Simple Way To Protect Your API Key

Karan S. Chauhan
4 min read · Jul 29, 2020

How does this sound? … You find a great API to use for an app idea, you create the app, push your files to GitHub, and the next thing you know is you get fined for having your API key out in the open because someone eventually stole it.

Not so good, huh? Well, that leads me to the creation of this post. As a new student in Flatiron’s bootcamp, I came to the point where I had to create an app with my group using an API. As a Flatiron student finishing the first module, I can confidently say the curriculum focuses on Ruby. However, I’m writing this with the hope that it will come in handy for anyone new to programming.

Although there are countless resources all over the internet about how to hide your API keys from prying eyes, my group and I noticed we made a dire mistake… long after it was made.

Thankfully the damage wasn’t done, and changes were made so that the credentials wouldn’t be visible to the public.

Unfortunately, there have been cases where new developers are fined for the same mistake. For example, on July 2, 2018, a developer was fined $14,000.00 for having an Amazon Web Services API key exposed in his GitHub repository.

Not saying that every fine will be $14 Grand, but hey!… 14 G’s is a lot of money, especially in this “pandemic economy”. So to protect your pockets, here are the steps you must take to keep API keys secured.

1. In your code editor (for this example, I will be using Visual Studio Code), open up the Gemfile and insert the following gem, as indicated on line 10 in the picture below:

gem 'dotenv'

2. Then in your terminal, make sure you’re in the correct directory and run:

bundle install

3. Next, create a .env file at the top level of your project in your code editor. In this file, we’ll create a variable and set it equal to the API key.

4. After creating a variable set to your key, go to the file where you will be running your tests. In this case, I will move into the seeds.rb file.

- Once you’re inside your testing file, include the following code somewhere in the file, as shown below:

a = ENV["any_variable"]

- The “a” can be any variable; I included it for testing purposes. It isn’t required.

  - For example, if you’d like to include a “binding.pry” underneath the code and check that the variable “a” is equal to your API key, you can test it this way.

- The code on the right side of the equals operator is essential.

- Within the brackets I included “any_variable”.

  - Refer to the previous step, where we set the API key equal to the variable “any_variable”.

  - any_variable is the API key.

    - This serves as an initial security measure.

5. Almost done! Next, move into the environment.rb file and include the following code (line 2 in the picture below):

require 'dotenv/load'

6. Finally, make a .gitignore file and place the .env file name within .gitignore:

  • Make a file: .gitignore
  • Enter the .gitignore file and place the following line inside: .env

Once you include the .env filename inside .gitignore, notice that the color of the top-level .env file will turn dark grey. This indicates that once you push the code to a repository on a site like GitHub, the .env file will not be uploaded, so it will not be visible to anyone online.

The .env file is where your API key was, and since no one can see the .env file, no one can peek at your API key.
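As an added example (not the post’s own code, and not the dotenv gem), here is plain Ruby that does what the steps above rely on: a minimal stand-in for what require 'dotenv/load' does, a lookup that fails loudly when the key is missing instead of quietly passing nil to an API client, and a check that .gitignore really lists .env. The key names and file contents are constructed for the example.

```ruby
# Added example, not the post's own code: a minimal stand-in for what
# `require 'dotenv/load'` does, plus the two checks the steps above rely on.
# Key names and file contents here are constructed for illustration.

# Parse .env text into a Hash. Like dotenv, it skips comments and blank
# lines, accepts an optional `export ` prefix, and strips matching quotes.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    line = line.sub(/\Aexport\s+/, '')
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?          # not a KEY=value line
    value = value.strip
    value = value[1..-2] if value =~ /\A(["']).*\1\z/
    env[key.strip] = value
  end
end

# Load a .env file into ENV (or any Hash-like object). As with dotenv,
# values already present win, so a real deployment setting is never
# clobbered by a developer's local file.
def load_dotenv(path, env = ENV)
  parse_dotenv(File.read(path)).each { |k, v| env[k] = v unless env.key?(k) }
  env
end

# The post's `a = ENV["any_variable"]` lookup, but failing loudly when the
# key is missing or blank instead of handing nil to an API client.
def fetch_api_key(name, env = ENV)
  value = env[name].to_s
  raise KeyError, "#{name} is not set; is .env present and dotenv/load required?" if value.empty?
  value
end

# Step 6 check: does .gitignore list .env so it can never be committed?
def env_ignored?(gitignore_text)
  gitignore_text.each_line.any? { |l| l.strip.sub(%r{\A/}, '') == '.env' }
end

# Constructed sample .env contents (the key value is made up).
SAMPLE_ENV = <<~DOTENV
  # keys below are made up for this example
  export API_KEY='sk-example-1234'
  NOTE="has spaces"
  EMPTY=
DOTENV
```

Note that .gitignore only stops future commits: a .env that was already pushed stays in the repository’s history, so that key should be treated as exposed and rotated.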

Secure key… no fines.

Resources:

https://dev.to/juanmanuelramallo/i-was-billed-for-14k-usd-on-amazon-web-services-17fn

https://softwareengineering.stackexchange.com/questions/395128/why-must-api-keys-be-kept-private

https://dev.to/kcarrel/major-key-alert-hide-your-api-keys-l4c

https://cloud.google.com/endpoints/docs/openapi/when-why-api-key
