Hide API keys in Python scripts using python-dotenv, .env, and .gitignore

Captions
Sometimes when you're programming you have code or little bits and pieces that you don't want to share with the entire world, and I'm not talking that just you're embarrassed with your programming. I'm talking about things like API keys, email addresses, passwords, stuff that counts as private. But maybe you still want to post code on the internet, right? Maybe you want to contribute to an open source project, maybe you want to create your own open source project, maybe you want to post example code online, maybe you just want to put some of your homework or something like that up on the web so people know what you're working on.

The issue is, if I post, let's say, this file right here to the internet, suddenly people know a lot of things I might not want them to know about. For example, this is an API key. It's used for accessing a service, and I might, you know, pay money in order to be able to access this service. Someone else takes this API key, they can pretend to be me, run up my bills, all kinds of terrible things. Additionally, down here, it's my email address. Maybe I want to keep my email address private instead of letting anyone on the internet know what it is. Uh, same thing with this password here: if someone has this information, maybe they can log into my account, lock me out of it, steal my stuff, whatever. So the issue is, it's fine when these are on my computer, but if, for example, I commit all of this and push it up to GitHub, I'm going to be in a bad place, because anyone who looks at my code on GitHub is going to be able to get my API key, is going to be able to get my email, is going to be able to get my password.

So what we're going to do in this video is we're going to learn how to use a tool called dotenv in order to hide things like API keys, email addresses, passwords from being visible on GitHub. So the tool is python-dotenv. It's been around for a long time, it's great, it's a delight. The first thing we're going to have to do is we're going to need to install it. So just like everything else in the world of Python, we're going to use pip install in order to pip install it. It's not pip install dotenv, it's pip install python-dotenv. I've already installed it, but I'm just going to run it again because, hey, why not. The Python that you have in Visual Studio Code might not be the same Python you run elsewhere on your computer, places like terminal, places like Jupyter notebooks, things like that. So just run pip install where you normally install it. I'm just running here to keep everything in the same place.

Now what we need to do first is reorganize our code. Right now our API keys, our emails, our passwords are just kind of pushed into everything else. In terms of keeping things clean and nice, I'm going to create some variables up at the top that are my API key, that are my email address, that are my password. And so I'm going to copy them up here, copy it up here, and then I'm going to go back and say this is password, this is email address, and this is API key. One thing to note here, um, is even though this changed color, this is actually not right. What we need to do is go over here and turn it into an f-string. If you're not familiar with f-strings, they're kind of like fill-in-the-blank strings for Python. So this is going to do the same thing it did before, where it just said, hey, here's how the API key works. So if I run this code, it's going to print out that URL with the API key, and it's going to print out this login information here using those variables up top.

Now what we need to do: as long as we have the API key, the email address and the password inside of this .py file, when we upload this .py file to GitHub, everyone's going to be able to see it. What dotenv allows us to do is move it into a separate file, and funnily enough the file's name is .env, um, .env file. So what we're gonna do is, um, there are a few different ways to do this. I like to just right click, new file, .env. Now, files that start with dots are kind of like secret files or private files. They usually don't show up on your file browser, um, and they're just kind of, the dot signals this file is not for mere mortals, it is for people who know what they're doing. It doesn't magically make it disappear. We'll deal with that later on, but just know that there's nothing necessarily special about env or .env except that it's a common way to say this is a special kind of file.

So what we're going to do is we're going to take all of this information and just paste it right into the .env file, and I'm going to say, hey, my API key is this, my email address is this, and my password is this. Easy peasy, nothing crazy going on here, pretty simple, right? All we did was move those declarations into the .env file, and now what we need to do is figure out how to move them from the .env file into this file. In order to do that you need to, you know, read through the documentation here and add these two lines. I'm actually going to end up adding three lines, but we'll start with these two. So what these lines do is the first one says, hey, um, I want to load the dotenv library, um, and this line right here says I want you to load the .env file.

So if we run the code right now as it stands, it's not really going to do anything. You know, my API key is blank, my email is blank, my password's blank. It didn't magically fill in these variables. What it did is it created something called environment variables, and what environment variables are, they're just kind of things that are floating around on your computer that are, I don't know, usable all over the place. Um, they're variables that you don't set in your code, they're just things that your computer knows. In order to get them from your computer, in order to talk to your computer, we're going to use os. So if you go here you can say, oh, this is what it's talking about here: "code of your application which uses the environment variables." So, hidden variables that your computer just knows about.

So for example, one common one that your computer will know about is something called the path. The path is all of the different folders on your computer where, when I type a command, it tries to find the command in those files. So if I run that, it says these are all of the places, this is my secret path environment variable. If I type python, it will search in all of these folders in order to find python. If I type, you know, nvm, it'll search in all those. If I type code, it will search in all of those. They're just variables you don't set in your code that your computer knows about.

Now every one of the ones in here, API key, email address and password, are now in our environment. So I can actually say, hey, give me the API key environment variable, hey, give me the email address environment variable, hey, give me the password environment variable, and now when I run this it works great. Um, dotenv loaded everything from the .env file, threw it into our computer, and now we're able to get it without actually putting the code, without actually putting the API key, email address or password into our Python file.

This is only half the battle, though. We have now successfully moved it out of app.py, but it's still hiding in .env. This becomes an issue when we start to use git or GitHub in order to push our data up. I'm showing you this in GitHub Desktop because it's easy to look at, but, you know, there are plenty of, you know, you could use the command line, anything like that. So right here GitHub Desktop is telling us we have two changed files. One of them is app.py, which looks fine, no more secret information in there, and the other one is .env, which has all of our secret information in there. One thing you could do is just uncheck .env and then, you know, just type all of, uh, you know, a little description about adding app.py, commit, everything's good. The problem is every time you commit you have to remember to not add .env. We have to be very careful to never add this into git, to never send it up to GitHub. I'm pretty forgetful, I'm pretty lazy, so I don't want to have to remember to check or uncheck or whatever this every single time.

In comes another file. This file is called .gitignore. What .gitignore does is it is a list of files that you should not add to git. Now, "should not", it's a little more serious than that: these are files that git will ignore. So if I type .env in this list of files, it's going to be the only file in here for now, but if I type .env in here and I go here, suddenly it's disappeared. Suddenly .env doesn't show up on this list anymore, because the .gitignore knows, hey, git, .env, or .gitignore says .env, hey git, just ignore it, and git says okay, you know, ignoring .env.

You usually add a lot more files than just .env to that. I recommend going to gitignore.io. Got bot didn't work for a while, but it's really easy for me to say I'm using Python, I'm using OS X, I use Visual Studio Code, uh, maybe I use a little bit of Node work every now and again, maybe sometimes I open up stuff on Windows, and it will create a list of all of these files that get ignored. So I'm going to copy and paste this into my .gitignore. And it's not saying that we're ignoring, you know, Python files, Node files, every file that's made on OS X, every file that's made on Windows. It's saying these are common files that show up, such as .env, maybe different env files for test and production, cache files, temporary files, files that you really wouldn't want to add to version control, that aren't really important to you. So it's not just secret files, it's also files that, you know, don't matter at all. Um, and once we push that updated .gitignore, now none of these files will ever, ever, ever be committed to the git repository. So if we had, you know, a second API key, when we had whatever in here, we update that, it doesn't show up on GitHub Desktop, but we can still access another key inside of app.py. So I can print os.getenv another key and it will magically show up. There's our key, it just pulled it straight out of .env. And yeah, that's pretty much how dotenv works. It's very, very useful.

The one thing I will warn you is if you are doing this in a Jupyter notebook, which is probably what you're doing if you're working with APIs, you have to be careful to not, let's say, print out these URLs. So if I'm doing a bunch of data analysis on an API and I save my API keys into .env, it'll work fine, but then if I'm actually printing out all of my URLs, or I'm printing out all of my login info instead of just using it, anyone who looks at my notebook is going to be able to see all of that information. So if you, you know, just use requests to grab that URL, just use whatever library in order to process that information there and never print it out, your life will be a lot better.

One final thing is, because this .env file doesn't live in version control, if you go into your repository, um, and you, you know, everything on your computer disappears and then you clone your repository to a new place, let me publish this, I'll keep it public because why not, if I go here and, let's say, I clone this or I download all of this code, I will no longer have the .env file. So I will no longer have an API key, email address or password. If I want to reuse this code, if I want to move it on my computer or, you know, install it on another computer, I have to make sure I have a .env file. Usually that means you just have to create a new one, but you should pay attention to or keep safe your API key, your email addresses and your passwords, because they're not hanging out on GitHub, for security reasons, um, there, and they will be on your computer until you delete them, until your computer explodes, anything like that. Um, so yeah, keep that .env file safe somewhere else. Uh, but, you know, because you're using the magic of .gitignore and the magic of the dotenv Python library, you are now able to be nice and safe and secure with all of your private stuff here. Also, if you're using Jupyter notebook, just put .env in the same file, or in the same folder as your notebook, and you'll be good to go. All right, that's it.
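The two failure modes the video warns about (a .env file that is not ignored, and a secret printed into a saved notebook) can be checked before a commit. This is an added example, not code from the video; the variable names, file names and all values are constructed, and the .env reader is a simplification rather than python-dotenv's own parser.

```python
import fnmatch
import json

# Constructed sample files; every value below is made up for this example.
ENV_TEXT = (
    "API_KEY=abc123-constructed-key\n"
    "EMAIL_ADDRESS=me@example.com\n"
    'PASSWORD="hunter2-constructed"\n'
)
GITIGNORE_TEXT = "__pycache__/\n*.pyc\n.env\n"
APP_PY = 'import os\nfrom dotenv import load_dotenv\n\nload_dotenv()\nAPI_KEY = os.getenv("API_KEY")\n'
NOTEBOOK = json.dumps({"cells": [{
    "cell_type": "code",
    "source": ["print(url)"],
    "outputs": [{"output_type": "stream",
                 "text": ["https://api.example.com/?key=abc123-constructed-key\n"]}],
}]})


def parse_env(text):
    """Minimal KEY=VALUE reader (a simplification, not python-dotenv's parser)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def env_is_ignored(gitignore_text, name=".env"):
    """Rough check that a .gitignore pattern matches the file name.
    Negation and directory rules are skipped; `git check-ignore -v .env` is authoritative."""
    patterns = (p.strip().lstrip("/") for p in gitignore_text.splitlines())
    return any(p and not p.startswith(("#", "!")) and fnmatch.fnmatch(name, p) for p in patterns)


def find_leaks(secrets, files, min_len=6):
    """Return sorted (file, variable) pairs where a secret's value appears in a file's text."""
    return sorted((fname, key) for fname, text in files.items()
                  for key, value in secrets.items()
                  if len(value) >= min_len and value in text)


if __name__ == "__main__":
    secrets = parse_env(ENV_TEXT)
    print(".env ignored:", env_is_ignored(GITIGNORE_TEXT))
    print("leaks:", find_leaks(secrets, {"app.py": APP_PY, "analysis.ipynb": NOTEBOOK}))
```

Here app.py is clean because it only names the variable, while the notebook is flagged because a printed URL saved the key's value in its output.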
Info
Channel: Jonathan Soma
Views: 4,689
Id: YdgIWTYQ69A
Length: 15min 51sec (951 seconds)
Published: Sun Jun 27 2021