[PYTHON] Password management technology in the GitHub era

Three workarounds to consider before you git commit your password

GitHub is convenient: you can manage your own source code for free. However, on the free plan your source code is published to the whole world. With a paid plan you can keep it private for US$7 a month, but that is fairly expensive, so few people pay for it.

When writing a program that accesses external resources, it is tempting to just write the password into a config file. But think about past incidents. The permission to create cloud servers is worth money: there have been several cases in Japan where EC2 instances were abused for Bitcoin mining. Is it really okay to write that password into config?

In this article, we'll look at techniques for managing passwords properly without committing them to git.

If you are using the aws command, try the following

Amazon Web Services provides the aws command so that each service can be used easily from your local machine. If you are using it, try typing the following command: cat ~/.aws/credentials

>>> cat ~/.aws/credentials
[default]
aws_access_key_id =  XXXXXXXXXXXXXXXXXXXXXZQ
aws_secret_access_key = XXXXXXXXXXXXXXXXXX8a

The key is saved in plain text. Why? Because simply encrypting this file would only obfuscate it, not guarantee security. Even if the credentials were stored encrypted on the local machine, they would have to be decrypted on that same machine before any command could be sent to AWS, so anyone with access to the machine could recover them just as easily. There is therefore no point in encrypting them.

How to not record the password in ~/.aws/credentials

Using `export AWS_CONFIG_FILE=~/path/to/aws.config` and environment variables seems to be a safe way to manage it. (I was taught this by an in-house expert!)

Reference: HowTo: Install AWS CLI - Security Credentials

3 ways to not write the password in source code

Three methods are covered: using the pit library, using .gitignore, and storing the password in an environment variable.

1. Manage passwords using pit

pit is a well-known account management library, available for Python, Ruby and Perl. In Python, the raw password is saved in ~/.pit/default.yaml.

Install


pip install pit
export EDITOR="vim"

Usage example: a.py


# -*- coding: utf-8 -*-
from pit import Pit

# On the first run pit opens $EDITOR so you can fill in the 'token' value;
# afterwards it returns the dict saved in ~/.pit/default.yaml.
token = Pit.get('hipchat_v1',
                {'require': {'token': 'your hipchat access token API v1'}})
print(token)

The first time you run it, Vim starts and prompts you for the token. The value you enter is saved in ~/.pit/default.yaml.

From the second run onward, the saved value is returned without prompting:

Execution result


>>>python a.py 
{'token': 'your token'}

2. Manage passwords using gitignore and import

Place password.py on the server, add it to .gitignore, and import it from the config file.


password.py


# -*- coding: utf-8 -*-
PASSWORD = "HOGEHOGE"

production_config.py


# -*- coding: utf-8 -*-
# password.py (listed in .gitignore) sits in a "password" package directory,
# so it is imported as password.password and stays out of the repository.
from password.password import *
print(PASSWORD)

Execution result


>>> python production_config.py 
HOGEHOGE

3. Manage passwords with environment variables

This method sets the password in an environment variable and reads it with os.environ. For convenience, you would manage the passwords in .bash_profile.

Password setting


export PASSWORD="aiueo"

production_config.py


# -*- coding: utf-8 -*-
from __future__ import absolute_import, unicode_literals
import os

print(os.environ.get('PASSWORD'))

Execution result


>>> python production_config.py
aiueo
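As an added example (not code from the original post), here is a small loader that combines methods 2 and 3: it reads the secret from the environment first, falls back to KEY = "VALUE" lines in a local file, and refuses to read that file unless a .gitignore pattern covers it, so a forgotten ignore rule fails loudly instead of leaking on the next commit. The function names, the simplified .gitignore matching and the sample file contents are assumptions made for this example.

```python
import fnmatch
import os
import tempfile

def is_ignored(relpath, gitignore_text):
    """True if the last matching .gitignore pattern ignores relpath ('#', '*', '/', '!' handled)."""
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        negate = line.startswith('!')
        pattern = (line[1:] if negate else line).lstrip('/')
        if fnmatch.fnmatch(relpath, pattern) or \
                fnmatch.fnmatch(os.path.basename(relpath), pattern):
            ignored = not negate  # later patterns override earlier ones, as in git
    return ignored

def load_secret(name, environ=None, secrets_path=None, gitignore_text=''):
    """Environment first (method 3), then KEY = "VALUE" lines from a git-ignored file (method 2)."""
    environ = os.environ if environ is None else environ
    if environ.get(name):
        return environ[name]
    if secrets_path is None:
        return None
    if not is_ignored(os.path.basename(secrets_path), gitignore_text):
        raise RuntimeError('%s is not covered by .gitignore; refusing to read it' % secrets_path)
    with open(secrets_path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition('=')
            if sep and key.strip() == name:
                return value.strip().strip('"')
    return None

def demo():
    """Constructed inputs mirroring the post; returns (env_hit, file_hit, rejected)."""
    path = os.path.join(tempfile.mkdtemp(), 'password.py')  # same content as the post's file
    with open(path, 'w') as fh:
        fh.write('# -*- coding: utf-8 -*-\nPASSWORD = "HOGEHOGE"\n')
    env_hit = load_secret('PASSWORD', environ={'PASSWORD': 'aiueo'}, secrets_path=path)
    file_hit = load_secret('PASSWORD', environ={}, secrets_path=path,
                           gitignore_text='password.py\n')
    try:  # a secrets file git would track is refused rather than read
        load_secret('PASSWORD', environ={}, secrets_path=path, gitignore_text='*.log\n')
        rejected = False
    except RuntimeError:
        rejected = True
    return env_hit, file_hit, rejected
```

demo() returns ('aiueo', 'HOGEHOGE', True): the environment wins when set, the git-ignored file is read otherwise, and a file that git would track is rejected.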
