Handbook
Testing vendor APIs with live credentials
Goals
Provide examples of how to use API credentials, to encourage good credential hygiene amongst Login.gov engineers.
See also: TTS Handbook page on Sensitive Information
Approved places to put credentials
- Google Docs (with limited visibility/permissions)
- Google Sheets (with limited visibility/permissions)
- Google Chat (not persisted)
- S3 config YMLs
- AWS Secrets Manager
Do’s
- Only share credentials via approved places to put credentials
- Develop iteratively
- Reference only fragments of keys (“API key ending in
...xyz123”)
Don’ts
- Do not share credentials in Slack (FOIA-able)
- Do not store credentials on developer laptops at all
- Do not commit credentials to source
Example Workflow
Goal: test against a brand new partner API using live credentials for their test/sandbox/staging environment
Note: Production credentials and sending production data should only happen in the production environment (prod, staging, dm)
- Write code locally, read secrets from
IdentityConfig.store.xyz - Upload actual credentials to S3 YML in a sandbox env (for test credentials) or prod env (for live credentials), use app-s3-secret
- Open a remote rails console, ssm-instance rails-c
- Manually paste in code to that Rails console (monkey patching)
- Run the code in that Rails console
- (repeat step 4-5 as needed to iterate)