What this feature is for
The credentials feature is a way of storing secrets that you don’t want to keep in plaintext, like AWS credentials for example. (In fact, the one and only thing I keep in my main Rails project’s credentials are my Active Storage AWS credentials.)
Why the credentials feature is difficult to learn about
I personally have found Rails credentials really hard to understand. I think there are three reasons why this is.
- The official Rails docs about the credentials feature are a little terse and not easily discoverable.
- The feature changed somewhat drastically from Rails 4 to Rails 5, even changing names from “secrets” to “credentials”.
- I only need to use the feature once in a while, when I’m deploying an application for the first time, meaning there’s lots of time in between to forget everything I knew.
How to work with credentials without frustration
There are perhaps five important things to understand about credentials:
Credentials are stored in config/credentials.yml.enc
At the risk of stating the obvious, your secrets are stored in config/credentials.yml.enc. That file is encrypted.
There of course needs to be a way to securely decrypt this encrypted file. That’s done using something called a master key. The master key is just a hash string that gets stored in one of two places: a file called config/master.key (which should NOT be committed to version control) or a RAILS_MASTER_KEY environment variable.
The development master key and production master key are the same
A key thing to understand, which I found counterintuitive, is that the master key you use in production should be the same as the master key you use in development. If your development master key is stored in config/master.key, create an identical config/master.key on production, containing the same exact key. If your development master key is stored in the RAILS_MASTER_KEY environment variable, set the production RAILS_MASTER_KEY to the exact same value.
I found this counterintuitive because usually I try to make all my passwords, etc. different for each environment I have. I thought I would need to create a different master key for my production environment. No, I need to not create a different master key.
The credentials.yml.enc file is edited in a special way
Since it’s encrypted, the config/credentials.yml.enc file can’t be edited directly. It can only be edited using the rails credentials:edit command.
What often throws me for a loop is that a prerequisite to using rails credentials:edit is having the EDITOR environment variable set, which on a fresh production machine I usually don’t have. I’m a Vim guy, so I run export EDITOR=vim and then I’m good to go. Then I can run rails credentials:edit and the command will open the credential file, decrypted, in Vim.
secrets.yml is obsolete
If you find something online that refers to secrets.yml, you’re looking at an old post. Before Rails 5.2, there was a secrets.yml and secrets.yml.enc instead of the new credentials-related files. Don’t make the mistake of conflating Rails secrets with Rails credentials (like I did several times before learning better!).
The steps for setting up credentials in production
- Take the same master key you’re using in development and put it either in config/master.key or the RAILS_MASTER_KEY environment variable.
- Set the EDITOR environment variable to your favorite terminal-based editor.
- Run rails credentials:edit to verify that your master key is working properly.
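To make the two points above concrete (the file is encrypted, and production must use the exact same master key as development), here is an added Ruby illustration that is not Rails' own code: it resolves the key from RAILS_MASTER_KEY or config/master.key the way the post describes, then shows with plain OpenSSL that a credentials blob encrypted under one 32-hex-character master key cannot be decrypted under a different one. The blob layout (ciphertext--iv--tag, base64) and the `env:`/`root:` parameters are assumptions made for this example.

```ruby
require "openssl"
require "yaml"

# Resolve the master key the way the post says Rails looks for it:
# RAILS_MASTER_KEY in the environment first, otherwise config/master.key.
# `env` and `root` are parameters (an assumption for this example) so the
# lookup can be exercised offline without touching the real environment.
def resolve_master_key(env: ENV, root: Dir.pwd)
  key = env["RAILS_MASTER_KEY"]
  path = File.join(root, "config", "master.key")
  key ||= File.read(path).strip if File.exist?(path)
  raise "master key not found (set RAILS_MASTER_KEY or create config/master.key)" if key.nil? || key.empty?
  raise "master key must be 32 hex characters" unless key.match?(/\A\h{32}\z/)
  key
end

# Encrypt a YAML document with AES-128-GCM, using the 32 hex chars of the
# master key as the 16-byte key. Output format is constructed for this
# example: base64(ciphertext)--base64(iv)--base64(auth tag).
def encrypt_credentials(plaintext_yaml, master_key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [master_key].pack("H*") # hex string -> raw bytes
  iv = cipher.random_iv
  data = cipher.update(plaintext_yaml) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypt the blob. With a different key the GCM tag check fails and
# OpenSSL::Cipher::CipherError is raised: no key, no credentials.
def decrypt_credentials(blob, master_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = [master_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(data) + cipher.final
end

# The round trip a deploy exercises: decrypt, then parse the YAML into a hash.
def read_credentials(blob, master_key)
  YAML.safe_load(decrypt_credentials(blob, master_key))
end
```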
Helpful links
I hope my credentials guide is the new best guide on the internet but I’ll link to the sources that helped me put this together.
- Securing Rails Applications (official Rails guide)
- Rails 5.2 release notes
- DHH’s credentials pull request
- Stefan Wintermeyer’s credentials post
Best of luck with your credential management endeavors.