How to manage MySQL credentials of production server?

0

I have a simple Django application that needs to use a MySQL database. There is a file settings.py which contains a plain Python dictionary where I have to enter the MySQL credentials; it looks like this:

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'django',
        'USER': 'django',
        'PASSWORD': 'django',
        'HOST': 'localhost',
    }
}

On the server (Debian) I use a checkout of the latest git version of my application. In that git repo, I have a branch production which contains the database credentials that I have chosen for this server.

Now I would like to automate the deployment completely. Currently, I use Ansible to do a

git checkout production
git pull origin master
service apache2 restart

which works. The problem is that this database credential patch is on the server only. I would much rather have this patch centrally as well.

  • I thought I could let Ansible do the deployment of the vanilla version and then use Ansible to exchange the PASSWORD line. The downside is that the next run of Ansible would detect that the checkout has been changed and redo everything, making it inefficient.

  • Then I thought about a Debian package for the whole thing. This would require either baking the credentials into the package, which I cannot do since the package is going to be public (to use a Launchpad PPA).

Either way, I probably need to have the credentials in some location where the vanilla deployment would find that, like /etc/myapp/db.ini.

What is a reasonable way to do this?

Martin Ueding

Posted 2014-11-18T18:59:12.030

Reputation: 1 857
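The loader below is an added example, not code from the question or from Django; it shows the /etc/myapp/db.ini approach the question ends on, so that the git checkout can stay vanilla and the credentials live only on the server (or get pushed there by Ansible from an encrypted source). The [database] section layout, the MYAPP_DB_CREDENTIALS override variable and the sample file contents are assumptions made for the example. It refuses any credentials file that is group- or world-accessible, which is the check most often forgotten when secrets move out of the repo and into /etc.

```python
import configparser
import os
import stat
import tempfile

# Assumed default location, following the question's suggestion of /etc/myapp/db.ini.
# MYAPP_DB_CREDENTIALS is a hypothetical override used here for testing and staging.
DEFAULT_CREDENTIALS_FILE = "/etc/myapp/db.ini"

# Constructed sample content for the example; the section/option names are assumptions.
SAMPLE_INI = """\
[database]
name = django
user = django
password = s3cret-example-only
host = 127.0.0.1
"""


def check_file_permissions(path):
    """Refuse to load a credentials file that users other than the owner can access.

    The intended deployment is owner = the Apache worker user, mode 0400 or 0600.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is group- or world-accessible (mode {stat.S_IMODE(mode):04o}); "
            "chmod 0600 it"
        )


def load_database_settings(path=None):
    """Build the Django DATABASES dict from an INI file kept outside the git checkout."""
    path = path or os.environ.get("MYAPP_DB_CREDENTIALS", DEFAULT_CREDENTIALS_FILE)
    check_file_permissions(path)
    # interpolation=None so a '%' in a password is not treated as a format directive.
    parser = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    section = parser["database"]
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": section["name"],
            "USER": section["user"],
            "PASSWORD": section["password"],
            "HOST": section.get("host", "localhost"),
            "PORT": section.get("port", "3306"),
        }
    }


def try_load(path):
    """Return the settings, or None if the file was rejected for being too permissive."""
    try:
        return load_database_settings(path)
    except PermissionError:
        return None


def write_sample_credentials(mode=0o600):
    """Write the constructed SAMPLE_INI into a fresh temp dir with the given mode.

    Used only to exercise the loader offline; returns the path of the written file.
    """
    directory = tempfile.mkdtemp(prefix="myapp-")
    path = os.path.join(directory, "db.ini")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INI)
    os.chmod(path, mode)  # os.open applies the umask, so set the mode explicitly
    return path


if __name__ == "__main__":
    good = write_sample_credentials(0o600)
    print("0600 file loaded, host =", load_database_settings(good)["default"]["HOST"])
    bad = write_sample_credentials(0o644)
    print("0644 file accepted?", try_load(bad) is not None)
```

In settings.py this reduces to `DATABASES = load_database_settings()`, and the same settings.py can ship in the public branch or Debian package because it contains no secret. The file itself can then be placed by the Ansible play that does the checkout, sourced from an encrypted variable store rather than from the repository.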

Answers

-1

Secrets management is an extremely difficult problem. You don't ever want cleartext passwords in code.

There are a few tools out there for handling secrets, including Ansible Vault, Hashicorp Vault, and Keywhiz. I personally store secrets in S3 using KMS for encryption.

It's a difficult problem with several tools popping up to try to solve it. I would not presume to know the best solution for you, but I would advise looking at the various secrets management tools and select one that fits your needs.

MillerGeek

Posted 2014-11-18T18:59:12.030

Reputation: 183

This is a good comment, it just isn't a comment. Superuser is not a discussion forum, this would be a great response in a discussion forum, this just doesn't answer the author's question. – Ramhound – 2015-08-23T16:47:05.303

Thanks for the feedback. A bit new to contributing here, and I don't have enough rep yet to comment – MillerGeek – 2015-08-23T16:50:56.603

So earn the reputation in order to comment on other people's questions; what you don't do is post comments as answers because you can't submit comments. My first comment has a typo, it was supposed to say "great comment, it just isn't an answer", not whatever I said. – Ramhound – 2015-08-23T17:01:10.863