Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the correct way to use config/credentials in Rails 6? And how do I stop my app from using /tmp/development_secret?

Tags:

ruby-on-rails

I'm working on a Rails application and I am attempting to organize my secret_key_base and related important secrets (Think API keys, database credentials, etc.)

I am trying to find a way to setup something like the following, under /config

/config
credentials.yml.enc
master.key

/config/credentials
development.yml.enc
development.key
production.yml.enc
production.key
test.yml.enc
test.key

First Question: Is it that secret_key_base exists in /config/credentials.yml.enc, which is loaded (first?) and then the credentials are loaded for the environment rails is running in? Or should I create a different secret_key_base for each environment?

Second Question: No matter what I do, when I run in development or test, tmp/development_secret loads first. In addition, whenever I try to access my secrets in development, (Rails.application.secret_key_base) as referenced here: What's the correct way of defining secret_key_base on Rails 6, I run into an issue where I only ever receive nil when looking for secrets I've defined in my development.yml.enc, which I assume is because it's not loading anything in that file, it's going to tmp/development_secret and not finding anything else (Maybe I'm wrong.)

Goals:

  • Stop tmp/development_secret from being created, and instead access secrets using the specific .yml.enc file depending on the environment.
  • Understand why /config/credentials.yml.enc exists if it doesn't load in all the environments. If it doesn't, then it isn't clear when it loads.

Why?

  • Using config/database.yml as an example, I want to store different creds for each environment, but none of them in version control. (I want nobody but a few to have production.) However, I want to access them the exact same way in all of my environments. Not having creds load in production because of an issue with a .yml file will crash my app, so I don't want to load them differently in test/development.
  • Put together a blog post about this because searching for documentation on this feature is painful. It's a really easy thing because then only the master.key, and production.key would need loaded as ENV variables which is great. (Or possibility just one of them.)

This really should be a simple, out-of-the-box thing, but it's hard to find real documentation on best practices.

like image 504
Aaron Avatar asked Feb 01 '26 07:02

Aaron

1 Answers

I've found the answer, at least the one I'm looking for. You can have your initializer load whatever file you want by overriding the defaults.

  config.credentials.content_path = 'config/credentials/development.yml.enc'
  config.credentials.key_path = 'config/credentials/development.key'

https://edgeapi.rubyonrails.org/classes/Rails/Application.html

like image 87
Aaron Avatar answered Feb 03 '26 01:02

Aaron
Sign in to Comment

Related questions

Double join with habtm in ActiveRecord
Speeding up XML to MySQL with Nokogiri in Rails
Setting tenant scope for DelayedJob
Rails convention confusion for altering config files

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!