Quick-Start Guide to Environment Credentials in Rails 6

Allene Norton
Jan 12, 2021

A quick-start guide for setting and accessing credentials for Rails environments

Rails Credentials: What are they, and why use them?

Rails provides a way to store sensitive information (passwords, API keys, etc.) in an encrypted YAML file (config/credentials.yml.enc). New in Rails 6 is the ability to store separate credentials for each environment. This guide quickly explains how to encrypt sensitive environment variables and read them in your code. I prefer this method to using a gem such as dotenv, as I find it easier to use with all environments and verify that the credentials are accessible through the rails console. Dotenv is a great gem and it is still a good choice for accessing development environment variables.

Setting Credentials

Setting up your credentials isn’t as simple as opening the ‘credentials.yml.enc’ file, as the data in that file is already encrypted. You’ll need to access it through an appropriate editor; I personally use Vim. To set your credentials, follow the instructions below:

  • Run the command ‘EDITOR=vim rails credentials:edit’
  • Press ‘i’ to begin editing the file
  • Move the cursor to the end of the ‘secret_key_base’ line and press enter
  • Set your key, followed by a colon and a space, then set your value
example credentials edit in Vim
  • To nest your credentials, set a top level key, then go to the next line and indent 4 spaces to set your inner key-value pairs
example of nested credentials edit in Vim
  • When finished adding your credentials, press ‘esc’ then type ‘:wq’ to save and quit the editor. If successful, you will see ‘File encrypted and saved.’ in your logs.

Accessing Credentials

I like to test accessing my credentials in the rails console before inserting them into my code.

Testing

  • Run the command ‘rails c’ to start the console.
  • In the console, run ‘Rails.application.credentials’ to see a list of all credentials stored in your credentials.yml.enc file
  • To check top-level credential values, run ‘Rails.application.credentials.your_variable_key’
example top-level credential access in rails console
  • To check nested credential values, run ‘Rails.application.credentials.your_variable_key[:your_variable]’
example nested credential access in rails console

Implementation

Accessing your newly-encrypted secrets in your code is as simple as calling the same commands you used to check your access in the console. Simply use the code ‘Rails.application.credentials.example_app[:CLIENT_SECRET]’ in place of the actual value where you need to access it in your project.

If I have a use case that requires access to these environment variables throughout the project, I like to set up a file in ‘config/initializers’. For this example, I created a file ‘config/initializers/example_app.rb’, created the necessary variables I need to access throughout my app, and assigned them to the values stored in Rails credentials.

example global variable set to top-level values stored in Rails credentials in ‘config/initializers/example_app.rb’
example global variable set to nested values stored in Rails credentials in ‘config/initializers/example_app.rb’

There are, of course, many ways to use and access your encrypted secrets throughout your Rails app once you’ve set them; the use of an initializer is only one example.
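
One way to write such an initializer so that a missing or misplaced key stops the app at boot instead of surfacing later as a nil error, shown as an added example that is not the article's own code. The ‘ExampleApp’ module, the ‘CLIENT_ID’ key and the ‘load_credentials’ helper are hypothetical, and a plain Hash stands in for ‘Rails.application.credentials’ so the snippet runs without Rails.

```ruby
# Added example, not the article's code. ExampleApp, CLIENT_ID and
# load_credentials are hypothetical names chosen for illustration.
module ExampleApp
  class MissingCredential < StandardError; end

  # Name used in the app => path inside the credentials file.
  REQUIRED = {
    client_id:     %i[example_app CLIENT_ID],
    client_secret: %i[example_app CLIENT_SECRET]
  }.freeze

  # store: any object that responds to #dig. In config/initializers/example_app.rb
  # that would be Rails.application.credentials; here a Hash stands in for it.
  def self.load_credentials(store, required = REQUIRED)
    missing = []
    values = required.each_with_object({}) do |(name, path), found|
      value = lookup(store, path)
      if value.to_s.strip.empty?
        missing << path.join(".")   # record the key path, never the value
      else
        found[name] = value.to_s.dup.freeze
      end
    end
    unless missing.empty?
      raise MissingCredential, "missing credentials: #{missing.join(', ')}"
    end
    values.freeze
  end

  # dig raises TypeError when a parent key holds a scalar instead of a
  # nested mapping; treat that the same as a missing key.
  def self.lookup(store, path)
    store.dig(*path)
  rescue TypeError
    nil
  end
end

# Constructed sample data standing in for a decrypted credentials file.
SAMPLE_OK  = { secret_key_base: "x" * 16,
               example_app: { CLIENT_ID: "abc123", CLIENT_SECRET: "s3cr3t" } }.freeze
SAMPLE_BAD = { secret_key_base: "x" * 16, example_app: "abc123" }.freeze

EXAMPLE_APP = ExampleApp.load_credentials(SAMPLE_OK)
puts EXAMPLE_APP.keys.inspect
```

The error message lists only key paths, so a failed boot does not write secret values to the logs.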

Environment Credentials

In Rails 6, it is now best practice to create separate encrypted credentials files for all of your environments.

Setting Environment Credentials

To set credentials for a specific environment, you simply need to add the flag ‘-e <environment>’ after your rails commands.

example edit command for dev environment
example console command for production environment

Running the ‘EDITOR=vim rails credentials:edit -e <environment>’ command will automatically create two files:

  • config/credentials/<environment>.yml.enc
  • config/credentials/<environment>.key

This is very helpful for production deployment. For example, if you are deploying using Heroku, you only need to set ‘RAILS_PRODUCTION_KEY’ in your Heroku environment variables and set the value to the string stored in ‘config/credentials/production.key’ and encrypt.

You can also do it from the Heroku CLI using the master key with this command: heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`

I hope this article can help people who were as confused about Rails credentials as I was when I started learning Rails! Happy coding :)
