How to handle sensitive values in config.yml?

[donhector]

Problem

Several comment providers require defining sensitive values (ie credentials, api keys, etc...) in your config.yaml. If you were to commit config.yaml then you just leaked your secrets to the public.

What's your recommended way to handle this scenario in a secure maner?

My suggestion

I can think of environment variables as one way to fix the problem.

For example, in \layouts\partials\comments\provider\disqusjs.html the Go template should try to grab the ApiKey value from the environment and if it is not there, then proceed as usual and grab it from config.yaml (i.e: keeping backwards compatibility)

This would work very well when building locally or via Github worklfows:

• Locally

  • Have a gitignored .env file containing all the secrets, and then source its contents before building.

    .env

    HUGO_DISCUSJS_APIKEY=abcd1234

• Github Workflow

  • Configure the sensitive values as Github Secrets, then in the workflow pass them using the env keyword.

    .github/workflows/build.yaml

    [...]
       - name: Build
         run: hugo --minify
         env:
             HUGO_DISCUSJS_APIKEY: "${{ secrets.HUGO_DISCUSJS_APIKEY }}"
    [...]

    This way no sensitive info would be committed to Git.

  How would other folks approach this problem?

[CaiJimmy]

If you were to commit config.yaml then you just leaked your secrets to the public.

Those API keys will still be exposed in the front end, anyone who can access your website can see it through the view source option.

[donhector]

Thanks for the insight 👌 Looks like there's no easy way to solve the problem then. And if there is, it probably goes beyond the scope of this theme and more into Hugo's internals. BTW, after reading Hugo's docs, Hugo already exposes any keys present in config.yaml as environment variables following the naming convention HUGO_<KEY>_<SUBKEY>_<SUBSUBKEY>... https://gohugo.io/getting-started/configuration/#configure-with-environment-variables

…

On Mon, Jul 4, 2022, 00:13 Jimmy Cai ***@***.***> wrote: If you were to commit config.yaml then you just leaked your secrets to the public. Those API keys will still be exposed in the front end, anyone who can access your website can see it through the view source option. — Reply to this email directly, view it on GitHub <#635 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAS4K4YPJPTMURAWX4R3UA3VSIGABANCNFSM52G5O5DQ> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>

[liopeer]

Hey @donhector, did you manage to solve this? I would also like to include e.g. google analytics with Hugo, but exposing the API key is of course also not an option.

[CaiJimmy]

Hi @liopeer, using Google Analytics should only include the tracking code. This is not sensitive data for the public.

[liopeer]

Hi @liopeer, using Google Analytics should only include the tracking code. This is not sensitive data for the public.

Oh, I wasn't aware of that. Thank you very much!