1

My goal is to be able to develop/add features locally, then create a local Docker build and create a container using the Bitbucket Pipeline Repo Variables. I don't want to hard-code any secrets on the host machine or inside the code. I'm trying to access some API keys hosted in the Bitbucket pipeline repo variables.

Anyone know how to do this? I am thinking some script inside the Dockerfile that will create environment variables inside the container.

Chris

1 Answer

1

You can pass these variables to your container as environment variables when you run the container with the `-e` flag (see: this question); you could use the Bitbucket variables at this point. When you do this, the variables are available in your Docker container, but of course you will then still have to be able to use them in your Python script, I suppose?

You can easily do that like this:

```python
import os
variable = os.environ['ENV_VARIABLE_NAME']
```

If you do not want to pass the variables in plain text to the commands like this, you could also set up a MySQL container linked to your Python container which provides your application with the variables. This way everything is secured, dynamic and not visible from anywhere except to users with access to your database and can still be modified easily. It takes a bit more time to set up, but is less of a hassle than an .env file.

I hope this helps you

Sven Hakvoort
  • thanks for the answer. I've thought of that but I don't want the values in the process list, history, logs, etc. There may not be a way to do this. I might have to have a env file or pass the values with the `-e` flag. – Chris Dec 06 '18 at 14:57
  • 1
    I don't know if it is an option for you, but I encountered a similar issue in one of my own projects. I store all the keys and secrets in a database and query them from my application. This way it is all stored securely and not visible anywhere and you can easily change it when you want and spares you the hassle of an env file – Sven Hakvoort Dec 06 '18 at 19:23
  • 1
    @Chris, yeah but that will of course not allow you to access them within your application. I meant more like a second database (i.e. a MySQL container linked to your Python container) which can be queried for the API keys :) – Sven Hakvoort Dec 06 '18 at 19:42
  • Wouldn't the db creds be in the compose file? – Chris Dec 06 '18 at 20:00
  • 1
    @Chris, yes they would. But if you set up your database to not publish any ports it will only be accessible from within your Python container or the MySQL container itself. Preventing any outside access with these credentials. If you also want to use phpMyAdmin for altering the database you would have to make sure that this account is only usable from the localhost, limiting any outside access with these credentials – Sven Hakvoort Dec 06 '18 at 20:05
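
Added example, not part of the original question or answers: a small launcher for the `-e` approach discussed above that passes only variable names to `docker run`, so the values do not appear in the command line, process list or shell history. It assumes the variables are already exported in the launching environment (as repository variables are inside a Bitbucket Pipelines step); the names `API_KEY`, `API_SECRET` and the image `myapp:local` are hypothetical.

```python
import os
import subprocess

# Hypothetical names for illustration; use your own repository variable names.
SECRET_NAMES = ["API_KEY", "API_SECRET"]


def build_docker_run(image, secret_names, source_env):
    """Build a `docker run` argv that carries secret names but no values.

    `-e NAME` without `=value` makes the docker CLI copy NAME from its own
    environment into the container, so the value never reaches argv.
    """
    missing = [n for n in secret_names if not source_env.get(n)]
    if missing:
        # Fail closed, and report names only, never values.
        raise RuntimeError("missing secret variables: " + ", ".join(missing))

    argv = ["docker", "run", "--rm"]
    for name in secret_names:
        argv += ["-e", name]
    argv.append(image)
    return argv


def redact(text, secret_names, source_env):
    """Mask any secret value in text before it is written to a log."""
    for name in secret_names:
        value = source_env.get(name)
        if value:
            text = text.replace(value, "***" + name + "***")
    return text


if __name__ == "__main__":
    argv = build_docker_run("myapp:local", SECRET_NAMES, os.environ)
    print("running:", " ".join(argv))  # safe to log: names only
    # The child inherits this process's environment, which holds the values.
    result = subprocess.run(argv, capture_output=True, text=True)
    print(redact(result.stdout + result.stderr, SECRET_NAMES, os.environ))
```

Inside the container the application still reads the values with `os.environ[...]` as in the answer. The values remain visible to anyone who can run `docker inspect` on the container.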