In most web application which deals with a database, one has to enter the DB creds in a settings or config file, like DATABASES variable in settings.py in Django. What is the general practice to secure the creds such that only a selected few in the team knows the creds and even they are not able to connect to the DB with same creds(even from the same machine on which application is being run)?
Securing database username and password in a web framework
code-securitydesign-patternsSecurityweb-applications
Best Answer
Get the database to interface directly with the servers auth system. ie MSSQL can use the windows user the process runs as as the db access user
Put the production db settings in the deployment system. so only the ops team has access.
Encrypt the settings and put the decryption key on the production box.
But if you really want to be secure you have to be disciplined.
Tell developers that they are not allowed to know the passwords and that if they find them out they should report it so they can be changed.
Review auth logs and make sure the service users are only logging in from service boxes.
Give humans one time use username/passwords that they can activate and use in a properly audited way when manual intervention is required. Don't force them to break the rules to make things work.