devops python

1Password - dev tool

Marcelino Veloso III,

This recipe has become a recent standard in my justfile:

dumpenv:
  op inject --input env.example \
    --output .env

The env.example referred to looks like this:

DJANGO_DEBUG=True
DJANGO_SECRET_KEY=op://dev/lawsql/credential
CURATED_TOKEN=op://dev/lawsql/curated/token
LAWDATA_URL=op://dev/lawsql/lawdata/url

The secrets themselves are absent from the file. Each sensitive value is instead a reference to the actual secret.

They're stored in a 1Password vault within my local machine. The op inject command grabs a copy of these secrets and "injects" them into the output .env.

It would be nice to not dump these into the file and just use the reference as is, but this takes too much time in practice. For instance, I could use the op run invocation:

# Sample use in Django
op run --env-file="./env.example" \
  -- python manage.py runserver

But there would be some annoying seconds of delay. The seconds add up.

I can see myself using a variant of secrets management for more involved projects, but for smaller ones I like the simple ability to dump from a central and local store. The definitive benefit to me is being able to collect all secrets for a given project and organize them securely, e.g. "all project X secrets go here". I'd rather not rely on a text file. Or worse, a shareable file like Google Docs. So it's a matter of taking a few minutes to create a 1Password item and creating sections for grouped data.
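Because env.example is the file that gets shared while .env holds the injected plaintext, a small pre-commit check can confirm the template carries only op:// references and that the output file is owner-only. This is an added example, not code from the original post; the function names, the list of sensitive key words and the sample template are assumptions.

```python
import os
import re
import stat

# op://<vault>/<item>/[<section>/]<field>: three or four path segments.
OP_REF = re.compile(r"^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$")
# Assumption: keys with these words in their name must never hold a literal.
SENSITIVE = re.compile(r"SECRET|TOKEN|KEY|PASSWORD|CREDENTIAL|URL", re.I)


def lint_template(text):
    """Return (line_no, key, problem) for each risky line in an env template."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        if not sep:
            findings.append((no, key, "not KEY=VALUE"))
        elif value.startswith("op://"):
            if not OP_REF.match(value):
                findings.append((no, key, "malformed op:// reference"))
        elif value and SENSITIVE.search(key):
            findings.append((no, key, "literal value on a sensitive key"))
    return findings


def output_is_private(path):
    """True when group and others have no permission bits on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# Constructed sample: a template someone edited by hand before committing.
BAD_TEMPLATE = """\
DJANGO_DEBUG=True
DJANGO_SECRET_KEY=constructed-literal-value
CURATED_TOKEN=op://dev/lawsql
"""

if __name__ == "__main__":
    for no, key, problem in lint_template(BAD_TEMPLATE):
        print(f"env.example:{no}: {key}: {problem}")
```

Run lint_template over env.example before committing it, and output_is_private over .env after the dumpenv recipe.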