Options for storing API keys in config files?

Ambient.Impact

10/6/22, 3:47 PM

I'm working on a project that's using Drupal Commerce and wondering about the possible options to secure the API keys exported as configuration YAML files.

We have the config directory outside of the web root and are fairly careful overall with security, but we currently have those committed to our private Git repository - should those be removed from the repository entirely, regenerated, and added to .gitignore?

189

1 + 1

commerce

configuration

Kevin

10/6/22, 9:51 PM

Use config-ignore module on those config items. You can include a file outside of webroot on the prod server that overwrites the config at runtime with the values. SSH in to create it.

Score:3

Drupal

Jaypan

10/7/22, 2:24 AM

I use the Key module, combined with the Config Split module. You can set up the key module to use a file to store the API values. You can then use the config split module to create a conditional split on the configuration created for your production server. Put the values in the file on the production server, but do not commit that file to GIT. That way it is only on your production server, and not part of the GIT repository. For other non-production environments you can store test data in configuration rather than in a file, so that your test (sandbox) data can be committed to GIT.

0 + 1

Ambient.Impact

10/7/22, 3:13 PM

We're already using Config Split, so I guess we're halfway there already. I'll take a look at the Key module and try to set that up. Thanks!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Options for storing API keys in config files?

TH: ตัวเลือกสำหรับการจัดเก็บคีย์ API ในไฟล์ปรับแต่ง?

RO: Opțiuni pentru stocarea cheilor API în fișierele de configurare?

RU: Варианты хранения ключей API в файлах конфигурации?

VI: Tùy chọn lưu trữ khóa API trong tệp cấu hình?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.