
Best Practices Python - Where to store API KEYS/TOKENS

I am building a system that uses API tokens and keys to access services, but where is the best place to store them? I want to push the code to GitHub without pushing the tokens.

Currently, I've placed them in a blank file named Constants.py and, in the main Python file, I import Constants.py.

API_KEY_SERVICE = "ABC123ABC"

Main.py:

import Constants
# The attribute name must match the one defined in Constants.py
service_key = Constants.API_KEY_SERVICE

Rodrigo Calderano Barbacovi asked Jul 11 '19 18:07


2 Answers

What you are attempting is the correct way to segregate sensitive information from code. You should include constants.py in your .gitignore file, which will prevent Git from tracking that file and thus from pushing it to GitHub.

For .gitignore, refer: https://git-scm.com/docs/gitignore

Sebastin Santy answered Nov 11 '22 02:11


There are a few options:

  1. Store it locally as you have and, as Sebastin Santy noted, add constants.py to your .gitignore file.

  2. Store it as an environment variable if you're using a conda virtual environment. Virtual environments aren't stored; the requirements for creating one are in the requirements.txt file. You can find more on the steps from the conda documentation.

  3. Use the OS module

  4. If you have more than one set of environment variables, you might consider using decouple

  5. If you're using AWS, you'll want to store the (what would be third party) keys in their own area with its own IAM. There are two ways recommended by AWS.

  • a. IAM roles
  • b. Store Secrets using Parameter Store
  • c. Store Secrets using Secrets Manager - Current method recommended by AWS

hrokr answered Nov 11 '22 01:11
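
Options 2 to 4 in the answer above come down to reading the key from the process environment instead of from a tracked Python file. The following is an added example, not code from the question or either answer: the helper names `get_secret`, `parse_env_file` and `mask` and the `.env` file name are assumptions chosen for illustration, and `API_KEY_SERVICE` is the variable name from the question.

```python
import os
from pathlib import Path


class MissingSecret(RuntimeError):
    """A required key was found neither in the environment nor in the local file."""


def parse_env_file(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments, stripping quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = value.strip().strip("'\"")
    return values


def get_secret(name, environ=None, env_file=".env"):
    """Prefer the process environment; fall back to an untracked local file."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    path = Path(env_file)
    if not value and path.is_file():
        value = parse_env_file(path.read_text()).get(name)
    if not value:
        # Fail at startup rather than sending an empty key to the service.
        raise MissingSecret(f"{name} is not set in the environment or {env_file}")
    return value


def mask(secret, visible=4):
    """Form that is safe to log: only the last few characters are shown."""
    if len(secret) <= visible:
        return "*" * len(secret)
    return "*" * (len(secret) - visible) + secret[-visible:]


if __name__ == "__main__":
    # Constructed value standing in for `export API_KEY_SERVICE=...` in the shell.
    sample_env = {"API_KEY_SERVICE": "ABC123ABC"}
    service_key = get_secret("API_KEY_SERVICE", environ=sample_env)
    print("loaded key", mask(service_key))
```

If the local file fallback is used, the `.env` file needs the same .gitignore entry that the first answer describes for constants.py.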