Secure your secrets using python-param-store and AWS SSM Parameter Store

Any modern web application contains secrets: database passwords, API keys, credentials for your Stripe integration, etc. To secure these, you use a parameter store with encryption capabilities. In our case: AWS SSM in combination with AWS KMS. We’ve created a Python module that integrates this into your applications with minimal effort.

For obvious reasons, secrets shouldn’t be exposed to the outside world. So don’t do that, right? Don’t print them in your HTML, add them as request parameters or encode them into some kind of response to the end user. You don’t want any sensitive data to be exposed.

However, what about sharing the secrets with your development team? Surely those secrets must be part of the source code, in order to use them in your application, right?

Wrong. That is not necessary. The only places that require those secrets are the runtime environments that actually use them.

Think about it: what if your source code gets exposed by accident, e.g. via a publicly accessible S3 bucket, malware that steals your source code, a stolen laptop or an ex-employee with evil intent? There are countless scenarios that allow these secrets to fall into the wrong hands, just by adding them to your (private) source code.

Don’t add secrets to your source code!

So how to use secrets in your source code, without adding those to the code?

There are several solutions on the market for this. Secret stores like HashiCorp Vault, Azure Key Vault and AWS SSM Parameter Store allow you to store your secrets securely and encrypted; only resources that are explicitly allowed can decrypt and read a secret at run-time in your production environment.

To ease integration in your Python applications, around a year ago we’ve created python-param-store, which allows you to resolve secrets from those secret stores. Either directly via code, or via ‘placeholder’ environment variables that resolve to the secret store at run-time. This makes sure that we don’t leak secrets via environment variables (which is considered harmful).

The library is pluggable to support multiple secret stores. But since we’re deploying most of our infrastructure on AWS, we’ve only created an integration for AWS KMS at this time.
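To show the placeholder idea concretely, here is an added example (not python-param-store’s own code): environment values of the form `ssm://<name>` are resolved through a stand-in for boto3’s SSM client, while plain values pass through. The `ssm://` prefix, the parameter names and the `FakeSSMClient` stub are assumptions made for this example.

```python
"""Resolve ``ssm://`` placeholder environment variables from SSM Parameter Store.

Hypothetical illustration, not python-param-store's own code. The ``ssm://``
prefix, the parameter names and the fake client below are assumptions.
"""
import re
from typing import Dict, Mapping

# Placeholder form assumed for this example: DB_PASSWORD=ssm:///prod/db/password
PLACEHOLDER = re.compile(r"^ssm://(?P<name>/.+)$")


class FakeSSMClient:
    """Constructed stand-in for boto3's SSM client so the example runs offline.

    The real call is boto3.client("ssm").get_parameter(Name=..., WithDecryption=True),
    which has SSM decrypt a SecureString with the KMS key it was encrypted under.
    """

    def __init__(self, parameters: Mapping[str, str]):
        self._parameters = dict(parameters)

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        if Name not in self._parameters:
            # boto3 raises client.exceptions.ParameterNotFound; KeyError stands in here.
            raise KeyError(Name)
        if not WithDecryption:
            raise ValueError("SecureString parameters require WithDecryption=True")
        return {"Parameter": {"Name": Name, "Value": self._parameters[Name]}}


def resolve_environment(env: Mapping[str, str], client) -> Dict[str, str]:
    """Return a copy of ``env`` with every ssm:// placeholder replaced by its secret.

    Plain values pass through untouched. Only parameter *names* live in the
    deployment config; the value is fetched at run-time by a principal whose
    IAM role allows ssm:GetParameter and kms:Decrypt for that parameter and key.
    The result is returned rather than written back into os.environ, so the
    decrypted secret is not re-exposed as an environment variable.
    """
    resolved: Dict[str, str] = {}
    for key, value in env.items():
        match = PLACEHOLDER.match(value)
        if match is None:
            resolved[key] = value
            continue
        response = client.get_parameter(Name=match.group("name"), WithDecryption=True)
        resolved[key] = response["Parameter"]["Value"]
    return resolved
```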

Pull Requests welcome!

Tags used in this article: security, aws, python, devops