Score:0

Options for storing API keys in config files?


I'm working on a project that's using Drupal Commerce and wondering about the possible options to secure the API keys exported as configuration YAML files.

We have the config directory outside of the web root and are fairly careful overall with security, but we currently have those committed to our private Git repository - should those be removed from the repository entirely, regenerated, and added to .gitignore?

Kevin
Use config-ignore module on those config items. You can include a file outside of webroot on the prod server that overwrites the config at runtime with the values. SSH in to create it.
Score:3

I use the Key module, combined with the Config Split module. You can set up the Key module to use a file to store the API values. You can then use the Config Split module to create a conditional split on the configuration created for your production server. Put the values in the file on the production server, but do not commit that file to Git. That way it is only on your production server, and not part of the Git repository. For other non-production environments you can store test data in configuration rather than in a file, so that your test (sandbox) data can be committed to Git.

We're already using Config Split, so I guess we're halfway there already. I'll take a look at the Key module and try to set that up. Thanks!
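
The runtime-override approach mentioned in the first comment (a file outside the web root that overwrites config values when Drupal boots), as an added example that is not part of the original thread or of any module's own code. The file location, the JSON format, the gateway ID `example_gateway` and the `api_key` key are assumptions chosen for illustration.

```php
<?php
// Fragment for the end of sites/default/settings.php (added example).
// Assumption: secrets live in a JSON file one level above the web root,
// created by hand on the production server and never committed to Git.
// Constructed example content of that file:
//   {"commerce_payment.commerce_payment_gateway.example_gateway":
//     {"configuration": {"api_key": "PLACEHOLDER"}}}

// A closure rather than a named function, so that including settings.php
// more than once in one process cannot cause a redeclaration error.
$load_secret_overrides = static function (string $path): array {
  // No file (e.g. a development machine): keep the values from exported
  // config, which should only ever be sandbox/test credentials.
  if (!is_file($path)) {
    return [];
  }
  // Fail closed if any other local user can read or write the live keys.
  if ((fileperms($path) & 0007) !== 0) {
    throw new \RuntimeException("Secrets file $path must not be world-accessible.");
  }
  $data = json_decode(file_get_contents($path), TRUE, 16, JSON_THROW_ON_ERROR);
  if (!is_array($data)) {
    throw new \RuntimeException("Secrets file $path must contain a JSON object.");
  }
  return $data;
};

// $app_root is provided by Drupal before settings.php is included.
$secrets_path = dirname($app_root) . '/secrets/config-overrides.json';
foreach ($load_secret_overrides($secrets_path) as $name => $values) {
  // Merge so that only the secret keys are replaced; everything else in
  // each config object still comes from the exported YAML.
  $config[$name] = array_replace_recursive($config[$name] ?? [], $values);
}
```

Values set through `$config` in settings.php are applied at runtime only and are not written back by a configuration export, so the YAML in the repository can carry an empty or sandbox value. Keys that were already committed remain in the Git history and should be regenerated.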