We've had an incident where a dev accidentally pushed an LLM API key to a public repo, leading to a costly exploit. We're currently exploring options to avoid hardcoding API keys, especially in development environments. We're considering using environment variables or AWS Secrets Manager. What are others doing to securely manage API keys during development without hurting the workflow?
We faced a similar issue a while back, and moving to environment variables was a game-changer for us. We maintain a .env file that is excluded from version control with .gitignore. This way, developers can set their own keys locally without the risk of exposing them. Just make sure to communicate clearly on how to set up their environments to avoid confusion.
These days, I often use GitHub Actions with encrypted secrets for deployment. It allows me to store and access keys securely in CI/CD pipelines without hardcoding them into the source code. Works quite well for us as it keeps keys secure and isolated.
Have you looked into HashiCorp Vault? It's great for managing secrets and can integrate with many tools/cloud services. It’s a bit of an overhead to set up initially, but worth it for more significant projects needing utmost security.
We evaluated several options and landed on AWS Secrets Manager. It integrates smoothly with our AWS Lambda functions, and accessing secrets programmatically isn't too cumbersome. We also found that its pricing scales well with our usage, as opposed to some third-party services that can get expensive quickly.
What are the potential security risks of using environment variables? I understand it's a common practice, but are there any scenarios where this approach could still lead to exposure or misuse?
