How to use Django with SecretHub
This guide will show how you to load secrets from SecretHub into your Django application. These could be database passwords, API keys, encryption keys, your Django secret key or anything else you’d like to keep secret.
Instead of putting secrets values in source code or config files, you’ll be able to load them on demand from a secure and central place.
Before you begin
Before you start using SecretHub with Django, make sure you have completed the following steps:
Step 1: Replace plaintext values with references
Collect all secrets from your
settings.py or config files, and use the SecretHub CLI to encrypt and store them.
To do this, copy the values to your clipboard and use the
write command and specify a path on SecretHub:
secrethub write --clip your-username/demo/api_key
In your Python code, read these secrets from environment variables:
import os API_KEY = os.getenv('API_KEY')
Then, in your app launch script or runtime environment, you’ll have to set these environment variables.
But instead of using plaintext values, reference the secrets by the path you chose earlier, prefixed with
Step 2: Load secrets into your app
To load secrets into your app, you don’t have to incorporate a Python client or SDK of some sort. Your application code can stay SecretHub-agnostic.
Instead, you can use the CLI to automatically fetch and decrypt secrets the moment your app starts.
Simply wrap your app start command with
secrethub run and any environment variable that references a SecretHub secret will get updated to contain the actual secret value:
secrethub run -- python manage.py runserver
That’s it! You have now provisioned the app without a secret being near it. 🎉
As an added bonus,
secrethub run keeps an eye on your log output to see if any secret accidentally gets logged and masks them from the output!
Django Secret Key
Every new Django project comes with a hardcoded
SECRET_KEY in the
# SECURITY WARNING: keep the secret key used in production secret! SECRET_KEY = 'p0lx_5n@$+2yyc&(bz!t=t&*w55ed#-wecor+brcf#2k^h(bl!'
To store this on SecretHub, you can also use the
generate command to automatically generate and store a new value:
secrethub generate \ --length=50 \ --charset=lowercase,numeric,symbols \ your-username/demo/secret_key
secrethub run -- gunicorn app_name.wsgi
Next Up: Deploy your app
It’s great if simple examples work locally, but they don’t mean much if they don’t work anymore in a real-world scenario. So to read more about actually deploying your app with SecretHub, see: