Use docker secrets in Django application

Recently I needed to deploy a Django application to Docker Swarm and I wanted to used built-in feature to store secrets. Setting the secrets is pretty easy just following the docker documentation:

openssl rand -base64 40 | docker secret create django_secret -

The secrets have to be declared in docker-compose.yml to be available in the container.

version: "3.8"

services:
  django:
    command: gunicorn wsgi:application --bind 0.0.0.0:8100
    environment:
      SECRET_KEY: /run/secrets/django_secret
    secrets:
      - django_secret

secrets:
  django_secret:
    external: true

The value of the secret is available in the container as a content of the file /run/secrets/django_secret. The settings.py file needs to be updated with a simple function to read the value of the secret either from environment variable or the file.

import os

def get_secret(key, default):
    value = os.getenv(key, default)
    if os.path.isfile(value):
        with open(value) as f:
            return f.read()
    return value

SECRET_KEY = get_secret("SECRET_KEY", "")

Using this approach the secrets can be declared either as an environment variable or a docker secret which is very convenient both for development and production deployments.

References