Reputation: 65
I have a flask application and I use a config file with some sensitive information. I was wondering how to deploy my application with the config file without releasing the sensitive information it holds.
Upvotes: 1
Views: 5563
Reputation: 7218
I have deployed my Flask web app API on Azure. I have a lot of config files, for which I have created a separate directory where I keep all my config files. This is what my project directory looks like:

    configs
    -> app_config.json
    -> client_config.json
    logs
    -> app_debug.log
    -> app_error.log
    data
    -> some other data related files
    app.py

app.py is my main Python file, from which I have imported all the config files, and below is how I use it:

    import json
    import os

    # Build the path to the config JSON file that sits next to app.py
    config_file = os.path.join(os.path.dirname(__file__), 'configs', 'app_config.json')
    # Get the config data from the config JSON file
    with open(config_file) as json_data:
        config_data = json.load(json_data)

After this I can easily use config_data anywhere in the code:

    mongo_db = connect_mongodb(username=config_data['MongoUsername'], password=config_data['MongoPassword'], url=config_data['MongoDBURL'], port=config_data['Port'], authdbname=config_data['AuthDBName'])

Upvotes: 0
Reputation: 205
TLDR; Create a class to hold your config secrets, store the actual secrets in environment variables on your host machine, and read in the environment variables in your app.
Detailed implementation below.
This is my folder structure:

    api
    |_config
    |  |_config.py
    |_app.py

Then inside of my app.py, which actually starts my Flask application, it looks roughly like this (I've excluded everything that doesn't matter).

    import os

    from flask import Flask

    from config.config import config

    def create_app(app_environment=None):
        if app_environment is None:
            # No environment passed in: use FLASK_ENV, defaulting to 'dev'
            app = Flask(__name__)
            app.config.from_object(config[os.getenv('FLASK_ENV', 'dev')])
        else:
            app = Flask(__name__)
            app.config.from_object(config[app_environment])
        # Return the configured app so the caller can run it
        return app

    if __name__ == "__main__":
        app = create_app(os.getenv('FLASK_ENV', 'dev'))
        app.run()

This allows you to dynamically specify an app environment. For example, you can pass the app environment by setting an environment variable and reading it in before you call create_app(). This is extremely useful if you containerize your Flask app using Docker or some other virtualization tool.
Lastly, my config.py file looks like this. You would change the attributes in each of my environment configs to your secrets.

    import os

    class ProdConfig:
        # Database configuration
        API_TOKEN = os.environ.get('PROD_MARKET_STACK_API_KEY_SECRET')

    class DevConfig:
        # Database configuration
        API_TOKEN = os.environ.get('API_KEY_SECRET')

    class TestConfig:
        # Database configuration
        API_TOKEN = os.environ.get('MARKET_STACK_API_KEY')

    config = {
        'dev': DevConfig,
        'test': TestConfig,
        'prod': ProdConfig
    }

Further, you would access your config secrets throughout any modules in your Flask application via...

    from flask import current_app
    current_app.config['API_TOKEN']

Upvotes: 4
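An added example (not code from any of the answers above) that combines the two approaches on this page: non-secret settings stay in the JSON file from the first answer, the Mongo credentials come from environment variables as in the second, and startup fails if a secret is missing or is still present in the file. The `APP_` prefix, the environment variable names, the helper names and the sample values are assumptions made for illustration.

```python
import json
import os

# Keys from the first answer's app_config.json that must not live in the file.
SECRET_KEYS = ("MongoUsername", "MongoPassword")


class MissingSecret(RuntimeError):
    """Raised at startup when a required secret is absent from the environment."""


def load_config(json_text, environ=os.environ, prefix="APP_"):
    """Merge non-secret JSON settings with secrets read from the environment.

    Rejects a file that still contains a secret, and fails fast when the
    environment does not supply one (os.environ.get alone would return None).
    """
    settings = json.loads(json_text)
    leaked = [k for k in SECRET_KEYS if k in settings]
    if leaked:
        raise ValueError(f"secrets found in config file: {leaked}")
    for key in SECRET_KEYS:
        env_name = prefix + key.upper()  # assumed naming, e.g. APP_MONGOPASSWORD
        value = environ.get(env_name)
        if not value:
            raise MissingSecret(f"environment variable {env_name} is not set")
        settings[key] = value
    return settings


def redacted(settings):
    """Copy of the settings that is safe to log: secret values are masked."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in settings.items()}


# Constructed sample input: the non-secret part of app_config.json.
SAMPLE_JSON = '{"MongoDBURL": "db.example.internal", "Port": 27017, "AuthDBName": "admin"}'
# Constructed stand-in for os.environ on the host.
SAMPLE_ENV = {"APP_MONGOUSERNAME": "svc_app", "APP_MONGOPASSWORD": "constructed-value"}

if __name__ == "__main__":
    cfg = load_config(SAMPLE_JSON, environ=SAMPLE_ENV)
    print(redacted(cfg))
```

With this split, the JSON file can be committed and deployed with the code, while the credentials are set only on the host or in the deployment platform's settings.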
Reputation: 115
I believe the answer to your question may be more related to where your application is being deployed, rather than which web-framework you are using.
As far as I understand, it's a bad practice to store/track sensitive information (passwords and API keys for example) in your source files and you should probably avoid that.
If you have already committed that sensitive data and you want to remove it completely from your git history, I recommend checking this GitHub page.
A couple of high-level solutions could be:
Upvotes: 2