I’ve been working on a Xamarin app using Azure Cognitive Services to do image recognition, and one of the stumbling blocks I’ve faced is what to do with my API keys. I want to make the app open source as an example of how to use these services, but don’t want to check my API keys into Git to be available to all - after all, bad things can happen.
I hit up twitter, and got a really awesome solution from Bart Lannoeye:
You can add the file with *your key here* then change locally and git update-index --assume-unchanged .\pathtofile. Shows file as unchanged => can't commit by accident. #protip We do the same for Kliva.
— Bart Lannoeye (@bartlannoeye) December 28, 2017
This is exactly what I did, and it works perfectly. I’ve created a static class called ApiKeys
which contains all my keys using “Your Key Here” values:
public static class ApiKeys
{
public static string PredictionKey = "<Your API Key>";
public static Guid ProjectId = Guid.Parse("<Your Project GUID>");
}
I then added this to Git and commited. After my commit I ran:
git update-index --assume-unchanged ./ApiKeys.cs
Done. I can then change the values to my actual API keys and Git doesn’t see the change.
Obviously if I need to add any more keys to this file I’d have to revert this change, remove all keys, add the new one with a “your key” type value, commit, re-run the update-index and put the keys back. A bit of work, but at least no worries about anyone abusing my API limits!
Thanks Bart!
Update - how to tell users what they need to do with this code
I’ve just had another great suggestion from Brandon Minnick, a fellow CDA here at Microsoft. He suggests adding a #error
to the keys file so that when someone grabs the code and builds it they get an error telling them what to do, rather than a crash when the app is run:
public static class ApiKeys
{
# error You need to set up your API keys.
// Start by registering for an account at https://customvision.ai
// Then create a new project.
// From the settings tab, find:
// Prediction Key
// Project Id
// and update the values below
public static string PredictionKey = "<Your Prediction Key>";
public static Guid ProjectId = Guid.Parse("<Your Project GUID>");
}
Update 2 - how to fix it if you forget and add your keys
Another great tip from Brandon Minnick is the BFG Repo-CLeaner. If you accidentally checked in some API keys, this tool can remove them from the Git history.
Obviously it could be too late by the time you realize, so if you check any API keys in to a public repo you MUST regenerate them as there are bots that can GitHub for API keys. But this is good for a private repo that you are planning to make public or accidentally add personal keys to.