Ruby on Rails

Managing Application Secrets with Ruby on Rails Credentials

Managing application secrets in Ruby on Rails is now straightforward thanks to Rails credentials, a feature introduced in Rails 5.2 that replaces config/secrets.yml and config/secrets.yml.enc. Earlier mechanisms existed, but this one is the simplest and, by convention, lets you commit encrypted secrets to the code repository while keeping the master key out of it. Credentials are stored in a new YAML file, config/credentials.yml.enc, which is encrypted with a master key stored in config/master.key; that key file is listed in .gitignore by default so it is not committed to source control.

Usage

To get started, use at least Rails 5.2, which by default creates both the credentials.yml.enc and master.key files in the config directory. If you want to start from scratch, delete both of these files and simply run:

$ EDITOR=vim rails credentials:edit

If you don't delete them, the same command opens the existing YAML file, where you can start adding credentials. For example, AWS credentials might look like this:

aws:
  access_key_id: ef62378129
  secret_access_key: 8239327feee

The credentials can now be accessed in your code through Rails.application.credentials, for example:

<%= Rails.application.credentials.aws[:access_key_id] %>
<%= Rails.application.credentials.aws[:secret_access_key] %>

In production you'll need a way to supply the master key, which can be stored in the RAILS_MASTER_KEY environment variable.
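As an added illustration (editor's example, not code from this post or from Rails), the stand-alone Ruby below models the scheme the post describes: an encrypted YAML document, an AES-128-GCM master key that is resolved from RAILS_MASTER_KEY first and a key file second, and a decrypt that fails closed on a wrong key. It assumes the same cipher and 32-hex-character key that ActiveSupport::EncryptedFile uses and the base64 ciphertext--iv--tag layout of ActiveSupport::MessageEncryptor, but it skips Rails' Marshal serialization, so it is a model of the design rather than a reader of a real credentials.yml.enc.

```ruby
require "openssl"
require "base64"
require "yaml"

# Stand-alone model of the Rails credentials scheme (not Rails' own code):
# a YAML document encrypted with AES-128-GCM under a 16-byte master key that
# arrives via RAILS_MASTER_KEY or a key file and is never committed.
module CredentialsDemo
  CIPHER = "aes-128-gcm"

  # Resolve the master key the way Rails does: the environment variable wins,
  # then the key file; a missing key is an error rather than a silent nil.
  def self.master_key(env: ENV, key_path: "config/master.key")
    hex = env["RAILS_MASTER_KEY"]
    hex ||= File.read(key_path).strip if File.exist?(key_path)
    raise "master key not found in RAILS_MASTER_KEY or #{key_path}" unless hex
    [hex].pack("H*") # 32 hex chars -> 16 raw key bytes
  end

  # Fresh random key in the hex form that would be written to master.key.
  def self.generate_key
    OpenSSL::Random.random_bytes(16).unpack1("H*")
  end

  # Encrypt plaintext YAML; output is base64(ciphertext)--base64(iv)--base64(tag).
  def self.encrypt(plain_yaml, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = ""
    data = cipher.update(plain_yaml) + cipher.final
    [data, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
  end

  # Decrypt and parse. A wrong key or a tampered blob fails the GCM tag check
  # and raises OpenSSL::Cipher::CipherError instead of yielding garbage YAML.
  def self.decrypt(blob, key)
    data, iv, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    YAML.safe_load(cipher.update(data) + cipher.final, symbolize_names: true)
  end
end
```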


Carson R Cole