Skip to content

Latest commit

 

History

History
64 lines (36 loc) · 3.42 KB

env_variables.md

File metadata and controls

64 lines (36 loc) · 3.42 KB

Environment Variables

Reading Environment Variables

import os

# Get an environment variable
api_key = os.getenv('MYAPP_API_KEY')

# Get with a default value if not found
debug_mode = os.getenv('DEBUG', 'False')

Setting Environment Variables in Python

While it's uncommon to set environment variables directly in scripts for deployment purposes, it's useful for testing.

os.environ['MYAPP_API_KEY'] = 'your-api-key'

Using .env Files for Local Development

  • Description: Discuss the use of .env files to manage environment variables during development and how to load these using libraries like python-dotenv.

  • Example: Demonstrate loading a .env file with python-dotenv.

  • Best practice: Securing .env files, such as not checking them into version control and setting proper file permissions. Use .gitignore to exclude .env files from version control.

Environment Variables: A Security Perspective

Understanding the Risks with Environment Variables Environment variables are commonly used in Python scripts to manage configuration and secrets like API keys, database passwords, and other sensitive data. However, their use for storing secrets can pose significant security risks.

Why Environment Variables Can Be Risky for Secrets

  • No Encryption: Environment variables are typically stored in plain text and can be accessed by any process with the right permissions, making them vulnerable to unauthorized access.

  • Access by Other Processes: Other processes running on the same host can potentially access environment variables, leading to security vulnerabilities.

  • Exposure in Logs and Debug Information: Environment variables can accidentally be logged or displayed in error messages or debug outputs, potentially exposing sensitive data.

  • Version Control Exposure: If scripts or configuration files setting environment variables are checked into version control, secrets can be exposed.

Secure Alternatives to Environment Variables

  • Secret Management Systems: Use dedicated secret management tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. These tools provide robust mechanisms for storing, accessing, and managing secrets, including encryption and access controls.

  • Encrypted Configuration Files: Store secrets in configuration files that are encrypted and decrypted by the application at runtime.

  • Runtime Secret Injection: Inject secrets at runtime using orchestration tools like **Kubernetes Secrets **or Docker Secrets, which offer more secure ways to handle sensitive information.

Best Practices for Using Environment Variables

While environment variables are a convenient way to configure applications, they should be used cautiously, especially for sensitive data. Here are some best practices:

  • Avoid Storing Sensitive Data: Do not store secrets or sensitive information in environment variables. Use them for non-sensitive configuration data only.

  • Secure Access and Use: Ensure scripts and applications accessing environment variables are secure and do not inadvertently expose their contents.

  • Environment Separation: Keep development and production environments separate, and avoid sharing environment variables across these environments.

  • Regular Audits: Regularly audit and rotate secrets that are used in your environment to minimize the risks associated with potential exposure.