Sensitive secrets
Using .secrets files
To safely store sensitive data, Dynaconf also searches for a .secrets file to look for data like tokens and passwords.
Example:
[default]
password = "sek@987342$"
The secrets file supports all the environment definitions supported in the settings file.
IMPORTANT: The reason to use a file is the ability to omit this file when committing to the repository so a recommended should include line.
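A check that fits the note above, as an added example that is not part of the Dynaconf documentation: it reports secrets files that git tracks or that accounts other than the owner can access. The `.secrets` filename prefix is taken from this section's heading; the function names and the sample file are constructed for illustration.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path

SECRETS_PREFIX = ".secrets"  # assumption: prefix taken from the ".secrets files" heading


def tracked_files(repo: Path) -> list[str]:
    """Paths git tracks in `repo` (needs git and a real repository)."""
    out = subprocess.run(["git", "-C", str(repo), "ls-files", "-z"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p]


def audit_secrets(repo: Path, tracked: list[str]) -> list[tuple[str, str]]:
    """Return (relative path, problem) pairs for secrets files under `repo`."""
    tracked_set = set(tracked)
    findings = []
    for path in sorted(repo.rglob(SECRETS_PREFIX + "*")):
        if not path.is_file():
            continue
        rel = path.relative_to(repo).as_posix()
        if rel in tracked_set:
            # The file is in the index, so it will be committed and pushed.
            findings.append((rel, "tracked by git"))
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            # Any group/other permission bit exposes the secret locally.
            findings.append((rel, f"mode {mode:o} accessible beyond owner"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway directory standing in for a repository.
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        secret = repo / ".secrets.toml"
        secret.write_text('[default]\npassword = "constructed-value"\n')
        os.chmod(secret, 0o644)
        # In a real repository, pass tracked_files(repo) instead of this list.
        for rel, problem in audit_secrets(repo, [".secrets.toml"]):
            print(f"{rel}: {problem}")
```

In a real checkout, call `audit_secrets(repo, tracked_files(repo))` from a pre-commit hook or CI job and fail the run when the list is not empty.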
Using Vault server
Vault (vaultproject.io) is a key:value store for secrets, and Dynaconf can load variables from a Vault secret.
Run a Vault server
Run a Vault server, installed locally or via Docker:
$ docker run -d -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -p 8200:8200 vault
Install support for Vault in Dynaconf
$ pip install dynaconf[vault]
In your file or in exported environment variables define:
VAULT_ENABLED_FOR_DYNACONF=true
VAULT_URL_FOR_DYNACONF="http://localhost:8200"
VAULT_TOKEN_FOR_DYNACONF="myroot"
Now you can have keys like and defined in the Vault and Dynaconf will read them.
To write a new secret you can use the http://localhost:8200 web admin and write keys under the secret database.
You can also use the Dynaconf writer via the console:
$ dynaconf write vault -s password=123456