Secrets Management
Never hardcode secrets — use env vars, HashiCorp Vault or AWS Secrets Manager, and pre-commit scanning.
```python
# NEVER hardcode secrets
# BAD: literals like these live in git history forever
DB_PASSWORD = "mysecretpassword123"
API_KEY = "sk-live-abc123"

# GOOD: environment variables
import os

# .env file (local dev only, keep it in .gitignore); must run before os.getenv
from dotenv import load_dotenv
load_dotenv()

DB_PASSWORD = os.getenv("DB_PASSWORD")
if not DB_PASSWORD:
    raise ValueError("DB_PASSWORD not set")  # fail closed, never fall back to a default

# HashiCorp Vault (production): authenticate with the pod's service account token
import hvac
client = hvac.Client(url="https://vault.example.com")
with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as f:
    jwt = f.read()
client.auth.kubernetes.login(role="myapp", jwt=jwt)
secret = client.secrets.kv.v2.read_secret_version(
    path="database/creds"
)["data"]["data"]

# AWS Secrets Manager
import boto3
sm = boto3.client("secretsmanager")
val = sm.get_secret_value(SecretId="prod/myapp/db")["SecretString"]
```

Pre-commit hook to prevent accidental commits:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
```

Scan git history for leaked secrets:

```bash
trufflehog git file:///path/to/repo
```
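As an added example (not code from the original page), the resolver below reads a secret from the environment and then from a mounted secret file, failing closed when it is missing, and a small detect-secrets-style check flags credential-looking string literals before they are committed. The `/run/secrets` directory and the 3.0-bit entropy cutoff are assumptions.

```python
import math
import os
import re
from collections import Counter
from pathlib import Path
from typing import List, Mapping, Optional, Tuple

# Assumption: file-based secrets (Docker/Kubernetes mounts) live under /run/secrets.
DEFAULT_SECRETS_DIR = Path(os.getenv("SECRETS_DIR", "/run/secrets"))


def get_secret(name: str, *, required: bool = True,
               env: Optional[Mapping[str, str]] = None,
               secrets_dir: Path = DEFAULT_SECRETS_DIR) -> Optional[str]:
    """Resolve a secret from the environment, then from a mounted file.
    There is deliberately no hardcoded default: a missing required secret fails closed."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        candidate = secrets_dir / name
        if candidate.is_file():
            value = candidate.read_text().strip()
    if value is None and required:
        raise RuntimeError(f"secret {name} is not set in the environment or {secrets_dir}")
    return value


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high, placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Matches `<name containing password/secret/key/token> = "<literal of 8+ chars>"`.
ASSIGNMENT = re.compile(
    r'(?i)([a-z_]*(?:password|passwd|secret|api[_-]?key|token)[a-z_]*)'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']'
)


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for credential-looking string literals.
    The 3.0-bit entropy cutoff is an assumed heuristic; values like "xxxxxxxx" pass."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            hits.append((lineno, m.group(1)))
    return hits
```

Run `find_hardcoded_secrets` over staged files from a pre-commit hook and reject the commit when it returns anything.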
Topic Quiz · 1 question
Test your understanding before moving on
1. What is the most important rule about secrets (API keys, passwords)?
💡 Hardcoded secrets end up in git history forever — use environment variables, Vault, or cloud secrets managers.