secrets-management


Secrets Management Skill

When to Activate

Activate this skill when:
  • Setting up API keys or credentials
  • Creating secrets.json files
  • Implementing secrets loading patterns
  • Working with .env files
  • Integrating external APIs requiring authentication
  • Ensuring credentials are not committed to git

Core Principles

Security Fundamentals

  • NEVER hardcode API keys in source code
  • ALWAYS add secrets.json to .gitignore immediately
  • ALWAYS provide a secrets_template.json for setup reference
  • Use environment variable fallbacks for CI/CD compatibility

Standard File Structure

project/
├── secrets.json          # Actual secrets (NEVER commit)
├── secrets_template.json # Template with placeholder values (commit this)
├── .gitignore           # Must include secrets.json
└── .env                 # Alternative for env vars (also gitignored)

Implementation Pattern

secrets.json Format

```json
{
  "anthropic_api_key": "sk-ant-api03-...",
  "openrouter_api_key": "sk-or-v1-...",
  "openai_api_key": "sk-...",
  "database_url": "postgresql://user:pass@localhost/db",
  "comment": "Add your API keys here. Keep this file private."
}
```

Python Loading Pattern

```python
import os
import json
from pathlib import Path

def load_secrets():
    """Load secrets.json from the module's directory; return {} if it is missing or malformed."""
    secrets_path = Path(__file__).parent / "secrets.json"
    try:
        with open(secrets_path, 'r') as f:
            return json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}

SECRETS = load_secrets()

# Use with environment variable fallback: the file wins when it has the key,
# otherwise the CI/CD environment variable is used, and "" means not configured.
API_KEY = SECRETS.get("anthropic_api_key", os.getenv("ANTHROPIC_API_KEY", ""))
```

Setup Checklist

  1. Create secrets_template.json with placeholder values
  2. Copy to secrets.json and add real credentials
  3. Add secrets.json to .gitignore
  4. Implement secrets loading in application
  5. Verify git status shows secrets.json as untracked
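The following is an added example, not code from the skill or from AgentUsage/secrets_management.md. It extends the loading pattern above with the checks a practitioner actually wants before relying on the checklist: values copied unchanged from secrets_template.json are rejected rather than used as credentials, the environment fallback only fires when the file has no usable value, keys are redacted for log lines, and a `.gitignore` is checked for the `secrets.json` entry. All function names, the placeholder set and the sample inputs are constructed for this example; the gitignore matcher is a simplified approximation of git's rules, sufficient for a single top-level file.

```python
import json
import os
from fnmatch import fnmatch
from pathlib import Path

# Constructed: placeholder values as shipped in secrets_template.json (see Key Format Reference).
# A value still equal to its placeholder is "not configured", never a real credential.
TEMPLATE_PLACEHOLDERS = {"sk-ant-api03-...", "sk-or-v1-...", "sk-...", "AKIA..."}


def parse_secrets(text):
    """Parse secrets.json text; drop the free-text 'comment' field, non-strings and untouched placeholders."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return {}
    if not isinstance(data, dict):
        return {}
    return {k: v for k, v in data.items()
            if k != "comment" and isinstance(v, str) and v not in TEMPLATE_PLACEHOLDERS}


def load_secrets(secrets_path):
    """Read secrets.json at the given path; a missing or malformed file yields {} (fail open to env fallback)."""
    try:
        return parse_secrets(Path(secrets_path).read_text(encoding="utf-8"))
    except FileNotFoundError:
        return {}


def get_secret(secrets, name, env_var, env=None):
    """secrets.json wins; otherwise the environment variable (CI/CD); '' means not configured anywhere."""
    env = os.environ if env is None else env
    value = secrets.get(name) or env.get(env_var, "")
    return value.strip()


def redact(key):
    """Render a key for logs: enough prefix to identify the provider, the last two chars, never the full key."""
    if len(key) < 12:
        return "***"
    return key[:8] + "..." + key[-2:]


def gitignore_covers(gitignore_text, filename="secrets.json"):
    """True if the last matching non-negated .gitignore pattern ignores the file (checklist step 3).
    Simplified semantics: whole-name glob match per line, leading/trailing slashes stripped, '!' negates."""
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = (line[1:] if negate else line).strip("/")
        if fnmatch(filename, pattern):
            ignored = not negate
    return ignored
```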

Security Best Practices

DO ✅

  • Store keys in secrets.json
  • Add to .gitignore immediately
  • Provide template files for setup
  • Use environment variable fallbacks
  • Rotate keys after team changes

DON'T ❌

  • Hardcode API keys
  • Commit actual credentials
  • Log full API keys
  • Share keys via email/chat

Key Format Reference

| Provider   | Format            |
|------------|-------------------|
| Anthropic  | sk-ant-api03-...  |
| OpenRouter | sk-or-v1-...      |
| OpenAI     | sk-...            |
| AWS Access | AKIA...           |

Related Resources

See AgentUsage/secrets_management.md for complete documentation including:
  • Advanced loading patterns with validation
  • .env file integration
  • Automated testing patterns
  • Emergency key rotation procedures
  • Production deployment strategies