rails, api keys, secrets,

Swapnil Gourshete Swapnil Gourshete Follow Jul 04, 2020 · 2 mins read
Rails 6 - Managing API keys using 'credentials'
Share this

How do you manage application secret keys? We cannot commit them in Version Control System (like github), it is too dangerous.

In the era of docker-kubernetes we make them available as environment variables using kubernetes secrets & then application code picks up from there. This way is okay but becomes lengthy when number of secrets keys goes up.

Let’s talk about rails credentials now - the way for managing secret keys in the rails eco system itself. How different this approach is? Well, it stores secret keys in application code itself, but those are encrypted and needs a master key to decrypt. So, we can place just one secret key i.e. master key outside of VCS. Isn’t it good?

  • Create/edit credentials
EDITOR='VIM' rails credentials:edit

This will create two files credentials.yml.enc & master.key and open up decrypted credentials.yml.enc

aws:
   access_key_id: AWSACCESSKEYID
   secret_access_key: AWSSECRETACCESSKEY

# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
secret_key_base:

This file will be encrypted again before saving. Note do not commit master.key file. The only key that would stored out of VCS is master key. There are multiple ways to achieve it.

  • Accessing these in rails environment as
 > Rails.application.credentials.config
 => {:aws=>{:access_key_id=>AWSACCESSKEYID, :secret_access_key=>AWSSECRETACCESSKEY}}



Adding Environment wise Credentials

We can also keep dev, staging & production env wise separate credential files. Let’s create it for development environment as -

> rails credentials:edit --environment development

It will open up in a default editor like

aws:
   access_key_id: 123
   secret_access_key: 456

Put in secrets in here & then can be simply accessed in application as

 > Rails.application.credentials.config
 => {:aws=>{:access_key_id=>"DEVELOPMENT_KEY", :secret_access_key=>"DEVELOPMENT_ACCESS_KEY"}}


  • The best thing I liked was this

Even if you forget to remove secrets key file it will no be added to VCS as rails has moved it to gitignore.

Thanks for reading.

References -

  • Saeloun Blog on rails credentials

  • Medium Blog on environment wise credentials


Swapnil Gourshete
Written by Swapnil Gourshete Follow
Hi I am Swapnil, a Software Engineer and computer science enthusiastic
Setting up Rails Performance dashboard with influxdb and grafana
Rails 6.1 - adds defaults value to enum