 

Storing the secrets (passwords) in a separate file

What's the simplest way to store the application secrets (passwords, access tokens) for a Python script? I thought it'd be a *.yml file like in Ruby, but surprisingly I found that it wasn't the case. So what is it then? What are the simplest solutions?

I want to put them in a separate file because that way I'll be able to not push that file to a GitHub repository.

Incerteza asked Aug 26 '14 08:08



2 Answers

I think storing credentials inside another *py file is your safest bet. Then just import it. An example would look like this:

config.py

```python
username = "xy"
password = "abcd"
```

main.py

```python
import config

# login() is the application's own function that consumes the credentials
login(config.username, config.password)
```

kecer answered Sep 21 '22 18:09


I was dealing with exactly the same question and actually ended up with the same solution as kecer suggested. Since I need to use it in dozens of scripts, I've created my own library. Let me share this solution with you.

credlib.py -- universal library to handle credentials

```python
class credential:
    def __init__(self, hostname, username, password):
        self.hostname = hostname
        self.username = username
        self.password = password
```

mycredentials.py -- my local file to store all credentials

```python
from credlib import credential

sys_prod = credential("srv01", "user", "pass")
sys_stg = credential("srv02", "user", "pass")
sys_db = credential("db01", "userdb", "passdb")
```

mysystemlib.py -- this is a general library to access my system (both the new credential system and the legacy one are supported)

```python
from credlib import credential

def system_login(*args):  # this is new function definition
#def system_login(hostname, username, password):  # this was previous function definition

    if len(args) == 1 and isinstance(args[0], credential):
        hostname = args[0].hostname
        username = args[0].username
        password = args[0].password
    elif len(args) == 3:
        hostname = args[0]
        username = args[1]
        password = args[2]
    else:
        raise ValueError('Invalid arguments')

    do_login(hostname, username, password)  # this is original system login call
```

main.py -- main script that combines credentials and system libs

```python
from mycredentials import sys_stg, sys_db
import mysystemlib
...
mysystemlib.system_login(sys_stg)
```

Please note that the legacy hostname/username/password way still works so it does not affect old scripts:

```python
mysystemlib.system_login("srv02", "user", "pass")
```

This has a lot of benefits:

  • same credential system across all our python scripts
  • files with passwords are separated (files can have more strict permissions)
  • files are not stored in our git repositories (excluded via .gitignore) so that our python scripts/libs can be shared with others without exposing credentials (everyone defines their own credentials in their local files)
  • if a password needs to be changed, we do it at a single place only
CraZ answered Sep 21 '22 18:09
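
A loader for the pattern in the answers above (a separate, git-ignored credentials file with strict permissions), given here as an added example that is not from either answer: it refuses to import the file unless the current user owns it and no group/other permission bits are set. The module name `local_credentials`, the function names and the POSIX-only ownership check are assumptions, and the sample file is constructed.

```python
import importlib.util
import os
import stat
import tempfile


def permission_problems(path):
    """Return reasons why `path` is unsafe to import as a credentials module."""
    st = os.stat(path)
    problems = []
    if st.st_uid != os.getuid():  # POSIX only (assumption)
        problems.append("not owned by the current user")
    extra = stat.S_IMODE(st.st_mode) & 0o077  # any group/other bit
    if extra:
        problems.append(f"group/other bits {extra:03o} set; expected mode 600")
    return problems


def load_credentials(path):
    """Import the credentials file only if nobody else can read or modify it."""
    problems = permission_problems(path)
    if problems:
        raise PermissionError(f"{path}: " + "; ".join(problems))
    # Importing executes the file, so write access matters as much as read access.
    spec = importlib.util.spec_from_file_location("local_credentials", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def demo():
    """Build a constructed credentials file and load it at modes 644 and 600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mycredentials.py")
        with open(path, "w") as fh:
            fh.write('username = "xy"\npassword = "abcd"\n')  # constructed sample
        os.chmod(path, 0o644)  # world-readable: must be rejected
        try:
            load_credentials(path)
            rejected = False
        except PermissionError:
            rejected = True
        os.chmod(path, 0o600)  # owner-only: accepted
        creds = load_credentials(path)
        return rejected, creds.username, creds.password


if __name__ == "__main__":
    print(demo())
```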