Storing credentials **securely** (and **not hardcoding them**) is a critical part of building production-grade systems. Hardcoding secrets like database passwords or AWS keys puts them into every copy of the source, every build artifact and every backup, and the moment the code is shared or pushed to a version control system like GitHub they must be treated as compromised.

---

## ✅ Best Practices to Store Credentials Securely

---

### 🔐 1. **Environment Variables (Recommended)**

Use a `.env` file only for local development. In production, set real environment variables through the platform (systemd unit, container runtime, CI/CD secret store) and do not ship a `.env` file inside the image or the deploy artifact.

One caveat to keep in mind: environment variables are inherited by every child process and are readable by any process running as the same user (on Linux via `/proc/<pid>/environ`), and they tend to show up in crash reports and debug dumps. They are a solid baseline, not the strongest option on this page.

#### a. Create a `.env` file:

```env
MYSQL_USER=root
MYSQL_PASSWORD=secret123
MYSQL_HOST=localhost
MYSQL_DB=mydb

MONGO_URI=mongodb://localhost:27017
MONGO_DB=mydb
MONGO_COLLECTION=mycollection

# Use the standard AWS names so boto3 / the AWS CLI pick them up automatically
AWS_ACCESS_KEY_ID=your_aws_key
AWS_SECRET_ACCESS_KEY=your_aws_secret
AWS_BUCKET=my-s3-bucket
```

> **❗ Never commit `.env` files to version control.** Add them to `.gitignore`.

#### b. Load `.env` using `python-dotenv`:

Install the package:

```bash
pip install python-dotenv
```

Then in your Python code:

```python
from dotenv import load_dotenv
import os

load_dotenv()  # Reads .env into os.environ; variables already set are NOT overridden

# Required settings: os.environ[...] raises KeyError at startup if unset,
# which is better than os.getenv() silently returning None.
mysql_user = os.environ["MYSQL_USER"]
mysql_password = os.environ["MYSQL_PASSWORD"]

# Optional settings with a safe default
mysql_host = os.getenv("MYSQL_HOST", "localhost")
```
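The snippet above stops at reading two variables. The next step a practitioner wants is a small settings loader that validates everything at startup and keeps the secret out of logs. The following is an added example, not code from the original page: the `Secret` type, the `DbSettings` dataclass and the `load_from_dotenv_if_present` helper are assumptions made for the illustration, and `python-dotenv` is treated as optional so the module imports cleanly in a production image that does not ship it.

```python
"""Added example: load required settings from the environment, fail fast
on anything missing, and keep secrets out of logs and tracebacks."""
import os
from dataclasses import dataclass
from typing import Mapping

try:
    from dotenv import load_dotenv  # only needed for local development
except ImportError:  # production images need not ship python-dotenv
    load_dotenv = None


class Secret(str):
    """A str whose repr() hides the value, so logging a settings object or a
    traceback that prints locals does not leak it. str(secret) and f-strings
    still yield the real value for passing to the DB driver."""

    def __repr__(self) -> str:
        return "Secret('***')"


@dataclass(frozen=True)
class DbSettings:
    user: str
    password: Secret
    host: str = "localhost"
    db: str = "mydb"


# Variable names from the .env file above; these two have no safe default.
REQUIRED = ("MYSQL_USER", "MYSQL_PASSWORD")


def load_db_settings(env: Mapping[str, str] = os.environ) -> DbSettings:
    """Build DbSettings from a mapping (os.environ by default).

    Reports every missing required variable at once, instead of failing
    later on the first None handed to the database driver.
    """
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing required settings: " + ", ".join(sorted(missing)))
    return DbSettings(
        user=env["MYSQL_USER"],
        password=Secret(env["MYSQL_PASSWORD"]),
        host=env.get("MYSQL_HOST", "localhost"),
        db=env.get("MYSQL_DB", "mydb"),
    )


def load_from_dotenv_if_present() -> DbSettings:
    """Dev convenience (assumed helper): read .env when the library is
    installed. Real environment variables win, because load_dotenv()
    does not override values that are already set."""
    if load_dotenv is not None:
        load_dotenv()
    return load_db_settings()


if __name__ == "__main__":
    # Constructed sample environment for demonstration; not real credentials.
    sample = {"MYSQL_USER": "app", "MYSQL_PASSWORD": "s3cr3t", "MYSQL_HOST": "db.internal"}
    settings = load_db_settings(sample)
    print(settings)  # the password field prints as Secret('***')
```

Passing the mapping in explicitly (rather than reading `os.environ` inside the function) is what makes the loader unit-testable without touching the real environment, and it is the reason the redacting `repr` can be checked in a test.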

---

### 🛡️ 2. **Use IAM Roles for AWS (for EC2, Lambda, etc.)**

If your code runs on **AWS services (EC2, ECS, Lambda, etc.)**, **never** put access keys in the environment or on disk at all.

✅ Instead, attach an **IAM role** to the instance, task or function. The SDK's default credential chain (boto3 included) obtains short-lived credentials for that role automatically, from the instance metadata service on EC2 or from the runtime environment on Lambda, and refreshes them before they expire, so your code contains no credential handling. Grant the role only the permissions the workload needs, and on EC2 require IMDSv2 so that an SSRF bug in the application cannot simply read the role's credentials from the metadata endpoint. To confirm which identity the code is actually running as, run `aws sts get-caller-identity` on the host.

---

### 🧊 3. **Secrets Managers (Advanced, Production)**

Use services like:

* **AWS Secrets Manager**
* **HashiCorp Vault**
* **Azure Key Vault**
* **GCP Secret Manager**

These allow you to:

* Store secrets encrypted at rest, outside the application's environment and filesystem
* Rotate them automatically
* Scope access per secret with IAM (or equivalent) policies and audit every read
* Access via SDK/API

#### Example (AWS Secrets Manager):

```python
import json
import boto3


def get_secret(secret_id: str, region_name=None) -> dict:
    """Fetch a Secrets Manager secret and JSON-decode it.

    Needs secretsmanager:GetSecretValue on this secret, granted to the
    IAM role from section 2 rather than to a key pair in the environment.
    """
    client = boto3.client("secretsmanager", region_name=region_name)
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:  # binary secrets arrive as SecretBinary instead
        raise ValueError(f"{secret_id} is not stored as a string secret")
    return json.loads(response["SecretString"])
```
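Two things bite in practice once the fetch works: calling the API on every request (Secrets Manager calls are billed and rate-limited), and the secret being rotated while the application still holds the old copy. The example below is added here and is not from the page or from AWS: it caches each secret with a time-to-live and retries a connection exactly once with a fresh fetch when the backend rejects the cached credentials. `FakeSecretsManager` is a constructed stand-in that exposes only the `get_secret_value` call and response shape used, so the example runs offline; a real `boto3.client('secretsmanager')` can be passed in its place. `AuthError` and the `connect` callback are assumptions standing in for whatever the database driver raises.

```python
"""Added example: TTL cache in front of Secrets Manager plus a
rotation-aware retry. Not from the original page or from AWS."""
import json
import time
from typing import Any, Callable, Dict, Tuple


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager') so the
    example runs offline; only get_secret_value is modelled."""

    def __init__(self, secrets: Dict[str, dict]):
        self._secrets = secrets
        self.calls = 0  # how many API calls the cache let through

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"SecretString": json.dumps(self._secrets[SecretId])}

    def rotate(self, secret_id: str, new_password: str) -> None:
        """Simulate a rotation that happens outside the application."""
        self._secrets[secret_id] = dict(self._secrets[secret_id], password=new_password)


class SecretCache:
    """Per-secret cache with a time-to-live. The clock is injectable so the
    expiry logic can be tested without sleeping."""

    def __init__(self, client, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, dict]] = {}  # id -> (fetched_at, value)

    def get(self, secret_id: str) -> dict:
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        response = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(response["SecretString"])
        self._cache[secret_id] = (now, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        """Drop a cached entry, e.g. after the backend rejected it."""
        self._cache.pop(secret_id, None)


class AuthError(Exception):
    """Assumed stand-in for the driver's authentication failure."""


def connect_with_rotation_retry(cache: SecretCache, secret_id: str,
                                connect: Callable[[dict], Any]) -> Any:
    """Connect with the cached secret; if it is rejected (rotated since we
    cached it), refetch once and retry. Any second failure propagates."""
    try:
        return connect(cache.get(secret_id))
    except AuthError:
        cache.invalidate(secret_id)
        return connect(cache.get(secret_id))


if __name__ == "__main__":
    # Constructed data: a secret in the JSON shape used by RDS-style secrets.
    sm = FakeSecretsManager({"prod/db": {"username": "app", "password": "old"}})
    cache = SecretCache(sm, ttl_seconds=60)
    backend = {"password": "old"}  # what the database currently accepts

    def connect(creds: dict) -> str:
        if creds["password"] != backend["password"]:
            raise AuthError("access denied")
        return "connected as " + creds["username"]

    print(connect_with_rotation_retry(cache, "prod/db", connect))
    sm.rotate("prod/db", "new")
    backend["password"] = "new"
    print(connect_with_rotation_retry(cache, "prod/db", connect))
    print("API calls made:", sm.calls)
```

Retrying exactly once is deliberate: a genuinely wrong credential should surface as an error, not as an endless refetch loop against the secrets API.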

---

### 📦 4. **Configuration Files with Safe Handling**

If you must use config files (e.g., `config.yaml`), store them **outside the codebase** (for example under `/etc/` on the host, with the path supplied at runtime) and **never push them to GitHub**. Restrict the file to the service account that needs it (`chmod 600`, owned by that user), and parse it with `yaml.safe_load`, never plain `yaml.load`, which can instantiate arbitrary Python objects from attacker-controlled YAML.

```yaml
# config.yaml
mysql:
  user: root
  password: secret
  host: localhost
  db: mydb
```

Load with PyYAML:

```python
import os
import yaml

# Path comes from the environment so the file can live outside the repo.
# APP_CONFIG and the fallback path are assumed names for this illustration.
config_path = os.environ.get("APP_CONFIG", "/etc/myapp/config.yaml")

with open(config_path) as f:
    config = yaml.safe_load(f)  # safe_load builds plain Python types only

mysql_user = config['mysql']['user']
```
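Loading the file is the easy part; the practitioner's check is whether the file is actually private before trusting it. The example below is added here and is not code from the page: it resolves the config path from an environment variable (`APP_CONFIG`, an assumed name), refuses any file readable by group or others, and parses with `yaml.safe_load`. The sample config it writes is constructed, uses JSON syntax (which YAML accepts) so the example still runs when PyYAML is not installed, and is created with mode 0600 in a fresh temporary directory.

```python
"""Added example: load a config file from outside the repo and refuse it
unless it is private to the current user. Not from the original page."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Any, Dict, Optional, Tuple

try:
    import yaml  # PyYAML
except ImportError:
    yaml = None


class InsecureConfigError(Exception):
    """Raised when the config file is readable by other users."""


def parse_config(text: str) -> Dict[str, Any]:
    """yaml.safe_load only builds plain Python types; yaml.load can construct
    arbitrary objects. JSON is valid YAML, so json.loads is a faithful
    fallback for the constructed sample when PyYAML is absent."""
    if yaml is not None:
        return yaml.safe_load(text)
    return json.loads(text)


def check_private(path: Path) -> None:
    """Reject files with any group/other permission bits set (POSIX only;
    Windows does not expose Unix mode bits, so nothing is checked there)."""
    if os.name != "posix":
        return
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise InsecureConfigError(f"{path} has mode {mode:o}; expected 0600")


def load_config(path: Optional[Path] = None) -> Dict[str, Any]:
    """Load and parse the config. Without an explicit path, the location comes
    from APP_CONFIG (assumed variable name), never from the source tree."""
    if path is None:
        env_path = os.environ.get("APP_CONFIG")
        if not env_path:
            raise RuntimeError("APP_CONFIG is not set")
        path = Path(env_path)
    check_private(path)
    return parse_config(path.read_text())


def write_sample_config(directory: Path) -> Path:
    """Write a constructed sample (same keys as the page's config.yaml) with
    mode 0600. os.open sets the mode at creation; chmod defeats a lax umask."""
    path = directory / "config.yaml"
    body = json.dumps({"mysql": {"user": "root", "password": "secret",
                                 "host": "localhost", "db": "mydb"}})
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, 0o600)
    return path


def demo_in_tempdir() -> Tuple[Dict[str, Any], bool]:
    """Write the sample into a fresh temp dir, load it, then loosen the
    permissions and confirm the loader refuses it. Returns (config, refused);
    refused is also True on non-POSIX systems where the check does not apply."""
    path = write_sample_config(Path(tempfile.mkdtemp()))
    config = load_config(path)
    refused = os.name != "posix"
    if os.name == "posix":
        os.chmod(path, 0o644)  # world-readable: what a careless deploy leaves behind
        try:
            load_config(path)
        except InsecureConfigError:
            refused = True
    return config, refused


if __name__ == "__main__":
    loaded, was_refused = demo_in_tempdir()
    print("user:", loaded["mysql"]["user"], "| refused after chmod 644:", was_refused)
```

Checking the mode bits at load time catches the common failure where the file was correct in the deploy script but later copied, edited or restored from backup with default permissions.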

---

### 🚨 5. **Never Do This in Production:**

Literals like the ones below end up in every clone, build artifact and backup. If a secret has ever been committed, deleting it from the current revision is not enough: it stays in the Git history, so rotate it first and only then scrub the history.

```python
# ❌ Bad practice
mysql_user = "admin"
mysql_password = "password123"
```

---

### 🔐 6. **Git Ignore Sensitive Files**

Add sensitive files like `.env` or `config.yaml` to `.gitignore`. Commit a placeholder file such as `.env.example` instead, so new developers know which variables are expected without ever seeing real values:

```gitignore
.env
.env.*
!.env.example
config.yaml
```

A `.gitignore` rule does not help once a file is already tracked (`git rm --cached` removes it from the index), and it does nothing about secrets pasted into source files, so pair it with a pre-commit secret scanner such as gitleaks or detect-secrets.

---

## 🧠 Summary

| Method                                | Use Case                                                  | Security Level |
| ------------------------------------- | --------------------------------------------------------- | -------------- |
| `.env` + dotenv                       | Local/dev environments                                    | ✅ Good         |
| Environment variables                 | All environments (set by the platform, not a shipped file) | ✅✅ Better      |
| Config file outside the repo (0600)   | Hosts without a secrets manager                           | ✅ Good         |
| IAM Roles                             | AWS infra                                                 | ✅✅✅ Best       |
| Secrets Manager                       | Production apps                                           | ✅✅✅ Best       |

---

