Rails multi environment credentials

-

Background

Generally in applications there are various secrets and credentials, that we need to make use of like API keys, secrets, etc. For such secrets we need the ability to conveniently and securely manage credentials.

Rails 5.1 added a feature to use secrets to manage credentials.

Rails 5.2 replaced secrets with credentials, since encrypted and un-encrypted secrets were making it harder to manage them.

A set of files were used to manage these credentials:

  • config/credentials.yml.enc
  • config/master.key

config/credentials.yml.enc is an encrypted file which store the credentials. As this is a encrypted file, we can safely commit it to our version control systems.

config/master.key contains RAILS_MASTER_KEY which is used to decrypt the config/credentials.yml.encWe should not commit this file to version control.

Interacting with credentials
As config/credentials.yml.enc is encrypted we should never directly read from or write to it. Instead, we will use utilities provided by Rails which abstract encryption and decryption process for us.

How to add/update credentials?
We can edit the credentials by running the following command:

$ EDITOR=vim rails credentials:edit

This will open a vim editor with the decrypted version of the credentials file.

We can add new credentials in YAML format. Lets add the following lines, save the changes, and exit.

aws:
    secret_access_key: 123456
    RDS_DATABASE=db_name
    RDS_USERNAME=db_username
    RDS_PASSWORD=db_password
    RDS_HOST=db-host.rds.amazonaws.com
github:
    app_id: 123
    app_secret: 345
secret_key_base:
    ...
production:
    ...

When we save it, it encrypts again using the same master key.

If default editor is not set and we haven’t specified the editor, then we get the following message:

$ rails credentials:edit
No $EDITOR to open file in. Assign one like this:

EDITOR="mate --wait" bin/rails credentials:edit
For editors that fork and exit immediately, it's important to pass a wait flag,
otherwise the credentials will be saved immediately with no chance to edit.

How to read credentials?

We can now access the credentials in the following way:

> Rails.application.credentials.config
#=> {:aws=>{:secret_access_key=>"123456", :RDS_DATABASE=>"db_name", :RDS_USERNAME=>"db_username", ...}, :github=>{:app_id=>"123", :app_secret=>"345"}, ...}
> Rails.application.credentials.github
#=> {:app_id=>"123", :app_secret=>"345"}
> Rails.application.credentials.github[:app_id]
#=> "123"

Managing multi environment credentials before Rails 6

There was no built in support for multiple environment credentials before Rails 6. We could manage credentials for different environments but it was upto us to explicitly specify which set of credentials to use for a specific environment.

We could store the credentials in a single file as below:

development:
    aws:
        secret_access_key: 123456
        RDS_DATABASE=db_name
        RDS_USERNAME=db_username
        RDS_PASSWORD=db_password
        RDS_HOST=db-host.rds.amazonaws.com

production:
    aws:
        secret_access_key: M0KZLSAwmkokAHXVVKS5SgTUP4ennqhi
        RDS_DATABASE=db_name_pro
        RDS_USERNAME=db_username_prod
        RDS_PASSWORD=db_password_prod
        RDS_HOST=db-host-prod.rds.amazonaws.com

Then, config can be accessed using the following command:

> Rails.application.credentials[Rails.env.to_sym][:aws][:RDS_DATABASE]
#=> "db_name"

There are some problems with this approach:

  • There is just 1 master key and everyone on the development team had access to it. Which means everyone on the development team had access to production environment.
  • We needed to explicitly specify which environment credentials to use in the code.

Another way to manage environment specific credentials was by creating environment specific files. For example, we can create config/staging.yml.enc for staging environment and config/production.yml.enc for production environment. To read config from these files, Rails 5.2 provided encrypted method to support for managing multiple credentials files.

This approach involved writing even more boiler plate code to manage the keys and the encrypted files for every environment.

In Rails 6

Now, Rails 6 has added support for multi environment credentials.

It provides utility to easily create and use environment specific credentials. Each of these have their own encryption keys.

Global Credentials

The changes added in the above PR are backwards compatible. If environment specific credentials are not present then rails will use the global credentials and master key which are represented by following files:

  • config/credentials.yml.enc
  • config/master.key

We use the global configuration only for development and test environments. We share the config/master.key with our entire team.

Create credentials for production environment

To create credentials for production environment, we can run the following command:

$ rails credentials:edit --environment production

The above command does the following:

  • Creates config/credentials/production.key if missing. Don’t commit this file to VCS.
  • Creates config/credentials/production.yml.enc if missing. Commit this file to VCS.
  • Decrypts and opens the production credentials file in the default editor.

We share the production.key with limited members of our team who have access for production deployment.

Let’s add following credentials and save:

aws:
    secret_access_key: M0KZLSAwmkokAHXVVKS5SgTUP4ennqhi
    RDS_DATABASE=db_name_prod
    RDS_USERNAME=db_username_prod
    RDS_PASSWORD=db_password_prod
    RDS_HOST=db-host-prod.rds.amazonaws.com

Similarly we can create credentials for different environment like staging.

Using the credentials in Rails

For any environment Rails automatically detects which set of credential to use. Environment specific credentials will take precedence over global credentials. If environment specific credentials are present, they will be used else Rails will default to global credentials.

For development:

$ rails c
> Rails.application.credentials.config
#=> {:aws=>{:secret_access_key=>"123456", :RDS_DATABASE=>"db_name", ...} }}
> Rails.application.credentials.aws[:access_key_id]
#=> "123"

For production:

$ RAILS_ENV=production rails c
> Rails.application.credentials.config
#=> {:aws=>{:secret_access_key=>"M0KZLSAwmkokAHXVVKS5SgTUP4ennqhi", :RDS_DATABASE=>"db_name_prod", ...}}
> Rails.application.credentials.aws[:access_key_id]
#=> "1f3649fe-ebbd-11e9-81b4-2a2ae2dbcce4"

Storing encryption key in environment variables

We can also set the value of the encryption key in RAILS_MASTER_KEY environment variable.
If RAILS_MASTER_KEY is set, we don’t need to create the *.key files. Rails will auto detect this environment variable and use it to encrypt/decrypt the credential files.
The environment variable can be used for example on Heroku or similar platforms.

# Setting master key on Heroku
heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`

Buy Me A Coffee

Comments

Post a Comment

Popular posts from this blog

Installing the Certbot Let’s Encrypt Client for NGINX on Amazon Linux 2

-
Image
Installing the Certbot Let’s Encrypt Client The certbot package is not available through the package manager by default. You will need to enable the  EPEL  repository to install Certbot. sudo yum install epel-release sudo yum install certbot-nginx Set Up NGINX certbot  can automatically configure  NGINX  for SSL/TLS. It looks for and modifies the server block in your  NGINX  configuration that contains a server_name directive with the domain name you’re requesting a certificate for. In our example, the domain is  www.mydomain.com . Assuming you’re starting with a fresh NGINX install, use a text editor to create a file in the  /etc/nginx/conf.d  directory named  domain_name.conf  (so in our example, www.mydomain.com.conf). Specify your domain name (and variants, if any) with the  server_name  directive: server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; server_name myd...
Read more

Deploy Nuxt.js app using Apache 2

-
  Deploy your dynamic Nuxt.js app Nuxt.js is an amazing server side rendering application framework for Vue.js. In this article we will see how to deploy Nuxt.js application to AWS instance in universal app mode. Where in Nuxt.js you can choose between Universal, Static Generated or Single Page application. Before we start deploying our dynamic app, if you want just to deploy a static website, you can run this command: npm run generate and it will generate the files and put them in  dist  folder which you can upload to any server you want. But this will not work for universal apps. 1. Build your app To build a ssr app you need to run the following command: npm run build The generated files will not be in the  dist  folder as for the static app, but you can find all generated files in  .nuxt  folder which will be the entry point. 2. Upload to the server There are two ways to do this upload your whole application with the source code or just upload the n...
Read more

psql: error: connection to server at "localhost" (127.0.0.1), port 5433 failed: ERROR: failed to authenticate with backend using SCRAM DETAIL: valid password not found

-
Image
ERROR psql: error: connection to server at "localhost" (127.0.0.1), port 5433 failed: ERROR: failed to authenticate with backend using SCRAM DETAIL: valid password not found Since Pgpool-II is a PostgreSQL proxy that works between clients and PostgreSQL servers, the authentication comprises two steps: Authentication between client and Pgpool-II Authentication between Pgpool-II and PostgreSQL servers Starting with Pgpool-II 4.0, Pgpool-II supports scram-sha-256 authentication. scram-sha-256 authentication method is strongly recommended because it is the most secure password-based authentication method. Solution 1 If PostgreSQL servers require  MD5  or  SCRAM  authentication for some user’s authentication but the password for that user is not present in  pool_passwd , then enabling  allow_clear_text_frontend_auth  will allow the  Pgpool-II  to use clear-text-password authentication with user to get the password in plain text form from the user ...
Read more