10

I'm using Python and Django to create a Heroku web app and Heroku gives me this error after the command `git push heroku master`: `ModuleNotFoundError: No module named 'dlist.secret_settings'` when attempting to do this:

```python
# settings.py
from .secret_settings import *
# from secret_settings.py import * doesn't work for some reason.
```

Here is what secret_settings.py (which is in the same folder as settings.py) contains:

```python
# secret_settings.py
SECRET_KEY = 'string here'
```

The problem is, this works when I test my web app on my local server (i.e. http://127.0.0.1:8000/), but it's not working when I push these changes to Heroku. All I want to do is hide my SECRET_KEY, per others' advice, as you can see. I've looked at others' suggestions and I can't seem to figure it out, choosing this method because it was understandable. Very frustrating. Beginner-friendly answers/steps are greatly appreciated.

xv8

1 Answer

20

I'm guessing you've configured Git to ignore secret_settings.py. That's the only reason I can think of to create a separate file.

Heroku deploys are powered by Git. Since secret_settings.py isn't tracked by Git it doesn't get pushed to Heroku. You could add the file to your repository, but that would defeat the purpose of having a separate untracked file in the first place.

The solution is to use an environment variable. This is well-supported on Heroku.

In your settings.py file, set your SECRET_KEY using os.getenv() like this:

```python
import os

SECRET_KEY = os.getenv('SECRET_KEY', 'Optional default value')
```

This tells Django to load your SECRET_KEY setting from an environment variable called SECRET_KEY. If no such environment variable exists it will fall back to the optional default value. On your development machine it's probably fine to use the default.

Finally, set the SECRET_KEY environment variable on Heroku. You can do this by running `heroku config:set SECRET_KEY="YOUR_SECRET_KEY_VALUE"` on your development machine, or via Heroku's web-based dashboard.

Your secret_settings.py file is no longer required.

ChrisGPT was on strike
  • Thanks Chris, that helps immensely, the documentation wasn't clear to me. One follow-up question is if it's secure to include my original `SECRET_KEY` in the second argument in `os.getenv` (i.e. the Optional default value) if I'm committing it to a public repo? If it's not secure should I just use `SECRET_KEY = os.getenv('SECRET_KEY')` in `settings.py`? I guess the question really is if the 1st argument in `os.getenv` is the **only** authentic `SECRET_KEY` on the web app if it's included, but if it's not included and you're on the development machine, it will instead use the second argument? – xv8 Dec 23 '17 at 04:52
  • @reedx8, if you include your real secret key as the second argument it will be visible to the world in your public repository. That's probably not what you want. You can use `os.getenv('SECRET_KEY')`, but then you'll need to set a `SECRET_KEY` environment variable in _all_ of your environments (your development machine, any test or staging environments you may have, etc.). It's probably easier to include a dummy value as a default value, though of course it's possible to set environment variables everywhere. I've added a link to the docs for `os.getenv()`. – ChrisGPT was on strike Dec 23 '17 at 12:16
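
The fallback question raised in the comments above, worked through as an added example (not code from the answer or from Django): the committed default is a dummy value that is only accepted in development, and the app refuses to start if the real key is missing anywhere else. The names `load_secret_key`, `DEV_PLACEHOLDER_KEY` and the `DJANGO_DEBUG` environment variable are assumptions made for this sketch.

```python
import os

# Constructed placeholder: safe to commit to a public repo because it
# protects nothing. It must never be the key a deployed app runs with.
DEV_PLACEHOLDER_KEY = "dev-only-insecure-key-do-not-use-in-production"


def load_secret_key(environ=os.environ):
    """Return the SECRET_KEY to use for the current environment.

    The real key comes only from the SECRET_KEY environment variable
    (on Heroku, set with `heroku config:set SECRET_KEY=...`).
    The committed placeholder is accepted only when DJANGO_DEBUG is "1"
    (hypothetical variable name, set on the development machine).
    """
    key = environ.get("SECRET_KEY", "").strip()
    debug = environ.get("DJANGO_DEBUG", "0") == "1"

    # A real key was supplied by the environment: always use it.
    if key and key != DEV_PLACEHOLDER_KEY:
        return key

    # Local development without a configured key: the dummy value is fine.
    if debug:
        return DEV_PLACEHOLDER_KEY

    # Fail closed: a missing key (or the public placeholder) outside
    # development would let anyone who read the repo forge signed data.
    raise RuntimeError(
        "SECRET_KEY is not set to a real value; "
        "set it in the environment before starting the app"
    )


if __name__ == "__main__":
    # Constructed environments, standing in for a dyno and a laptop.
    print(load_secret_key({"SECRET_KEY": "value-from-heroku-config"}))
    print(load_secret_key({"DJANGO_DEBUG": "1"}))
```

In `settings.py` the call would be `SECRET_KEY = load_secret_key()`, replacing the two-argument `os.getenv()` line.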