I'm using Ktor with Gradle. I have some secret credentials (API keys) that I don't want to be commited to Github. Where should I store those credentials, so that I can retrieve them from my application code ?

System/Environment variable?

That's what I did : I stored plaintext API keys in a local, not checked

credentials.gradle.kts

file. My

build.gradle.kts

apply it and set the keys as environment variables in the application

run

task. Then those are available at runtime with

System.getEnv("my_api_key")

. Is there a simpler way ? Also, aren't environment variables easy to read for attackers ?

Yes, IF they can get access to the containers. But at some point, the credentials have to be readily available to the service. But this is also why services shouldn't share vaults, DB etc as much as possible so that if one service is compromised, it isn't the entire system that's at risk. Using Environment variables is quite common as a result as it's language agnostic. All languages have some way of reading environment variables easily.

If you're deploying your app in the AWS Elastic Beanstalk, then the recommended way of doing this is storing your secret files into a S3 bucket. And you can get the files before lauching your app using a .ebextensions config file. I think the best way depends on what platform you're using for hosting your services. Using environment variables is good enough, but it may not be a perfect solution. Environment variables are probably visible in your management console or in instance logs.