How to keep secrets safe and in sync
Provision database passwords, API keys, and other secrets to your Django app, without keeping them in Git and without having to change your Python code.
Step 1
Replace plaintext secrets with references
Collect all secrets from your settings.py, orchestrator manifests, .env file, or any other config file, and use the SecretHub CLI to encrypt and centrally store them.
In your Python code there is no need to import a library or SDK of any kind; you simply read the secrets from environment variables.
settings.py
import os
DB_USER = os.getenv('DB_USER')
DB_PASSWORD = os.getenv('DB_PASSWORD')
API_KEY = os.getenv('API_KEY')
To specify the secrets your Django app needs, create a file named secrethub.env:
secrethub.env
DB_USER = {{ company/app/db/user }}
DB_PASSWORD = {{ company/app/db/password }}
API_KEY = {{ company/app/api/key }}
If you’re familiar with .env files in Python: a secrethub.env file is a templated version of a regular .env file. Because it contains only references to secrets and no secret values, it can be checked into Git and shared freely.
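To make the template semantics concrete, here is an added illustration, written for this page and not SecretHub's own code: a small Python parser for the secrethub.env format that resolves each `{{ path }}` reference through a lookup function and refuses to continue if any reference cannot be resolved, plus a `require_env` helper for settings.py that fails at startup instead of silently running with a `None` secret. The in-memory `SAMPLE_STORE` stands in for the CLI's resolution step and holds constructed, non-secret values.

```python
import os
import re
# Matches one template line, e.g.: DB_USER = {{ company/app/db/user }}
_REF_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\{\{\s*([^\s}]+)\s*\}\}\s*$")

def parse_template(text):
    """Return {ENV_NAME: secret_path} from secrethub.env-style text."""
    refs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = _REF_LINE.match(line)
        if not m:
            raise ValueError(f"secrethub.env line {lineno}: not a '{{{{ path }}}}' reference")
        refs[m.group(1)] = m.group(2)
    return refs

def resolve(refs, lookup):
    """Resolve every reference via lookup(path); report all missing ones at once."""
    env = {}
    missing = []
    for name, path in refs.items():
        value = lookup(path)
        if value is None:
            missing.append(path)
        else:
            env[name] = value
    if missing:
        raise LookupError("missing secrets: " + ", ".join(missing))
    return env

def require_env(name, environ=None):
    """settings.py helper: crash at startup rather than run with an unset secret."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value

# Constructed sample store and template (hypothetical paths, placeholder values).
SAMPLE_STORE = {
    "company/app/db/user": "app_rw",
    "company/app/db/password": "example-only-not-a-real-password",
    "company/app/api/key": "example-api-key",
}
SAMPLE_TEMPLATE = """\
DB_USER = {{ company/app/db/user }}
DB_PASSWORD = {{ company/app/db/password }}
API_KEY = {{ company/app/api/key }}
"""
```

Running `resolve(parse_template(SAMPLE_TEMPLATE), SAMPLE_STORE.get)` yields the environment the CLI would inject; a settings module can then call `require_env("DB_PASSWORD")` so a missing secret surfaces immediately rather than as a failed database connection later.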
Step 2
Load secrets into your Django app the moment it starts
To automatically load the referenced secrets on startup, all you need to do is include the SecretHub CLI in your Django application launch script.
Before
manage.py runserver
After
secrethub run -- manage.py runserver
To make this work for your Django app in Docker, add the SecretHub binary to your Dockerfile. It is lightweight and works with your favorite package manager. For more information on this topic, see the Docker guide.
Step 3
Control & monitor secret reads done by your Django app
Every time your Django app starts, its secret reads are recorded in the audit log. Restrict the app's access to only the secrets it needs, knowing that you can revoke that access with a single command.
