[gerbilly]

I use something like this to set a few global variables at build time.

This keeps my secrets out of the source code.

go build \

    -ldflags="\

    -X main.programVersion=`git describe` \

    -X main.username=$USERNAME \

    -X main.password=$PASSWORD"

This isn't perfect, of course, because you can just use strings(1) to find the secrets embedded in the binary, but it is a step up from what they did.

It's fine for our internal go apps. I'm not sure what I would do if the secrets were for connecting to public cloud infrastructure though.

Perhaps encrypt them with a separate key per customer, then feed in the key via an env variable?

Any ideas?

[duncan-donuts]

I would read connection string information from the env. This[0] might be useful if you’re not familiar with 12 factor apps.

0: https://12factor.net/config

[CameronNemo]

An example configuration file is also acceptable. It is also less prone to leakage if your application runs other untrusted (or simply less trusted) code and does not sanitize the environment first.