djangae.contrib.secrets
It's generally bad practice to store secrets in your code, as in the event that the code leaks your site and data could be compromised. djangae.contrib.secrets provides a mechanism to store your project's secrets in various locations outside of the project code itself. The motivation for including this app with Djangae is secure storage of the Django SECRET_KEY value.
Backends
The secrets app provides a few backends for storing your secrets:
- Google Secret Manager - stores your secrets in Google Secrets Manager
- Google Cloud Datastore - stores your secrets in a Cloud Datastore entities. This uses the raw Google Cloud Datastore API rather than Django models due to the requirement of allowing access to secrets from a Django settings file.
- Filesystem - stores your secrets in a plain-text file
Google Secret Manager
The GSM storage backend stores your secrets in a single JSON object in a single GSM secret. The backend takes two required arguments:
project_id- this is the GCP project ID for the GSM servicesecret_id- this is the name of the secret used to store the JSON object
Google Cloud Datastore
The Google Cloud Datastore backend stores your secrets in a singleton datastore entity. The required arguments are:
kind_name- the kind of the entitykey_name- the ID of the entity. This can be an integer or string.namespace- optional namespace for the entity keyproject_id- optional project ID for the client connection
Filesystem
The filesystem backend has a single required argument:
filename- the filename of the JSON file containing the secrets dictionary
Example Usage
You can access secrets using djangae.contrib.secrets.get and passing an appropriate backend instance:
MySecrets = secrets.get(
backend=secrets.FilesystemBackend(filename=filename)
)
print(MySecrets.secret_key)