Ever pondered how you can keep your secrets out of sight. Me too. I am not promising this is 100% but it can be a good start for you.

This is a quick tutorial on storing your secret keys using a .env file and the dotenv package instead of storing it in your .bash_profile or .zprofile. The reason I am against storing your credentials in those files is that they make it hard to work on multiple projects connecting to different databases/ cloud accounts.

I am going to make it short and sweet. I have taken a leaf out of this blog

TLDR - skip to this section

Folder Structure

  • Create a new project folder and change directory into it.
mkdir project_name
cd project_name
  • Let’s create our .env file If you have a git repo remember to GITIGNORE this file !!!!!
touch .env

This is a sort of hidden file, you probably won’t see it in your folder structure. If in doubt you can always run cat .env to view the file contents or ls -a ./project_name to view the project_name folder contents.

Let’s populate our .env file. This can get a bit interesting. I am assuming you’re a bit comfortable with the command line. So just follow me

vim .env

Don’t panic. It’s just vim.

  • Press i to get into INSERT mode.
  • Copy and paste the below.
DATABASE_URL=postgres://username:password@localhost:5432/dbname
AWS_ACCESS_KEY=myaccesskey
AWS_SECRET_ACCESS_KEY=mysecretkey
OTHER_VARIABLE=zanawazhere
  • Press escape
  • Enter :wq to SAVE and QUIT

Wasn’t too hard was it.

  • Let’s create 2 folders such that our directory looks like.
project_name 
     └── parent_folder
            └── child_folder
  • Install dotenv with pip install dotenv

  • Navigate to child_folder cd parent_folder/child_folder

  • add your config.py file in child_folder. Copy the contents below,
# config.py.py
import os
from dotenv import load_dotenv, find_dotenv

# find .env automagically by walking up directories until it's found
dotenv_path = find_dotenv()

# load up the entries as environment variables
load_dotenv(dotenv_path)

DATABASE_URL = os.environ.get("DATABASE_URL")
OTHER_VARIABLE = os.environ.get("OTHER_VARIABLE")

if __name__ == "__main__":
    print(DATABASE_URL)
    print(OTHER_VARIABLE)

If you run config.py you should get, the following output.

postgres://username:password@localhost:5432/dbname
zanawazhere

The point of me having the child and parent folder was to show that the dotenv package will crawl the directory to extract the secrets in .env.

Take it up a level

Now that we got the basics out of the way.

  • Create a utils folder in the project_name folder. mkdir utils
  • Move your config file to be inside the utils directory
  • You can delete the parent_folder and child_folder

Let’s edit the config.py file to look like,

# config.py
import os
from dotenv import load_dotenv, find_dotenv

# find .env automagically by walking up directories until it's found
dotenv_path = find_dotenv()

# load up the entries as environment variables
load_dotenv(dotenv_path)


class Config:
    APP_NAME = "your_app_name"

class DevelopmentConfig(Config):
    DEBUG = True

    DATABASE_URL = os.environ.get("DATABASE_URL")
    OTHER_VARIABLE = os.environ.get("OTHER_VARIABLE")

    AWS_ACCESS_KEY = os.environ.get("AWS_ACCESS_KEY")
    AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY")
    AWS_S3_BUCKET_NAME = 'aws-s3-bucket-name-for-dev'


class TestConfig(Config):
    DEBUG = True
    TESTING = True

    DATABASE_URL = os.environ.get("DATABASE_URL")
    OTHER_VARIABLE = os.environ.get("OTHER_VARIABLE")

    AWS_ACCESS_KEY = os.environ.get("AWS_ACCESS_KEY")
    AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY")


class ProductionConfig(Config):
    DEBUG = False

    DATABASE_URL = os.environ.get("DATABASE_URL")
    OTHER_VARIABLE = os.environ.get("OTHER_VARIABLE")

    AWS_ACCESS_KEY = os.environ.get("AWS_ACCESS_KEY")
    AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY")


class CIConfig:
    SERVICE = 'travis-ci'
    HOOK_URL = 'web-hooking-url-from-ci-service'

All we have done is create a config class which is inherited by the environment classes. The best thing is that we are not hard coding out environment keys in our code.

  • Create a main.py in the project_name folder. Copy and paste the below,
# main.py
import sys
import utils.config as config

if __name__ == '__main__':
    env = 'dev'

    if env == 'dev':
        app = config.DevelopmentConfig
    elif env == 'test':
        app = config.TestConfig
    elif env == 'prod':
        app = config.ProductionConfig
    else:
        raise ValueError('Invalid environment name')

    app.ci = config.CIConfig

    app = config.DevelopmentConfig()
    print(app.DATABASE_URL)
    print(app.OTHER_VARIABLE)
    print(app.AWS_SECRET_ACCESS_KEY)
    print(app.AWS_ACCESS_KEY)

Run your main.py, you should see the output:

postgres://username:password@localhost:5432/dbname
zanawazhere
mysecretkey
myaccesskey

Take a deep breath. That was longer than I thought. I think you should be able to take these concepts and use them in your personal projects.

I hope if you’re a beginner you got a good idea of what I was trying to show. Any feedback is appreciated.