https://kotlinlang.org logo
#ktor
Title
# ktor
t

tseisel

06/22/2019, 10:40 AM
I'm using Ktor with Gradle. I have some secret credentials (API keys) that I don't want to be commited to Github. Where should I store those credentials, so that I can retrieve them from my application code ?
k

Kenneth

06/22/2019, 10:59 AM
System/Environment variable?
Or something like Vault
t

tseisel

06/22/2019, 11:35 AM
That's what I did : I stored plaintext API keys in a local, not checked
credentials.gradle.kts
file. My
build.gradle.kts
apply it and set the keys as environment variables in the application
run
task. Then those are available at runtime with
System.getEnv("my_api_key")
. Is there a simpler way ? Also, aren't environment variables easy to read for attackers ?
m

Mike

06/22/2019, 3:24 PM
Yes, IF they can get access to the containers. But at some point, the credentials have to be readily available to the service. But this is also why services shouldn't share vaults, DB etc as much as possible so that if one service is compromised, it isn't the entire system that's at risk. Using Environment variables is quite common as a result as it's language agnostic. All languages have some way of reading environment variables easily.
l

lenqnr

06/23/2019, 7:20 AM
If you're deploying your app in the AWS Elastic Beanstalk, then the recommended way of doing this is storing your secret files into a S3 bucket. And you can get the files before lauching your app using a .ebextensions config file. I think the best way depends on what platform you're using for hosting your services. Using environment variables is good enough, but it may not be a perfect solution. Environment variables are probably visible in your management console or in instance logs.
6 Views