"Required key" check conflicts with best practice of keeping credentials out of VCS

[aaronbauman]

The "required key" check in \CommerceGuys\AuthNet\Configuration::__construct() enforces valid credentials - that makes sense.

On my Drupal site, I'd like to configure these values through settings.php + environment varialbe, and removing them from my config set, so that the sensitive info doesn't go into VCS.

Unfortunately, authnet will not allow this, throwing an InvalidArgumentException during config import.

What is the suggested workaround?
Is this fixable with existing code, or does this require a patch?

[scottsawyer]

In some circumstances, it's easy enough to set dummy values in the config, but in others, such as when using the Key module and key_overrides and letting the module set the config values to NULL, it does cause a problem when importing. Another feature that would be nice would be to have the API keys on a separate form so that you can actually change other settings on the form.

[mglaman]

If you're using Drupal + config overrides, I'm not sure how you're having this issue? You provide config overrides and it's not in VCS.