[Fixed]-Django – Is it OK to load secrets / passwords / dynamic values from a cloud service directly in the settings file


There are multiple options for loading this configuration without altering the code.


AWS Secrets Manager helps you protect secrets needed to access your
applications, services, and IT resources. The service enables you to
easily rotate, manage, and retrieve database credentials, API keys,
and other secrets throughout their lifecycle.

Using AWS Secrets Manager, you can change or update the DB host or your secret without changing the code. For example:

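    import boto3

    secret_name = "db_password"
    region_name = "us-west-2"
    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name="secretsmanager",
        region_name=region_name,
    )
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    # The secret text is in the "SecretString" field of the response
    db_password = get_secret_value_response["SecretString"]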


Dot ENV with s3

Dot ENV reads key-value pairs from a .env file and adds them to the environment variables. It is great for managing app settings during development and in production using 12-factor principles.

Create a Dot ENV file with all your secrets and place the file on S3. Before starting the application, pull the file from S3, then start the application.

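    import os
    from dotenv import load_dotenv

    load_dotenv()  # read the .env file pulled from S3 into the environment
    SECRET_KEY = os.getenv("EMAIL")
    db_password = os.getenv("db_password")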

Python Dot ENV

Another option is to just use system environment variables.

    # default_pass must already be defined earlier in the settings file
    db_password = os.getenv('db_password', default_pass)
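The environment-variable and Secrets Manager options above can be combined in one settings helper that refuses to start when a secret cannot be loaded, instead of falling back to a default password. This is an added example, not code from the original answer; `get_secret`, `MissingSecret` and `fetch_from_secrets_manager` are hypothetical names, and the region is the one used in the snippet above.

```python
import json
import os


class MissingSecret(RuntimeError):
    """Raised while settings are imported, so the app does not start without the secret."""


def fetch_from_secrets_manager(secret_id, region_name="us-west-2"):
    # Imported lazily so the settings module still loads where boto3 is absent (dev, CI).
    import boto3
    client = boto3.session.Session().client(
        service_name="secretsmanager", region_name=region_name
    )
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def get_secret(name, env=None, fetch=fetch_from_secrets_manager, json_key=None):
    """Resolve a setting: environment variable first, then the secret store."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value  # explicit override, e.g. a .env file loaded for local development
    try:
        value = fetch(name)
        if json_key is not None:
            # Key/value secrets are stored as one JSON document in SecretString.
            value = json.loads(value)[json_key]
    except Exception as exc:
        # Fail closed; the message names the secret but never contains its value.
        raise MissingSecret(f"could not load secret {name!r}") from exc
    if not value:
        raise MissingSecret(f"secret {name!r} is empty")
    return value


# In settings.py (assumed usage):
# DATABASES["default"]["PASSWORD"] = get_secret("db_password", json_key="password")
```

Passing `fetch` as a parameter lets tests and local runs substitute a stub, so no AWS credentials are needed outside production.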
