Django - Is it OK to load secrets / passwords / dynamic values from a cloud service directly in the settings file

I want to load some values in my Django settings file at the time of application startup, dynamically from the cloud, namely:

  1. Database password
  2. Database IP address

Is it a good practice to add Python code to the settings file to retrieve these values from the cloud?

I believe these will be loaded only once, at the time of application startup i.e. they won't adversely affect the performance of my application.

For instance:

# ~ settings.py ~

# retrieve data from the cloud, directly in the settings file
db_password   = get_my_secrets()
db_ip_address = discover_db_ip()

# configure the database with these dynamic values
DATABASES = {
    'default': {
        'PASSWORD': db_password,
        'HOST'    : db_ip_address,
    }
}

Here's a related article (shared by @Adiii): Django Settings In the Cloud

user asked Jul 04 '20 16:07
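As an added example (not part of the question or the answer below), this is the pattern from the question written so that the cloud call happens exactly once when Django imports settings.py, the returned secret is validated before it reaches DATABASES, and a missing or malformed secret stops startup instead of letting the application come up misconfigured. The JSON field layout, the secret name `app/db`, the `DB_SECRET_NAME` variable and the `fetch_secret_stub` function are all assumptions made for this example; in a real deployment `fetch_secret` would be the provider client (for instance boto3's `get_secret_value`), which is why it is injectable here.

```python
import json
import os

# Constructed sample of a Secrets Manager-style "SecretString" for a database
# secret (the JSON layout used for RDS credentials). Not taken from the page.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "app_user",
    "password": "s3cr3t-example",
    "host": "10.0.12.34",
    "port": 5432,
    "dbname": "appdb",
})

REQUIRED_FIELDS = ("username", "password", "host", "dbname")


def fetch_secret_stub(secret_name):
    """Hypothetical stand-in for a cloud call such as boto3's get_secret_value().
    It returns the constructed sample so the example runs offline; a real
    settings.py would pass the provider client's function instead."""
    if secret_name != "app/db":
        raise KeyError(secret_name)
    return {"SecretString": SAMPLE_SECRET_STRING}


def parse_db_secret(response):
    """Extract and validate the database fields from a get_secret_value()-style
    response dict. Raises rather than falling back to a default password:
    a broken secret should stop startup, not start the app misconfigured."""
    if "SecretString" not in response:
        raise ValueError("secret has no SecretString (binary secrets are not handled here)")
    try:
        data = json.loads(response["SecretString"])
    except json.JSONDecodeError as exc:
        raise ValueError("SecretString is not valid JSON") from exc
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        # Name the missing keys only; never echo the values that were present.
        raise ValueError("secret is missing required fields: %s" % ", ".join(missing))
    return data


def build_database_settings(secret_name, fetch_secret=fetch_secret_stub):
    """Build Django's DATABASES dict. Called once at module level of settings.py,
    so the fetch runs a single time per process, at import."""
    data = parse_db_secret(fetch_secret(secret_name))
    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": data["dbname"],
            "USER": data["username"],
            "PASSWORD": data["password"],
            "HOST": data["host"],
            "PORT": str(data.get("port", 5432)),
        }
    }


# Module-level use, as it would sit in settings.py. DB_SECRET_NAME is an assumed
# variable that lets each environment point at its own secret without code changes.
DATABASES = build_database_settings(os.environ.get("DB_SECRET_NAME", "app/db"))
```

Keeping the fetch behind a small function also means a test settings module or local development can pass a stub instead of reaching the cloud, and the error path surfaces which field is missing without ever writing the password to a log.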




1 Answer

You have multiple options to load these configuration values without altering the code.

  • AWS secret manager
  • Dot env file from s3
  • Environment variable

Secrets-manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Using AWS Secrets Manager you can change/update the DB host or your secret without changing the code. For example:

    import boto3

    secret_name = "db_password"
    region_name = "us-west-2"
    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    # The response is a dict; the secret value itself is under 'SecretString'
    db_password = get_secret_value_response['SecretString']

secrets-manager

Dot ENV with s3

Dot ENV reads the key-value pairs from a .env file and adds them to the environment variables. It is great for managing app settings during development and in production using 12-factor principles.

Create a Dot ENV file with all your secrets and place the file on S3; before starting the application, pull the file from S3 and then start the application.

import os

# Values are read from the process environment after the .env file has been loaded
SECRET_KEY = os.getenv("EMAIL")
db_password = os.getenv("db_password")

Python Dot ENV

Another option is just using system environment variables.

import os

# default_pass must be defined earlier; it is used when the variable is not set
db_password = os.getenv('db_password', default_pass)

Adiii answered Oct 03 '22 23:10
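The answer's second and third options both end in reading the process environment, so the weak points are how the .env file is parsed and what happens when a variable is absent. Added example, not code from the answer or from any dotenv library: a small loader that parses the .env format the answer describes (comments, `export` prefixes, quoted values), refuses to silently drop malformed lines, does not overwrite variables the operator already set, and a `require_env` helper that fails closed instead of substituting a default such as `default_pass`. The sample file content and all function names are constructed for this example.

```python
import os
import re

# Constructed .env content standing in for the file the answer pulls from S3.
SAMPLE_DOTENV = """
# database settings
export DB_HOST=10.0.12.34
DB_PORT=5432
DB_PASSWORD="p@ss word # not a comment"
EMPTY_VALUE=
MALFORMED LINE WITHOUT EQUALS
"""

# KEY=VALUE with an optional leading "export", as shell-style .env files allow.
_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Parse .env text into a dict of values plus the numbers of lines that did
    not parse. Blank lines and '#' comments are skipped; a '#' inside a quoted
    value is kept. Bad lines are reported, not ignored, so a corrupted file
    cannot quietly lose a credential."""
    values, bad_lines = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            bad_lines.append(lineno)
            continue
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]          # quoted: take contents verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: strip trailing comment
        values[key] = value
    return values, bad_lines


def apply_to_environ(values, environ=None, override=False):
    """Load parsed values into the environment (os.environ by default). Existing
    variables win unless override=True, so an explicit setting from the deployment
    is not clobbered by the file."""
    environ = os.environ if environ is None else environ
    for key, value in values.items():
        if override or key not in environ:
            environ[key] = value
    return environ


def require_env(name, environ=None):
    """Fail closed: raise when a required variable is missing or empty rather than
    falling back to a default value, which is the risk in
    os.getenv('db_password', default_pass)."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if not value:
        raise RuntimeError("required environment variable %s is not set" % name)
    return value


if __name__ == "__main__":
    parsed, bad = parse_dotenv(SAMPLE_DOTENV)
    print("parsed keys:", sorted(parsed))
    print("unparseable lines:", bad)
```

In settings.py the sequence would be: parse the file fetched before startup, call `apply_to_environ`, then read every secret through `require_env`, so a missing `DB_PASSWORD` surfaces as a startup error with the variable's name and nothing else.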