Is there a Python analogue of the Rails encrypted credentials feature?
Rails stores secrets in config/credentials.yml.enc, which is encrypted and hence cannot be edited directly. Rails uses config/master.key or alternatively looks for the environment variable ENV["RAILS_MASTER_KEY"] to encrypt the credentials file. Because the credentials file is encrypted, it can be stored in version control, as long as the master key is kept safe.
To edit the credentials file, run bin/rails credentials:edit. This command will create the credentials file if it does not exist. Additionally, this command will create config/master.key if no master key is defined. Secrets kept in the credentials file are accessible via Rails.application.credentials.
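My idea is:
- keep all secrets encrypted in the repository;
- have master.key only locally (or only as an environment variable);
- pass master.key to the production server manually;
- then pass the other secrets via git through the automated deployment process.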
Best answer
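There is https://github.com/nzaillian/django-encrypted-secrets, which works similarly to Rails' encrypted credentials, but I haven't seen it used in any of the projects I have worked on.
Usually I see os.environ used to access environment variables: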
import os
os.environ['API_USER']
The django-environ package is also popular and is often used together with a .env file.
I haven't used it myself, but dynaconf also seems to be popular.
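The scheme the question describes (secrets encrypted in the repository, master key supplied by an untracked file or an environment variable), shown here as an added example that is not from the original post or from any of the packages mentioned. It assumes Fernet from the `cryptography` package; the file names and the `APP_MASTER_KEY` variable are hypothetical.

```python
import json
import os
from pathlib import Path

from cryptography.fernet import Fernet, InvalidToken

# Hypothetical names chosen for this example, not any real package's layout.
KEY_ENV = "APP_MASTER_KEY"
KEY_FILE = "master.key"
CREDS_FILE = "credentials.json.enc"


def load_master_key(config_dir: Path) -> bytes:
    """Environment variable wins; otherwise use the untracked key file."""
    key = os.environ.get(KEY_ENV)
    if key:
        return key.strip().encode()
    key_path = config_dir / KEY_FILE
    if key_path.exists():
        return key_path.read_bytes().strip()
    raise RuntimeError(f"set {KEY_ENV} or create {key_path}")


def init_master_key(config_dir: Path) -> bytes:
    """Create master.key readable by the owner only and exclude it from git."""
    key = Fernet.generate_key()
    # O_EXCL refuses to overwrite an existing key; 0o600 keeps other users out.
    fd = os.open(config_dir / KEY_FILE, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    with open(config_dir / ".gitignore", "a") as fh:
        fh.write(KEY_FILE + "\n")
    return key


def write_credentials(config_dir: Path, secrets: dict) -> None:
    """Encrypt the secrets; the resulting file is the one that gets committed."""
    token = Fernet(load_master_key(config_dir)).encrypt(json.dumps(secrets).encode())
    (config_dir / CREDS_FILE).write_bytes(token)


def read_credentials(config_dir: Path) -> dict:
    """Decrypt at startup; Fernet authenticates, so tampering is detected."""
    token = (config_dir / CREDS_FILE).read_bytes()
    try:
        plain = Fernet(load_master_key(config_dir)).decrypt(token)
    except InvalidToken:
        raise RuntimeError("wrong master key or tampered credentials file") from None
    return json.loads(plain)
```

On the production server only the key has to be provisioned out of band, either as `master.key` or as the environment variable; the encrypted file arrives with the normal git deployment.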
Regarding a Python-world analogue of the Rails encrypted credentials feature (secure secret storage), we found a similar question on Stack Overflow: https://stackoverflow.com/questions/72287422/