Yes, that is a major problem when you publish code, so there are a few strategies people use:
Secrets Config Never Checked In
Don’t put the key directly in the app.py file (or wherever you use it). Instead, you create another module called…secrets.py or something. Now in that module, you can put testing keys that aren’t risky in any way, but honestly I would just never check that file in at all. To do that, add it to the .gitignore so you can never check it in:
# .gitignore contents
config/secrets.py
Now, put your keys in that file, something like this:
# placeholder values; the real keys go here, in the file git never sees
secret_app_key = 'asdfasdfsdfasdfasfasdf'
aws_key = 'asdfasdfasdfasdfasdf'
And so on, you can even create different secrets for different modes. Maybe you want production and testing keys:
import os

# pick the key based on the environment the app was started in
if 'PROD' in os.environ:
    secret_app_key = 'asdfasdfasdfasdfasdfasfasdf'   # real production key, never committed
else:
    secret_app_key = 'TESTING KEY'                    # harmless value for local runs
Then when you run it in production you have to add PROD to your environ in bash like this:
$ PROD=1 ./bin/app.py
Alright, now your secrets are safely in this other file that never touches your gits. When you deploy you have to put that file on your servers, so you’d keep it somewhere else safe (see the next section on that). Then, in your app.py do this:
# the gitignored config/secrets.py from above; importing it as a top-level module
# named `secrets` would shadow Python's standard-library `secrets` module
from config import secrets
APP_KEY = secrets.secret_app_key
Now you can check all your code in except the sensitive stuff and you’re good to go. Can’t get your keys if they are never online.
The GPG Method
Problem is, you need to store this information somewhere, so while maybe you should never store it on github, you might want to put it on AWS, Dropbox, or similar. Well, if you do store it somewhere, you’ll want to encrypt it with GnuPG. First, follow https://help.github.com/articles/generating-a-new-gpg-key/ to set up your GPG key if you haven’t. Then you can do this to encrypt the secrets:
gpg -r youremail@mail.com --encrypt secrets.py
# later, on the machine that deploys, recover it with the matching private key:
gpg --decrypt secrets.py.gpg > secrets.py
That’ll create a file called secrets.py.gpg that is encrypted so that only you can open it with your private key. You can then safely put this secrets.py.gpg key on some kind of storage to get at it for deployment, and probably check it into github but I’d only do that if you are using a private repo.
WARNING: These instructions are mostly from memory so let me know if you find mistakes.
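Added example, not code from the post above: a small, testable version of the "secrets file never checked in" pattern. It assumes the gitignored module lives at config/secrets.py and defines SECRET_APP_KEY, that a real SECRET_APP_KEY may also arrive through the environment (handy on servers that never receive the file), and that PROD is the switch the post describes. The .gitignore text and the secrets file contents are constructed here so it runs without a repository. It goes a bit beyond the post in two ways a practitioner wants: it checks that the secrets path actually matches a .gitignore pattern (a typo there is how keys leak), and in PROD it refuses to start with the placeholder key instead of silently running with it.

```python
import importlib.util
import os
import re
import tempfile

# Placeholder that is safe to keep in version control. The real key never is.
TESTING_KEY = "TESTING KEY"

# Constructed .gitignore text for the example (not a real repository's file).
GITIGNORE = """# secrets live outside git
*.pyc
/config/secrets.py
!config/secrets.example.py
"""


def _gitglob_to_regex(pat):
    """Translate one .gitignore glob into a regex: '*' and '?' stop at '/',
    '**' crosses directories. Enough for the patterns people usually write."""
    out = []
    i = 0
    while i < len(pat):
        if pat.startswith("**", i):
            out.append(".*")
            i += 2
        elif pat[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pat[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pat[i]))
            i += 1
    return "".join(out)


def is_ignored(gitignore_text, path):
    """True if `path` (forward slashes, relative to the repo root) would be
    ignored by `gitignore_text`. Later patterns override earlier ones, '!'
    negates, a pattern containing '/' is anchored at the root, and matching
    a leading directory ignores everything beneath it."""
    parts = path.split("/")
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pat = line[1:] if negate else line
        anchored = "/" in pat.rstrip("/")
        rx = re.compile(_gitglob_to_regex(pat.strip("/")))
        # Candidates: every run of consecutive components; only root-started
        # runs when the pattern is anchored.
        starts = [0] if anchored else range(len(parts))
        hit = any(rx.fullmatch("/".join(parts[i:j]))
                  for i in starts for j in range(i + 1, len(parts) + 1))
        if hit:
            ignored = not negate
    return ignored


def load_secrets(env, secrets_path):
    """Resolve the app key for this run. Precedence: SECRET_APP_KEY in the
    environment, then the gitignored module at secrets_path, then the
    placeholder. With PROD set, a placeholder means the secrets file never
    reached the server, so refuse to start rather than run with it."""
    prod = "PROD" in env
    key = env.get("SECRET_APP_KEY")
    if key is None and os.path.exists(secrets_path):
        # Load by path under a private module name: a top-level module called
        # `secrets` would shadow Python's standard-library `secrets` module.
        spec = importlib.util.spec_from_file_location("app_secrets", secrets_path)
        mod = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(mod)
        key = getattr(mod, "SECRET_APP_KEY", None)
    if key is None:
        key = TESTING_KEY
    if prod and key == TESTING_KEY:
        raise RuntimeError("PROD is set but no real SECRET_APP_KEY is available")
    return key


def demo():
    """Exercise the checks in a throwaway directory and return the results.
    The secrets file written here is constructed; it holds no real key."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "config", "secrets.py")
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as f:
            f.write("SECRET_APP_KEY = 'example-prod-key'\n")
        missing = os.path.join(root, "missing.py")
        try:
            load_secrets({"PROD": "1"}, missing)
            refused = False
        except RuntimeError:
            refused = True
        return {
            "file_ignored": is_ignored(GITIGNORE, "config/secrets.py"),
            "example_ignored": is_ignored(GITIGNORE, "config/secrets.example.py"),
            "test_key": load_secrets({}, missing),
            "file_key": load_secrets({"PROD": "1"}, path),
            "env_wins": load_secrets({"PROD": "1", "SECRET_APP_KEY": "from-env"}, path),
            "prod_refuses": refused,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see each check; `is_ignored` is the piece worth wiring into a pre-commit hook or a test, fed the repository's real .gitignore and the real secrets path, so a rename of the secrets file cannot quietly put it back under version control.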