In the Pyramid web framework, how do I source sensitive settings into development.ini / production.ini from an external file?

Question

I\'d like to keep development.ini and production.ini under version control, but for security reason would not want the sqlalchemy.url conn

Answer 1

I found this way for loading secrets from a extra configuration and from the env.

from pyramid.config import Configurator
from paste.deploy import appconfig
from os import path

__all__ = [ "main" ]


def _load_secrets(global_config, settings):
    """ Helper to load secrets from a secrets config and
        from env (in that order).
    """
    if "drawstack.secrets" in settings:
        secrets_config = appconfig('config:' + settings["drawstack.secrets"],
                                    relative_to=path.dirname(global_config['__file__']))

        for k, v in secrets_config.items():
            if k == "here" or k == "__file__":
                continue
            settings[k] = v

    if "ENV_DB_URL" in global_config:
        settings["sqlalchemy.url"] = global_config["ENV_DB_URL"]


def main(global_config, **settings):
    """ This function returns a Pyramid WSGI application.
    """

    _load_secrets(global_config, settings)

    config = Configurator(settings=settings)
    config.include('pyramid_jinja2')
    config.include('.models')
    config.include('.routes')
    config.scan()
    return config.make_wsgi_app()

The code above, will load any variables from the value of the config key drawstack.secrets and after that it tries to load DB_URL from the enviornment.

drawstack.secrets can be relative to the original config file OR absolute.