to solve it? Thanks!
Use environment variables! You can access them from your python scripts, and heroku lets you easily set them for your app.
Here is some information about setting config vars in heroku.
Create a second branch containing the file. Do not track it on your public repository.
Whenever you need to push to heroku, rebase that branch to master and then push that branch to Heroku.
Related
I have one application on Heroku that will use Tweepy to access Tweet data. Usually, what I do is to git push to the github and since Heroku is linked with it, the app will be automatically updated. It will be stupid to push the script with the token to Github. I know people usually use another py file to store the key. But when you deploy an app online, you will also need to push that py file which does not solve the problem. Do you have any suggestions?
Thank you guys.
You can use the environment variables of Heroku
Then, in your code, you can access this with:
import os
MY_TOKEN = os.environ['MY_TOKEN']
I have a locally made Django website and I hosted it on Heroku, at the same time I push changes to another github repo. I am using the built-in Database to store data. Will other users be able to get the data that has been entered in the database from my repo (like user details)?
If so, how to prevent it from happening? Solutions like adding files to .gitignore will also prevent pushing to Heroku.
No one can steal your data if you don't push sensitive information in git repo. Never push your credentials to public repository.
Use one of the methods below.
- Create a separate file for credentials and add it to .gitignore file and copy it manually to the server.
- Save credentials in .env file and use python package to read information from there.
For more detail read these threads:
- https://www.reddit.com/r/learnpython/comments/264ffw/what_is_the_pythonic_way_of_storing_credentials/
- Python/Django - Avoid saving passwords in source code
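Putting the two answers together (Heroku config vars in production, a git-ignored .env file locally, as suggested above for both the Tweepy and the Django question), this added example loads the secrets a script needs and fails with a clear error when one is missing. It is not code from the thread; the .env reader is a deliberately tiny stand-in for a package such as python-dotenv, and the sample file content is constructed.

```python
import os
from pathlib import Path

# Constructed sample of a local .env file (kept out of git via .gitignore).
SAMPLE_DOTENV = """
# local development only
TWITTER_TOKEN='dev-token-1234'
SECRET_KEY=dev-secret
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def read_dotenv(path=".env"):
    """Return the file's text, or '' when it is absent (e.g. on Heroku)."""
    p = Path(path)
    return p.read_text() if p.exists() else ""


def load_secrets(required, environ=None, dotenv_text=""):
    """Return {name: value} for every required secret.

    Real environment variables (Heroku config vars) win over the .env
    file, so one code path serves production and local development.
    Missing names raise one error that lists names only, never values.
    """
    environ = os.environ if environ is None else environ
    merged = parse_dotenv(dotenv_text)
    merged.update({k: v for k, v in environ.items() if v})
    missing = sorted(name for name in required if not merged.get(name))
    if missing:
        raise RuntimeError("missing secrets: " + ", ".join(missing))
    return {name: merged[name] for name in required}


def redact(value, keep=4):
    """Log-safe preview of a secret: first few characters only."""
    return (value[:keep] if len(value) > keep else "") + "..."
```

Call it as `load_secrets(["TWITTER_TOKEN", "SECRET_KEY"], dotenv_text=read_dotenv())` at startup, and only ever log `redact(value)`.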
The code itself wouldn't be enough to get access to the database. For that you need the db name and password, which shouldn't be in your git repo at all.
On Heroku you use environment variables - which are set automatically by the postgres add-on - along with the dj_database_url library which turns that into the relevant values in the Django DATABASES setting.
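To show what the dj_database_url step above actually does, here is an added stdlib re-implementation (not the library's code and not from the thread) that turns a DATABASE_URL such as the one the Heroku Postgres add-on sets into the dict Django expects under DATABASES['default']. The host, user and password in the test are constructed sample values.

```python
import os
from urllib.parse import urlparse, unquote

# Scheme -> Django backend; mirrors the common dj_database_url mappings.
ENGINES = {
    "postgres": "django.db.backends.postgresql",
    "postgresql": "django.db.backends.postgresql",
    "mysql": "django.db.backends.mysql",
    "sqlite": "django.db.backends.sqlite3",
}
DEFAULT_PORTS = {"postgres": 5432, "postgresql": 5432, "mysql": 3306}


def parse_database_url(url):
    """Build the dict Django expects under DATABASES['default']."""
    parts = urlparse(url)
    scheme = parts.scheme
    if scheme not in ENGINES:
        raise ValueError("unsupported database scheme: %r" % scheme)
    name = parts.path[1:]  # drop the leading '/'
    if scheme == "sqlite":
        return {"ENGINE": ENGINES[scheme], "NAME": name or ":memory:"}
    return {
        "ENGINE": ENGINES[scheme],
        "NAME": name,
        # urlparse leaves credentials percent-encoded; unquote restores
        # characters such as '@' or '/' that a generated password may contain.
        "USER": unquote(parts.username or ""),
        "PASSWORD": unquote(parts.password or ""),
        "HOST": parts.hostname or "",
        "PORT": parts.port or DEFAULT_PORTS[scheme],
    }


def database_config(environ=None, default="sqlite:///db.sqlite3"):
    """Read DATABASE_URL from the environment, never from settings.py."""
    environ = os.environ if environ is None else environ
    return parse_database_url(environ.get("DATABASE_URL", default))
```

In settings.py this becomes `DATABASES = {"default": database_config()}`, so the same file works locally (sqlite default) and on Heroku without any credential in the repository.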
I am trying to run through the creation of a Flask web app in Azure using this instruction page.
Creating Web apps with Flask in Azure
In the "Application Overview" section, it lists some FlaskWebProject files, saying:
Here's an overview of the files you'll find in the initial Git repository
\FlaskWebProject\__init__.py
\FlaskWebProject\views.py
\FlaskWebProject\static\content\
\FlaskWebProject\static\fonts\
\FlaskWebProject\static\scripts\
\FlaskWebProject\templates\about.html
\FlaskWebProject\templates\contact.html
\FlaskWebProject\templates\index.html
\FlaskWebProject\templates\layout.html
The problem is that I don't get these files when I connect up Azure to a Github repository. I know they exist because my Azure app renders this default Flask webapp. The files exist in /wwwroot.
I am sure that I am missing something obvious here, so if anyone has followed the most recent Flask setup instruction for Azure, and had success, their input would be great.
Your initial GitHub repository is empty, so you need to clone the repository.
The process is described in the same article you mentioned, but a little later.
Basically:
1) Go to the deployment source and configure the deployment source - for example, local github
2) Go to Settings => Properties. Here you should have Git URL where your files are placed
3) Go to your workstation, and execute
git clone https://yourdeploymentusername#todeleteflask.scm.azurewebsites.net:443/todeleteflask.git
Enter password.
You should be all set now. Now, if you make change, you may push to the repository and it will arrive on the site.
Heroku lets you externalise Django configuration, i.e. to put API IDs and secret keys into config vars, that can be later accessed as in os.environ.get('MYVAR',3)
It is shown how to do that in this tutorial.
However, is it safe to just hardcode the secret variables in the settings.py if I am using a private Git repository for my project?
It's safe as long as no one can get into your server files or Git repository, but neither of those seems wise to assume, unless you are even more worried about someone getting into your Heroku account.
I am trying to make a python script which would check for changes in my git local working folder, and automatically push them to the online repo. Currently only using git manually to do it. I want to know, what would a script require to do this without manual intervention.
The commands I'd type in my shell are:
#for checking the status, and determining if there are untracked files
git status
#if there are untracked files...add them
git add .
#add my commit message
git commit -m "7/8/2012 3:25am"
#push it to my online repo
git push origin master
#check if changes came on remote
git diff origin/master
#merge my repo with origin
git merge origin/master
When doing the git push, you'd always have to enter username/password. I know that git has a way around this which involves making ssh keys and all. But I am assuming there is some way GitPython is doing it. I mean we can pass username/password through code, or go with the former. So what are my options regarding authentication when I am using GitPython?
Edit: There are apps which actually generate the ssh keys, for e.g. github's windows application. How is the windows app doing this? My assumption is that there is surely some git api for it...
If you are authenticating using SSH keys, then use ssh-agent to load your key once, and then you can keep using the key without having to provide the passphrase all the time.
Alternatively, you could simply generate a key without a passphrase, if you don't care about your key security.
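As an added example (not code from the question or the answers), here is a non-interactive version of the git sequence from the question that follows the ssh-agent advice: it checks that the agent holds a key, runs ssh with BatchMode=yes and GIT_TERMINAL_PROMPT=0 so an unattended run fails instead of hanging on a password prompt, and refuses to stage files such as passwords.py even if .gitignore is missing. The `git status --porcelain` sample it parses is constructed.

```python
import os
import subprocess
from datetime import datetime

# Constructed sample of `git status --porcelain` output for the parser.
SAMPLE_STATUS = " M app/views.py\n?? passwords.py\nA  README.md\n"


def parse_status(porcelain):
    """Split porcelain output into (changed, untracked) path lists."""
    changed, untracked = [], []
    for line in porcelain.splitlines():
        if not line.strip():
            continue
        code, path = line[:2], line[3:]
        (untracked if code == "??" else changed).append(path)
    return changed, untracked


def git(repo, *args):
    """Run one git command in `repo`; ssh and git must never prompt."""
    env = dict(os.environ, GIT_SSH_COMMAND="ssh -o BatchMode=yes",
               GIT_TERMINAL_PROMPT="0")
    return subprocess.run(["git", *args], cwd=repo, env=env, check=True,
                          capture_output=True, text=True).stdout


def agent_has_key():
    """True when ssh-agent is reachable and holds at least one key."""
    return subprocess.run(["ssh-add", "-l"], capture_output=True).returncode == 0


def sync(repo, branch="master", never_add=("passwords.py", ".env")):
    """Stage, commit and push local changes; returns the commit message or None."""
    changed, untracked = parse_status(git(repo, "status", "--porcelain"))
    to_add = [p for p in changed + untracked
              if os.path.basename(p) not in never_add]
    if not to_add:
        return None
    if not agent_has_key():
        raise RuntimeError("no key loaded in ssh-agent; run ssh-add first")
    git(repo, "add", "--", *to_add)
    message = datetime.now().strftime("%m/%d/%Y %I:%M%p")
    git(repo, "commit", "-m", message)
    git(repo, "push", "origin", branch)
    return message
```

Run `sync("/path/to/repo")` from cron or a file watcher after a single `ssh-add` in that session; if the agent has no key, it stops before committing anything.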
I have looked up the code to be sure; there is nothing that lets you define a username/password combination for communication.
This has to be it because ssh does not give you the ability to provide a password beforehand; it intentionally asks for a user prompt. The only way is to use ssh keys for automation.
However, if you really want to bend your limits, there's an open source app for non-interactive ssh communication without using ssh keys: http://sourceforge.net/projects/sshpass/
If you compile & install this and direct a communication protocol like ssh:// to this app, it may work. However, I don't think that you should; just use keys, they're great =)