Tuesday, 13 January 2015

Handling and Deploying credentials in Rails4

Every web application uses credentials of some sorts - e.g. to access a database or third-party services such as Amazon Web Services, email processing applications such as Mandrill, MailChimp or SendGrid, etc. The consensus is that it is a bad practice to check these in code repositories. All workflows involve a variation of storing these credentials in the local file system (either as configuration files or in files used to set up environment variables). In Rails there is an ecosystem of solutions created to make this process as smooth as possible. Just to mention a few:

- the dotenv gem
- the figaro gem
- the rbenv-vars plugin

I looked at each but of these and at a number of other ad-hoc workflows based on, more or less, the same ideas.

They would solve the problem but I found each to be somewhat inelegant. I was looking for a solution that makes both reading in the credentials and their deployment as smooth as possible. So I came up with the following workflow:

1. create config/secrets.yml

Since 4.1 secrets.yml is supposed to be the "official" container of sensitive data.

2. Put it in .gitignore

Surprisingly, this is not done yet by default when you start with a scaffold.

3. Use econfig to read in the credentials in the application

The econfig link above explains the changes that need to be made in the code base - and they are really minimal.

In essence, econfig reads in by default a number of files that might contain credentials - including config/secrets.yml. It makes it possible to refer to these in the application as
4. Use capistrano-secrets-yml to deploy config/secrets.yml in production

This workflows seems really very minimal - the two gems complement each other nicely and make the process smooth - I tested it and I am happy with it.

No comments:

Post a Comment