How to best store secrets for AWS Cognito on Pantheon? Looking for support

What’s the best way to store a secret on Pantheon (that doesn’t want to pay for LOCKR)?

Can I add a file in /sites/default/secretfilename.php
and then in my .gitignore hide that file from git?

And then SFTP it in to place where I need it?

And then include it in settings.php like we do for settings.local.php?

Or is that gonna piss off Pantheon’s git?


Depending on your environment we recommend keeping that kind of data in one of these paths:

  • wp-content/uploads/private (WordPress)
  • /wp-content/uploads/private/sites/<blog_id>/ (WordPress Multisite)
  • sites/default/files/private (Drupal)

Those locations are not web accessible and are not tracked in git.
They do get moved through environments when assets are cloned, so just be aware that that data will be on all 3 envs.
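
Added example, not part of the reply above and not Pantheon's own code: one way a Drupal `settings.php` could load Cognito credentials from the `sites/default/files/private` path named in the answer, with one entry per environment because the file is copied to every environment. The file name, JSON layout and `$settings` key are assumptions; `PANTHEON_ENVIRONMENT` is the environment name Pantheon exposes to PHP.

```php
<?php
// Fragment for sites/default/settings.php (added example).
// Assumed file: sites/default/files/private/cognito_secrets.json, uploaded over
// SFTP, never committed. Assumed layout (constructed sample values):
//   { "dev":  {"client_id": "...", "client_secret": "...", "user_pool_id": "..."},
//     "live": {"client_id": "...", "client_secret": "...", "user_pool_id": "..."} }

// A closure rather than a named function, so a second include of settings.php
// cannot trigger a "cannot redeclare" fatal error.
$example_load_secrets = static function (string $path, string $env): array {
  if (!is_readable($path)) {
    throw new RuntimeException('secrets file missing or unreadable');
  }
  // JSON_THROW_ON_ERROR: malformed JSON raises instead of returning NULL.
  $all = json_decode(file_get_contents($path), TRUE, 8, JSON_THROW_ON_ERROR);
  if (!is_array($all) || !isset($all[$env]) || !is_array($all[$env])) {
    throw new RuntimeException("no secrets entry for environment '$env'");
  }
  $required = ['client_id', 'client_secret', 'user_pool_id'];
  foreach ($required as $key) {
    $value = $all[$env][$key] ?? NULL;
    if (!is_string($value) || $value === '') {
      // Report the key name only; never write secret values to a log.
      throw new RuntimeException("missing or empty key '$key' for '$env'");
    }
  }
  // Return only the expected keys so stray entries do not reach $settings.
  return array_intersect_key($all[$env], array_flip($required));
};

// The private files directory sits beside settings.php in sites/default.
$example_secrets_file = __DIR__ . '/files/private/cognito_secrets.json';
$example_env = $_ENV['PANTHEON_ENVIRONMENT'] ?? 'local';

try {
  // Hypothetical settings key; the consuming module would read it with
  // \Drupal\Core\Site\Settings::get('example_cognito').
  $settings['example_cognito'] = $example_load_secrets($example_secrets_file, $example_env);
}
catch (Throwable $e) {
  // Fail closed: no credentials are set, and the site keeps loading.
  error_log('Cognito secrets not loaded: ' . $e->getMessage());
  $settings['example_cognito'] = NULL;
}
```

Keying the file by environment means a clone of files from live to dev does not make dev use the live credentials, although the file on each environment still contains every entry.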

