There are multiple ways to load secrets.
During development, using the install script or setting the values in your .env file is one of the best options.
For production, the environment should be loaded through a secrets manager, for example one built into your CI/CD process. Be sure whatever process you choose supports secret rotation in line with your security posture.
System settings for Diffgram are loaded from environment variables in settings.py.
If you inspect this file you will see that all of the settings are fetched from environment variables.
To adjust these, either:
- Use a .env file. The Diffgram installer generates this for you (e.g. for a Docker or Kubernetes context).
- Use a secret loading service such as a key vault or another external loading method.
- For development only, optionally use a secrets.py file. See Configuring secrets.py for customizing settings.
Some important assumptions about the settings variable names:
- We assume that all settings variable names are CAPITALIZED, so they are easy to look up among the OS's environment variables.
- Diffgram sets defaults for most of the settings, but it is the SysAdmin's responsibility to set the correct values depending on how Diffgram is used (Dev, Sandbox, Production, Testing, etc.).
Secrets are always loaded from environment variables.
However, those can be set by another program or loaded from another source; here are some of the ways you can load settings in Diffgram.
In our docker compose file, we load all env variables from the .env file located at the project root. This file contains default values for a standard installation; feel free to inspect it to see all the configurations available.
We also offer a Helm Chart for Diffgram. You can configure the env variables by editing the values.yaml of the helm chart.
Here is one example of loading them from a python file before the settings load. This way is useful when doing active development of Diffgram, and is recommended for developers of Diffgram only, not end users.
The settings.py file contains a default import for a file named secrets.py. This file does not exist in the repo and should not be tracked.
One example use case is to set the environment variables depending on the DIFFGRAM_SYSTEM_MODE value or other contextual values of your server. An example of how to set the values for the settings inside secrets.py is the following:

```python
import os

# secrets.py is imported by settings.py before the settings are read, so
# anything written to os.environ here is picked up like any other env variable.
DIFFGRAM_SYSTEM_MODE = os.environ.get('DIFFGRAM_SYSTEM_MODE')

if DIFFGRAM_SYSTEM_MODE in ["testing_e2e", "testing"]:
    os.environ['USER_PASSWORDS_SECRET'] = 'secret_for_test_env'
    os.environ['DB_SECRET'] = 'secret_for_test_env'
    os.environ['SECRET_KEY'] = 'secret_for_test_env'
elif DIFFGRAM_SYSTEM_MODE == 'sandbox':
    os.environ['USER_PASSWORDS_SECRET'] = 'secret_for_sandbox_env'
    # Set any other variables depending on your specific use case...
```
Most of the configuration of our CircleCI build process is managed via environment variables set at the project level and at the context level. If you are proposing or working on improvements to our build system, please check the values of these environment variables first and set them in the UI inside the CircleCI platform.
All secrets in Diffgram are set via environment variables.
FERNET_KEY: this one should be generated with the Fernet library (for example, Fernet.generate_key() from the Python cryptography package).
We have certain default values for secrets in settings.py, but they are for local usage only and are discouraged for production use.
Please make sure to set the secrets as environment variables and to keep strong security policies for the management of, and access to, your production secrets, database password, access keys, etc.
When DIFFGRAM_SYSTEM_MODE == 'production', secrets are not logged, or are only logged in a safe way.
In development, secrets may be logged.
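To make the points above concrete (CAPITALIZED setting names with development-only defaults, the SysAdmin's responsibility to override them per mode, a properly formed FERNET_KEY, and redaction of secrets in production logs), here is an added example of a startup check. It is not Diffgram's own code: the setting names come from this page, but the default values, the functions generate_fernet_key, is_valid_fernet_key, load_settings and loggable, and the rule of refusing to start in production with missing or default secrets are assumptions for illustration. Key generation mirrors what Fernet.generate_key() from the cryptography package produces (32 random bytes, URL-safe base64 encoded); in a real deployment use the library itself.

```python
import base64
import binascii
import os

# Setting names are CAPITALIZED, matching how Diffgram reads them from the
# OS environment. The default values below are illustrative stand-ins for
# the development-only defaults in settings.py, not the project's real ones.
DEFAULTS = {
    "DIFFGRAM_SYSTEM_MODE": "sandbox",
    "SECRET_KEY": "dev_only_secret_key",
    "DB_SECRET": "dev_only_db_secret",
    "USER_PASSWORDS_SECRET": "dev_only_user_passwords_secret",
    "FERNET_KEY": "",  # no usable default: a real key must be generated
}
SECRET_NAMES = ("SECRET_KEY", "DB_SECRET", "USER_PASSWORDS_SECRET", "FERNET_KEY")


def generate_fernet_key() -> str:
    """32 random bytes, URL-safe base64 encoded: the format Fernet.generate_key() returns."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def is_valid_fernet_key(value: str) -> bool:
    """A Fernet key must decode (URL-safe base64) to exactly 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return False
    return len(raw) == 32


def load_settings(environ) -> dict:
    """Read settings from an environment mapping, falling back to DEFAULTS.

    In production mode every secret must be present and must differ from its
    development default; a malformed FERNET_KEY is rejected in every mode.
    Raises RuntimeError listing all problems so the operator can fix them at once.
    """
    settings = {name: environ.get(name, default) for name, default in DEFAULTS.items()}
    problems = []
    if settings["DIFFGRAM_SYSTEM_MODE"] == "production":
        for name in SECRET_NAMES:
            value = settings[name]
            if not value:
                problems.append(f"{name} is not set")
            elif value == DEFAULTS[name]:
                problems.append(f"{name} still has its development default")
    fernet_key = settings["FERNET_KEY"]
    if fernet_key and not is_valid_fernet_key(fernet_key):
        problems.append("FERNET_KEY is not a 32-byte URL-safe base64 key")
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return settings


def loggable(settings: dict) -> dict:
    """Copy of the settings that is safe to log: secrets are redacted in production."""
    if settings["DIFFGRAM_SYSTEM_MODE"] != "production":
        return dict(settings)  # development mode: the page allows secrets in logs
    return {
        name: (f"<redacted, {len(value)} chars>" if name in SECRET_NAMES else value)
        for name, value in settings.items()
    }


if __name__ == "__main__":
    # Constructed sample environment; a real deployment would pass os.environ.
    sample_env = {
        "DIFFGRAM_SYSTEM_MODE": "production",
        "SECRET_KEY": generate_fernet_key(),
        "DB_SECRET": generate_fernet_key(),
        "USER_PASSWORDS_SECRET": generate_fernet_key(),
        "FERNET_KEY": generate_fernet_key(),
    }
    print(loggable(load_settings(sample_env)))
    try:
        load_settings({"DIFFGRAM_SYSTEM_MODE": "production"})
    except RuntimeError as err:
        print(err)
```

Running the check at import time of settings.py (or in a container entrypoint) turns a silently insecure production deployment into a failed start, which is the failure mode you want; the same function accepts os.environ directly, whether the variables came from the installer's .env file, the Helm values.yaml, or a secrets manager.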
Secrets are never sent to Diffgram Hub.