What this feature is for
The credentials feature is a way of storing secrets that you don’t want to keep in plaintext, like AWS credentials for example. (In fact, the one and only thing I keep in my main Rails project’s credentials are my Active Storage AWS credentials.)
Why the credentials feature is difficult to learn about
I personally have found Rails credentials really hard to understand. I think there are three reasons why this is.
- The official Rails docs about the credentials feature are a little terse and not easily discoverable.
- The feature changed somewhat drastically from Rails 4 to Rails 5, even changing names from “secrets” to “credentials”.
- I only need to use the feature once in a while, when I’m deploying an application for the first time, meaning there’s lots of time in between to forget everything I knew.
How to work with credentials without frustration
There are perhaps five important things to understand about credentials:
- Credentials are stored in config/credentials.yml.enc
- The development master key and production master key are the same
- The credentials.yml.enc file is edited in a special way
- secrets.yml is obsolete
- The steps for setting up credentials in production
Credentials are stored in config/credentials.yml.enc
At the risk of stating the obvious, your secrets are stored in config/credentials.yml.enc. That file is encrypted.
There of course needs to be a way to securely decrypt this encrypted file. That’s done using something called a master key. The master key is just a random hex string that gets stored in one of two places: a file called config/master.key (which should NOT be committed to version control) or a RAILS_MASTER_KEY environment variable.
The development master key and production master key are the same
A key thing to understand, which I found counterintuitive, is that the master key you use in production should be the same as the master key you use in development. If your development master key is stored in config/master.key, create an identical config/master.key on production, containing the same exact key. If your development master key is stored in the RAILS_MASTER_KEY environment variable, set the production RAILS_MASTER_KEY to the exact same value.
I found this counterintuitive because usually I try to make all my passwords, etc. different for each environment I have. I thought I would need to create a different master key for my production environment. No, I need to not create a different master key.
The credentials.yml.enc file is edited in a special way
Since it’s encrypted, the config/credentials.yml.enc file can’t be edited directly. It can only be edited using the rails credentials:edit command.
What often throws me for a loop is that a prerequisite to using rails credentials:edit is having the EDITOR environment variable set, which on a fresh production machine I usually don’t. I’m a Vim guy, so I run export EDITOR=vim and then I’m good to go. Then I can run rails credentials:edit and the command will open the credential file, decrypted, in Vim.
secrets.yml is obsolete
If you find something online that refers to secrets.yml, you’re looking at an old post. Before Rails 5.2, there was a secrets.yml and secrets.yml.enc instead of the new credentials-related files. Don’t make the mistake of conflating Rails secrets with Rails credentials (like I did several times before learning better!).
The steps for setting up credentials in production
- Take the same master key you’re using in development and put it either in config/master.key or the RAILS_MASTER_KEY environment variable.
- Set the EDITOR environment variable to your favorite terminal-based editor.
- Run rails credentials:edit to verify that your master key is working properly.
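An added, runnable illustration (not the post's code and not Rails' own implementation) of the two points above: the production master key must be the identical string, and rails credentials:edit is at bottom a decryption check. It mirrors the layout Rails uses (AES-128-GCM, the hex key packed to raw bytes, three --joined Base64 parts) but encrypts the YAML text directly rather than a serialized object, so it is a teaching stand-in, not byte-compatible with a real credentials.yml.enc; the key values and YAML are constructed.

```ruby
require "openssl"
require "base64"

# Stand-in for how Rails turns the 32-hex-char master key into the 16-byte
# AES-128-GCM key. Rails reads RAILS_MASTER_KEY first, then config/master.key.
def resolve_master_key(env: ENV, key_file: "config/master.key")
  key = env["RAILS_MASTER_KEY"]
  key = File.read(key_file).strip if key.nil? && File.exist?(key_file)
  raise "no master key: set RAILS_MASTER_KEY or create #{key_file}" if key.nil?
  [key].pack("H*") # hex text -> raw bytes
end

# Encrypt a YAML string into the "ciphertext--iv--auth_tag" layout
# (each part strict Base64) that credentials.yml.enc uses.
def encrypt_credentials(yaml, raw_key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = raw_key
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(yaml) + cipher.final
  [data, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Decrypt with a given key. A different key (or a tampered file) fails the
# GCM tag check and raises OpenSSL::Cipher::CipherError, which Rails
# surfaces as ActiveSupport::MessageEncryptor::InvalidMessage.
def decrypt_credentials(blob, raw_key)
  data, iv, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = raw_key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final
end

# The check behind "run rails credentials:edit to verify the key":
# :ok when the key opens the file, :wrong_key when it does not.
def verify_master_key(blob, raw_key)
  decrypt_credentials(blob, raw_key)
  :ok
rescue OpenSSL::Cipher::CipherError
  :wrong_key
end

# Constructed sample values, not real keys or credentials.
DEV_KEY   = "0123456789abcdef0123456789abcdef"
OTHER_KEY = "fedcba9876543210fedcba9876543210"
SAMPLE_YAML = "aws:\n  access_key_id: EXAMPLE_ID\n  secret_access_key: EXAMPLE_SECRET\n"
```

Encrypting SAMPLE_YAML under DEV_KEY and calling verify_master_key with DEV_KEY returns :ok, while OTHER_KEY returns :wrong_key, which is exactly the failure a mismatched production key produces.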
Helpful links
I hope my credentials guide is the new best guide on the internet but I’ll link to the sources that helped me put this together.
- Securing Rails Applications (official Rails guide)
- Rails 5.2 release notes
- DHH’s credentials pull request
- Stefan Wintermeyer’s credentials post
Best of luck with your credential management endeavors.