Storing the secrets (passwords) in a separate file

I think storing credentials inside another *py file is your safest bet. Then just import it. Example would look like this

config.py

username = "xy"password = "abcd"

main.py

import configlogin(config.username, config.password)

I was dealing exactly the same question and actually ended up with the same solution as kecer suggested. Since I need to use it in dozens of scripts, I've created own library. Let me share this solution with you.

credlib.py -- universal library to handle credentials

class credential:    def __init__(self, hostname, username, password):        self.hostname = hostname        self.username = username        self.password = password

mycredentials.py -- my local file to store all credentials

from credlib import credentialsys_prod = credential("srv01", "user", "pass")sys_stg = credential("srv02", "user", "pass")sys_db = credential("db01", "userdb", "passdb")

mysystemlib.py -- this is a general library to access my system (both new credential system and legacy is supported)

from credlib import credentialdef system_login(*args): # this is new function definition#def system_login(hostname, username, password): # this was previous function definition    if len(args) == 1 and isinstance(args[0], credential):        hostname = args[0].hostname        username = args[0].username        password = args[0].password    elif len(args) == 3:        hostname = args[0]        username = args[1]        password = args[2]    else:        raise ValueError('Invalid arguments')    do_login(hostname, username, password) # this is original system login call

main.py -- main script that combines credentials and system libs

from mycredentials import sys_stg, sys_dbimport mysystemlib...mysystemlib.system_login(sys_stg)

Please note that the legacy hostname/username/password way still works so it does not affect old scripts:

mysystemlib.system_login("srv02", "user", "pass")

This has a lot benefits:

• same credential system across all our python scripts
• files with passwords are separated (files can have more strict permissions)
• files are not stored in our git repositories (excluded via .gitignore) so that our python scripts/libs can be shared with others without exposing credentials (everyone defines their own credentials in their local files)
• if a password needs to be changed, we do it at a single place only

Personally I prefer to use yaml files, with the pyyaml library.Documentation here: https://pyyaml.org/wiki/PyYAMLDocumentation

Creating a .gitignore rule is very quick and painless and there is zero chances of making a mistake. You can added the rule with echo on Linux / UNIX like system with:

echo -e '*.yaml\n*.yml' >> .gitignore

Below is an example of retrieving the settings from a settings .yaml file in the same folder / location of the reader.

Code Snippets:

#!/usr/bin/env python3import yamlfrom pathlib import Pathdef get_settings():    full_file_path = Path(__file__).parent.joinpath('settings.yaml')    with open(full_file_path) as settings:        settings_data = yaml.load(settings, Loader=yaml.Loader)    return settings_data