Managing Application Secrets with Ruby on Rails Credentials
Managing application secrets in Ruby on Rails applications is now straightforward with Rails credentials, a feature introduced in Rails 5.2 that replaces config/secrets.yml and the encrypted config/secrets.yml.enc added in Rails 5.1. There have been earlier implementations, but this one is the simplest, and by convention it allows the encrypted secrets to be committed to the code repository while the master key is kept out of it. Credentials are stored in config/credentials.yml.enc, an encrypted file whose decrypted contents are YAML. It is encrypted with a master key stored in config/master.key, which a newly generated Rails 5.2 app lists in .gitignore so that the key is not committed to source control.
To get started, use Rails 5.2 or later, which by default creates both config/credentials.yml.enc and config/master.key in the config directory when a new application is generated. If you want to start from scratch, delete both files and run:
$ EDITOR=vim rails credentials:edit
If the files are missing, this command generates a fresh master key and a new encrypted file. If you don't delete them, the same command decrypts the existing file and opens the YAML in your editor, where you can start adding credentials; on save it is re-encrypted. For example, AWS credentials might look like this (placeholder values, not real keys):
aws:
  access_key_id: ef62378129
  secret_access_key: 8239327feee
The credentials can now be accessed in Ruby code through Rails.application.credentials (there is no Rails.credentials shortcut; that constant does not exist). Top-level keys become methods and nested keys are looked up by symbol, so inside an ERB-templated configuration file such as config/storage.yml the lookups are:
<%= Rails.application.credentials.aws[:access_key_id] %>
<%= Rails.application.credentials.aws[:secret_access_key] %>
Keep these calls in Ruby code and configuration files only; interpolating a secret into a view template would render it into the HTML sent to the browser. Note that aws[:access_key_id] raises NoMethodError when the aws section is absent, because aws returns nil; Rails' own generated config/storage.yml uses credentials.dig(:aws, :access_key_id), which returns nil instead.
In production you need a way to supply the master key, since config/master.key is not in the repository. Rails reads the key from the RAILS_MASTER_KEY environment variable, which takes precedence over the file when both are present. If neither is available, the credentials cannot be decrypted; set config.require_master_key = true in config/environments/production.rb so the application refuses to boot without a key rather than failing later at the first credential lookup.
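To make the mechanism concrete, the following is an added illustration written for this article, not code from Rails itself. It reimplements the shape of the credentials file with only the Ruby standard library: a 32-character hex master key (16 raw bytes), AES-128-GCM authenticated encryption of the YAML text, key resolution that prefers RAILS_MASTER_KEY over a key file, symbol-keyed access like creds[:aws][:access_key_id], and a decryption failure on the wrong key. Rails' real implementation uses ActiveSupport::MessageEncryptor with the same cipher but a different on-disk layout; the ciphertext--iv--tag encoding, the DemoCredentials class name and the MissingKeyError name are assumptions made for this example, and the sample YAML values are constructed placeholders.

```ruby
require "openssl"
require "yaml"
require "securerandom"
require "tmpdir"

# Illustration only: a stdlib stand-in for Rails' encrypted credentials file.
# Class name, error name and blob layout are chosen for this example.
class DemoCredentials
  CIPHER = "aes-128-gcm" # Rails 5.2 credentials also use aes-128-gcm

  class MissingKeyError < StandardError; end

  # 16 random bytes, hex encoded to 32 characters, like config/master.key.
  def self.generate_key
    SecureRandom.hex(16)
  end

  # Key lookup order described in the article: RAILS_MASTER_KEY wins,
  # then the key file, otherwise fail loudly instead of running without secrets.
  def self.resolve_key(env: ENV, key_path:)
    key = env["RAILS_MASTER_KEY"]
    return key.strip if key && !key.strip.empty?
    return File.read(key_path).strip if File.exist?(key_path)
    raise MissingKeyError, "no RAILS_MASTER_KEY and no #{key_path}"
  end

  def initialize(hex_key)
    raise ArgumentError, "key must be 32 hex characters" unless hex_key =~ /\A\h{32}\z/
    @key = [hex_key].pack("H*") # 16 raw bytes for AES-128
  end

  # Returns base64(ciphertext)--base64(iv)--base64(tag); "--" never appears in base64.
  def encrypt(yaml_text)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ciphertext = cipher.update(yaml_text) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |b| [b].pack("m0") }.join("--")
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a modified blob,
  # because GCM verifies the authentication tag before releasing plaintext.
  def decrypt(blob)
    ciphertext, iv, tag = blob.split("--").map { |s| s.unpack1("m0") }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    (cipher.update(ciphertext) + cipher.final).force_encoding("UTF-8")
  end

  # Parse the decrypted YAML into symbol-keyed hashes so values are reached
  # with creds[:aws][:access_key_id], mirroring the article's access pattern.
  def read(blob)
    deep_symbolize(YAML.safe_load(decrypt(blob)))
  end

  private

  def deep_symbolize(obj)
    case obj
    when Hash then obj.each_with_object({}) { |(k, v), h| h[k.to_sym] = deep_symbolize(v) }
    when Array then obj.map { |v| deep_symbolize(v) }
    else obj
    end
  end
end

# Constructed sample credentials; the values are placeholders, not real keys.
SAMPLE_YAML = <<~YAML
  aws:
    access_key_id: ef62378129
    secret_access_key: 8239327feee
YAML

# Walks through development (key file), production (env var only) and a wrong key.
def demo
  Dir.mktmpdir do |dir|
    key_path = File.join(dir, "master.key")
    File.write(key_path, DemoCredentials.generate_key)

    dev = DemoCredentials.new(DemoCredentials.resolve_key(env: {}, key_path: key_path))
    blob = dev.encrypt(SAMPLE_YAML) # this is what credentials.yml.enc would hold
    from_file = dev.read(blob)[:aws][:access_key_id]

    env = { "RAILS_MASTER_KEY" => File.read(key_path).strip }
    prod = DemoCredentials.new(DemoCredentials.resolve_key(env: env, key_path: "/nonexistent"))
    from_env = prod.read(blob)[:aws][:secret_access_key]

    wrong_key_rejected = begin
      DemoCredentials.new(DemoCredentials.generate_key).decrypt(blob)
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end

    { from_file: from_file, from_env: from_env, wrong_key_rejected: wrong_key_rejected }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point worth carrying back to a real deployment is the failure mode: with authenticated encryption a wrong or stale key produces an exception, never silently wrong secrets, and resolve_key raises when neither the environment variable nor the file is present, which is the behaviour config.require_master_key = true gives a Rails app at boot.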
Carson R Cole