Keeping Secrets

Series: the Stack

Keep Secret Keys out of code repositories and off of servers.

Most sites use several APIs or services that require credentials. Always keep those credentials out of code repositories: put the sensitive values into environment variables that the application reads at runtime as needed, and commit only the names of the variables, never their values.

In production on Elastic Beanstalk these values are provided by the EB environment configuration, set through the AWS console or the CLI, so they never exist in the repository. They are still readable by anyone who can open the environment configuration in the console or log in to the instance, so restrict that access as carefully as you restrict access to the repository.

For local development you can export them in your shell environment, but that gets cumbersome when you need to share them with a team or when the values change frequently.

One solution is a small script that reads the values from a file and launches the app with them in its environment:

IMPORTANT: keep these files out of your code repositories by adding their filenames to the .gitignore file before the first commit (git check-ignore localdev.env confirms that the rule matches).

A template can be found here localdev-example.env - copy it to localdev.env (the copy, not the template, is the file that holds real values) and change the values as needed.

localdev.env

NODE_ENV=localdev  
AWS_S3_KEY=<your key>  
AWS_S3_KEY_ID=<your id>  
S3_BUCKET=<your bucket>  
S3_FOLDER=resized/  
S3_REGION=us-east-1  
FACEBOOK_CLIENT_ID=<your id>  
FACEBOOK_CLIENT_SECRET=<your secret>  
TWITTER_CONSUMER_KEY=<your key>  
TWITTER_CONSUMER_SECRET=<your secret>  
ADMIN=true  
DEBUG=loopback:security:*  

Launch script

localdev.sh

#!/bin/sh
# Turn each KEY=VALUE line of localdev.env into an argument for env(1), then
# replace this shell with the requested command so it runs with those values.
# Keep values free of spaces and shell metacharacters: the word splitting
# done by $(...) would break them apart.
exec env $(xargs < localdev.env) "$@"

To run your app or other executables on your local development machine, invoke them through this script:

./localdev.sh node .
./localdev.sh mocha tests/unit.js
./localdev.sh node bin/somescript.js

The application can now read these values from process.env, for example

process.env.FACEBOOK_CLIENT_ID  

Document version 1.1