Following the patterns outlined for 12-Factor Apps, would it be possible to move closer to having backing services credentials stored in the run-time environment and not the code?
The desire is to have “get twitter api key” and not have to manage in code if it's “get development twitter api key” or “get production twitter api key”.
The suggestion from Anvil support is as follows:
For example, if your development app id was 'ABCDEFGHIJKL', you could define a function called `load_secrets`:
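```python
import anvil.secrets

def load_secrets():
    # Pick the secret name based on which app (environment) is running
    if anvil.app.id == "ABCDEFGHIJKL":
        data_key = anvil.secrets.get_secret('dev_data_key')
    else:
        data_key = anvil.secrets.get_secret('prod_data_key')
    return data_key
```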
I suggest exploring options where the application code does not need to know which key id to look up (i.e. avoid “Get development twitter api key”).
Two suggestions:
(1) Prepend the app id to the secrets section of the YAML

```yaml
ABCDEFGHIJKL_secrets:
  my_api_key:
    value: {? '' : encrypted_key_value_for_env_1}
    type: secret
MNOPQRSTUVWXYZ_secrets:
  my_api_key:
    value: {? '' : encrypted_key_value_for_env_2}
    type: secret
```

Then you can fetch the DEV anvil.yaml, via git, and include both secret libraries in a single yaml, and Anvil will load the right one at start up.
(2) Add AppId as a field in the Secrets yaml spec (variation on the above)
```yaml
secrets:
  ABCDEFGHIJKL:
    my_api_key:
      value: {? '' : encrypted_key_value_for_env_1}
      type: secret
  MNOPQRSTUVWXYZ:
    my_api_key:
      value: {? '' : encrypted_key_value_for_env_2}
      type: secret
```
In both cases, the secrets service loads the dictionary of encrypted values based on anvil.app_id
and the application code is simply

```python
anvil.secrets.get_secret('my_api_key')
```
Thanks for any consideration.
Cheers,
Tyler
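
Until something like the proposal above exists, the environment choice can be confined to one wrapper so that application code only ever asks for `my_api_key`. This is an added example, not part of the original post or Anvil's code. `ENV_BY_APP_ID`, `make_get_secret` and `UnknownEnvironment` are hypothetical names, the app ids are the post's placeholders, and `backend` stands in for `anvil.secrets.get_secret`. Unlike the `else` branch in the support snippet, an unmapped app id raises an error instead of receiving the production key.

```python
from typing import Callable, Mapping

# Placeholder app ids from the post, mapped to a secret-name prefix (assumed
# naming: dev_<name> / prod_<name>, following the support snippet).
ENV_BY_APP_ID = {
    "ABCDEFGHIJKL": "dev",
    "MNOPQRSTUVWXYZ": "prod",
}


class UnknownEnvironment(LookupError):
    """Raised when the running app id is not mapped to an environment."""


def make_get_secret(app_id: str,
                    backend: Callable[[str], str],
                    env_by_app_id: Mapping[str, str] = ENV_BY_APP_ID
                    ) -> Callable[[str], str]:
    """Return get_secret(name) bound to the environment of app_id.

    Inside Anvil, pass anvil.app.id and anvil.secrets.get_secret.
    """
    try:
        env = env_by_app_id[app_id]
    except KeyError:
        # Fail closed: an unmapped app id never falls through to production.
        raise UnknownEnvironment(
            f"app id {app_id!r} has no environment mapping") from None

    def get_secret(name: str) -> str:
        # The environment prefix is added here and nowhere else.
        return backend(f"{env}_{name}")

    return get_secret


if __name__ == "__main__":
    # Constructed stand-in for the Anvil secrets store.
    store = {"dev_my_api_key": "dev-value", "prod_my_api_key": "prod-value"}
    get_secret = make_get_secret("ABCDEFGHIJKL", store.__getitem__)
    print(get_secret("my_api_key"))
```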