Understanding Rails secrets/credentials

栏目: IT技术 · 发布时间: 4年前

内容简介:The credentials feature is a way of storing secrets that you don’t want to keep in plaintext, like AWS credentials for example. (In fact, the one and only thing I keep in my main Rails project’s credentials are my Active Storage AWS credentials.)I personal

What this feature is for

The credentials feature is a way of storing secrets that you don’t want to keep in plaintext, like AWS credentials for example. (In fact, the one and only thing I keep in my main Rails project’s credentials are my Active Storage AWS credentials.)

Why the credentials feature is difficult to learn about

I personally have found Rails credentials really hard to understand. I think there are three reasons why this is.

  1. The official Rails docs about the credentials feature are a little terse and not easily discoverable.
  2. The feature changed somewhat drastically from Rails 4 to Rails 5, even changing names from “secrets” to “credentials”.
  3. I only need to use the feature once in a while, when I’m deploying an application for the first time, meaning there’s lots of time in between to forget everything I knew.

How to work with credentials without frustration

There are perhaps five important things to understand about credentials:

  • Where they’re stored
  • How the master key works
  • How editing credentials work
  • What the deal is with secrets.yml
  • The steps you need to take to set up credentials on a fresh production machine
  • Credentials are stored in config/credentials.yml.enc

    At the risk of stating the obvious, your secrets are stored in config/credentials.yml.enc . That file is encrypted.

    There of course needs to be a way to securely decrypt this encrypted file. That’s done using something called a master key . The master key is just a hash string that gets stored in one of two places: a file called config/master.key (which should NOT be committed to version control) or a RAILS_MASTER_KEY environment variable.

    The development master key and production master key are the same

    A key thing to understand, which I found counterintuitive, is that the master key you use in production should be the same as the master key you use in development . If your development master key is stored in config/master.key , create an identical config/master.key on production, containing the same exact key. If your development master key is stored in the RAILS_MASTER_KEY environment variable, set the production RAILS_MASTER_KEY to the exact same value.

    I found this counterintuitive because usually I try to make all my passwords, etc. different for each environment I have. I thought I would need to create a different master key for my production environment. No, I need to not create a different master key.

    The credentials.yml.enc file is edited in a special way

    Since it’s encrypted, the config/credentials.yml.enc file can’t be edited directly. It can only be edited using the rails credentials:edit command.

    What often throws me for a loop is that a prerequisite to using rails credentials:edit is having the EDITOR environment variable set, which on a fresh production machine I usually don’t. I’m aVim guy, so I run export EDITOR=vim and then I’m good to go. Then I can run rails credentials:edit and the command will open the credential file, decrypted, in Vim.

    secrets.yml is obsolete

    If you find something online that refers to secrets.yml , you’re looking at an old post. Before Rails 5.2 , there was a secrets.yml and secrets.yml.enc instead of the new credentials-related files. Don’t make the mistake of conflating Rails secrets with Rails credentials (like I did several times before learning better!).

    The steps for setting up credentials in production

    1. Take the same master key you’re using in development and put it either in config/master.key or the RAILS_MASTER_KEY environment variable.
    2. Set the EDITOR environment variable to your favorite terminal-based editor.
    3. Run rails credentials:edit to verify that your master key is working properly.

    Helpful links

    I hope my credentials guide is the new best guide on the internet but I’ll link to the sources that helped me put this together.

    Best of luck with your credential management endeavors.

    Become a Better Rails Developer

    Get Rails tips delivered to your inbox about once a week.

    No spam, unsubscribe anytime.

    •  
    •  
    •  
    • 2

    以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

    查看所有标签

    猜你喜欢:

    本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

    x86/x64体系探索及编程

    x86/x64体系探索及编程

    邓志 / 电子工业出版社 / 2012-10-1 / 119.00元

    本书是对Intel手册所述处理器架构的探索和论证。全书共五大部分,从多个方面对处理器架构相关的知识进行了梳理介绍。书中每个章节都有相应的测试实验,所运行的实验例子都可以在真实的机器上执行。 通过阅读本书,读者应能培养自己动手实验的能力。如果再有一些OS方面的相关知识,基本上就可以写出自己简易的OS核心。 本书适合有一定的x86基础知识,且对了解处理器架构及编程感兴趣的读者阅读。一起来看看 《x86/x64体系探索及编程》 这本书的介绍吧!

    RGB转16进制工具
    RGB转16进制工具

    RGB HEX 互转工具

    SHA 加密
    SHA 加密

    SHA 加密工具

    UNIX 时间戳转换
    UNIX 时间戳转换

    UNIX 时间戳转换