Understanding Rails secrets/credentials

栏目: IT技术 · 发布时间: 4年前

内容简介:The credentials feature is a way of storing secrets that you don’t want to keep in plaintext, like AWS credentials for example. (In fact, the one and only thing I keep in my main Rails project’s credentials are my Active Storage AWS credentials.)I personal

What this feature is for

The credentials feature is a way of storing secrets that you don’t want to keep in plaintext, like AWS credentials for example. (In fact, the one and only thing I keep in my main Rails project’s credentials are my Active Storage AWS credentials.)

Why the credentials feature is difficult to learn about

I personally have found Rails credentials really hard to understand. I think there are three reasons why this is.

  1. The official Rails docs about the credentials feature are a little terse and not easily discoverable.
  2. The feature changed somewhat drastically from Rails 4 to Rails 5, even changing names from “secrets” to “credentials”.
  3. I only need to use the feature once in a while, when I’m deploying an application for the first time, meaning there’s lots of time in between to forget everything I knew.

How to work with credentials without frustration

There are perhaps five important things to understand about credentials:

  • Where they’re stored
  • How the master key works
  • How editing credentials work
  • What the deal is with secrets.yml
  • The steps you need to take to set up credentials on a fresh production machine
  • Credentials are stored in config/credentials.yml.enc

    At the risk of stating the obvious, your secrets are stored in config/credentials.yml.enc . That file is encrypted.

    There of course needs to be a way to securely decrypt this encrypted file. That’s done using something called a master key . The master key is just a hash string that gets stored in one of two places: a file called config/master.key (which should NOT be committed to version control) or a RAILS_MASTER_KEY environment variable.

    The development master key and production master key are the same

    A key thing to understand, which I found counterintuitive, is that the master key you use in production should be the same as the master key you use in development . If your development master key is stored in config/master.key , create an identical config/master.key on production, containing the same exact key. If your development master key is stored in the RAILS_MASTER_KEY environment variable, set the production RAILS_MASTER_KEY to the exact same value.

    I found this counterintuitive because usually I try to make all my passwords, etc. different for each environment I have. I thought I would need to create a different master key for my production environment. No, I need to not create a different master key.

    The credentials.yml.enc file is edited in a special way

    Since it’s encrypted, the config/credentials.yml.enc file can’t be edited directly. It can only be edited using the rails credentials:edit command.

    What often throws me for a loop is that a prerequisite to using rails credentials:edit is having the EDITOR environment variable set, which on a fresh production machine I usually don’t. I’m aVim guy, so I run export EDITOR=vim and then I’m good to go. Then I can run rails credentials:edit and the command will open the credential file, decrypted, in Vim.

    secrets.yml is obsolete

    If you find something online that refers to secrets.yml , you’re looking at an old post. Before Rails 5.2 , there was a secrets.yml and secrets.yml.enc instead of the new credentials-related files. Don’t make the mistake of conflating Rails secrets with Rails credentials (like I did several times before learning better!).

    The steps for setting up credentials in production

    1. Take the same master key you’re using in development and put it either in config/master.key or the RAILS_MASTER_KEY environment variable.
    2. Set the EDITOR environment variable to your favorite terminal-based editor.
    3. Run rails credentials:edit to verify that your master key is working properly.

    Helpful links

    I hope my credentials guide is the new best guide on the internet but I’ll link to the sources that helped me put this together.

    Best of luck with your credential management endeavors.

    Become a Better Rails Developer

    Get Rails tips delivered to your inbox about once a week.

    No spam, unsubscribe anytime.

    •  
    •  
    •  
    • 2

    以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

    查看所有标签

    猜你喜欢:

    本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

    超级IP

    超级IP

    吴声 / 中信出版集团 / 2016-7 / 49.00元

    一切商业皆内容,一切内容皆IP! 从迪士尼、airbnb、YouTube、Instagram到微信、Papi酱、芈月传、鹿晗,IP浪潮席卷全球,这不仅仅是互联网领域的革命,更是未来商业的游戏新规则。 IP从泛娱乐形态快速渗透新商业生态全维度,正深化为不同行业共同的战略方法,甚至是一种全新的商业生存方式,即IP化生存。 超级IP的内核,是辨识度极高的可认同的商业符号,它意味着一种对......一起来看看 《超级IP》 这本书的介绍吧!

    RGB CMYK 转换工具
    RGB CMYK 转换工具

    RGB CMYK 互转工具

    HEX HSV 转换工具
    HEX HSV 转换工具

    HEX HSV 互换工具