APIs and Authentication

When we access an API with a script, we usually need to authenticate first. This is usually done with an API key. You may retrieve this key from a device or service using a script, Postman, or a website.

This key is as powerful as a username and password, so it must be kept secure. So how do we use this in a script? Often it’s ‘hard-coded’ into the script, but that has serious downsides. For one, other people will likely read your code. For another, if your script is stolen or accidentally shared, whoever has it can read the key.

One way we can improve security is to generate the key with limited access to the system. For example, if we only need to read, then give the key read-only access. This limits the impact if the key is stolen.

That won’t always work though, as sometimes we need full access. So, one alternative is to store API keys in the Operating System’s environment variables. These are variables that your OS maintains, separate to Python or any other language. This includes things like the PATH variable.

The advantage of this method is that you don’t need to store the key in your script, or in a text file. Your script can, if run with the right privileges, read the key from the OS.

I’d like to point out that this isn’t a perfect system. It is only as secure as the computer/server that you’re using, and the Operating System on it. If your computer is compromised by an attacker, they can, in theory, steal your API key. However, it’s still safer than storing the key in your script!

Store the Key

Linux

You can add global environment variables by editing /etc/environment. For example:

device01="API key goes here"


This file is read when a user logs in. So, once that’s saved, you have two options to apply the changes:

  1. Log off and back on
  2. Reboot the server

Some people say you can run source /etc/environment. However, this file is not a script, so that won’t work.

To confirm this has worked, you can run printenv.

Windows

Step 1

The first step is to obtain your API key. You can do this as normal, using a script, Postman, or some other method.

Remember that this is like a password, so if you write it down anywhere, remember to keep it safe.

Step 2

Now we create the environment variable. In Windows 10:

  1. Right-click the Start button, and click System. A settings window will open
  2. Near the bottom of the settings window, click Advanced system settings
  3. At the bottom of the System Properties window (Advanced tab), click Environment Variables
  4. In the User Variables section, click New
  5. Enter a Variable Name, such as API_Key
  6. Enter your key as the Variable value

Retrieve the Key

Now we can retrieve the key in Python. This uses the os module, a portable way of accessing Operating System features. That just means we can access things like environment variables, whether we’re using Windows or Linux.

import os
key = os.environ.get('API_Key')

It’s really that easy! Just two lines! Whenever you need to send a request to your API, you can include the value in the key variable.

Take note, you can use Python to create or modify these variables, but they’re only valid for the session. They’re not persistent across sessions.
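The two-line lookup above returns None when the variable is missing, and that None can end up in a request as the literal text "None". The following is an added example, not part of the original article, that fails early in that case and masks the key for log output. The header name X-API-Key, the URL, and the helper names are assumptions for illustration; the sample key is constructed.

```python
import os
import urllib.request


class MissingAPIKey(RuntimeError):
    """Raised when the expected environment variable is unset or blank."""


def load_api_key(name="API_Key", environ=None):
    """Return the key stored in environment variable `name`, or fail loudly.

    os.environ.get() returns None for a missing variable; formatting that into
    a header would send the literal text "None", so reject it here instead.
    """
    environ = os.environ if environ is None else environ
    value = (environ.get(name) or "").strip()
    if not value:
        # Name the variable, never the value, in the error message.
        raise MissingAPIKey(f"environment variable {name!r} is not set")
    return value


def redact(key, visible=4):
    """Mask a key for log output, keeping only the last `visible` characters."""
    if len(key) <= visible * 2:
        return "*" * len(key)  # too short to reveal any part safely
    return "*" * (len(key) - visible) + key[-visible:]


def build_request(url, key, header="X-API-Key"):
    """Build (but do not send) a request carrying the key in a header.

    The header name is an assumption; check your API's documentation.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to attach an API key to a non-HTTPS URL")
    return urllib.request.Request(url, headers={header: key})


if __name__ == "__main__":
    fake_env = {"API_Key": " demo-0123456789abcdef \n"}  # constructed sample
    key = load_api_key(environ=fake_env)
    req = build_request("https://api.example.com/v1/status", key)
    print("using key", redact(key), "for", req.full_url)
```

On Linux, variable names are case-sensitive, so pass the exact name you stored (for example load_api_key("device01") for the /etc/environment entry shown earlier).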