In today's network engineering world, automation is incredibly important. It helps make tasks smoother, faster, and more efficient. Python has become a top choice for automating network tasks due to its versatility and extensive range of libraries. However, handling sensitive information like passwords and special keys securely within automation scripts can be challenging for newcomers. In this blog, we'll delve into how Python dotenv simplifies this process, making network automation safer and more manageable.

Python-dotenv is a popular library that simplifies the management of environment variables in Python applications. It allows you to store configuration settings in a .env file and easily load them into your script. This means you can keep sensitive information out of your source code and version control, reducing the risk of exposure.

• Follows 12-factor principles: Python-dotenv adheres to the 12-factor principles for building scalable and maintainable applications, ensuring consistency and reliability.
• Simplifies development and testing: By enabling the use of different .env files for specific environments (e.g., development, production), Python-dotenv streamlines the development and testing process.
• Supports various formats: It supports variable expansion, multiline values, and comments in the .env file format, providing flexibility and ease of use.
• Cross-platform compatibility: Python-dotenv is compatible with any system, allowing for seamless integration across different environments.
• Integration with other Python libraries: It integrates well with other Python libraries and frameworks, such as Flask, Django, and IPython, enhancing its versatility and utility.

To begin using Python-dotenv in your projects, you'll first need to install it via pip:

pip install python-dotenv

Once installed, you can create a .env file in the root directory of your project to store your environment variables. Here's an example of what a .env file might look like:

SSH_USERNAME=admin
SSH_PASSWORD=cisco123

Remember, each line in the .env file represents a single environment variable, with the key and value separated by an equals sign =. It's essential to keep your .env file secure and out of version control by adding it to your .gitignore file.

With the .env file in place, you can load the environment variables into your Python script using Python-dotenv. Here's how you can do it:

import os
from dotenv import load_dotenv

# Load environment variables from .env file
load_dotenv()

# Access environment variables
ssh_user = os.getenv("SSH_USERNAME")
ssh_password = os.getenv("SSH_PASSWORD")

By using os.getenv(), you can retrieve the values of your environment variables within your script securely.

You can use comments in your .env file by prefixing a line with the pound (#) character. Comments are ignored by python-dotenv when it loads the environment variables from the file. Here's an example of how to use comments in your .env file:

# Credentials
SSH_USERNAME=admin
SSH_PASSWORD=cisco123

# API Configuration
API_SECRET=0987654321fedcba

Alternatively, we can use os.environ.get() from os module to access environment variables directly without python-dotenv. This approach is useful when we want to avoid an extra dependency.

Now, let's create a Python script to automate the backup process using the environment variables from the .env file:

# Import necessary modules
import os
import paramiko
from dotenv import load_dotenv

# Load environment variables from .env file
load_dotenv()

# Function to connect to device and retrieve configuration
def backup_config():
    # Get environment variables
    device_ip = os.getenv("DEVICE_IP")
    ssh_username = os.getenv("SSH_USERNAME")
    ssh_password = os.getenv("SSH_PASSWORD")

    # Connect to the device
    ssh_client = paramiko.SSHClient()
    ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh_client.connect(hostname=device_ip, username=ssh_username, password=ssh_password)

    # Execute command to retrieve configuration
    stdin, stdout, stderr = ssh_client.exec_command("show running-config")
    config = stdout.read().decode()

    # Save configuration to a file
    with open(f"{device_ip}_config.txt", "w") as file:
        file.write(config)

    # Close SSH connection
    ssh_client.close()
    print(f"Configuration backup for {device_ip} completed.")

# Execute the backup_config function
if __name__ == "__main__":
    backup_config()

When you run this script, it will load the environment variables from the .env file and use them to connect to the device via SSH. It will then retrieve the running configuration and save it to a file named after the device's IP address.

By using python-dotenv, you can keep your credentials and device information secure in the .env file, separate from your codebase. This makes it easier to manage configurations and ensures that sensitive information is not exposed in your scripts.

Credits/Resources

1. Hiding Passwords and Secret Keys in Environment Variables (Mac & Linux)
2. Hiding Passwords and Secret Keys in Environment Variables (Windows)
3. Securely Manage Passwords and API Keys with DotEnv