@masciugo
Created September 26, 2014 16:48
secrets management in Rails

Rails secrets management with Figaro and Capistrano

Use the figaro gem (or something similar such as dotenv) in every environment, so that the application reads all of its secrets from ENV rather than from files checked into the repository.

The Figaro config/application.yml file holding all the secrets is git-ignored, so on every deployment server I had to create shared/config/application.yml by hand once (owned by the deploy user and readable only by it, chmod 600, since it now carries the database password and the secret token). Capistrano then symlinks it into each release's config/ automatically, by adding to config/deploy.rb:

set :linked_files, %w{config/application.yml}

For development, config/application.yml looks something like this (the values below are development placeholders, not production secrets):

development:
  IBRA_IDS_CONVERTER_HOST: "localhost"
  IBRA_IDS_CONVERTER_PORT: "3001"
  IBRA_IDS_CONVERTER_TOKEN: "fdsdfjhiljlidhfshfshr67rseet4gsd"

  IBRA_DEV_DB: "ibra_development"
  IBRA_DEV_DB_USERNAME: "root"
  IBRA_DEV_DB_PASSWORD: "dfasdf"

  IBRA_SECRET_TOKEN: b3c56aa8deed27f812f149589d7260745b05eb1b8777856eb29992c8cff042f084c1a0ae4a95a3f77032263935ceca5f2e1fe51c1fad7782dfcd7db0e8de21a2

Database credentials are read from the environment as well; config/database.yml is an ERB template, so each value becomes an ENV lookup:

development: &dev
  adapter: mysql2
  encoding: utf8
  reconnect: false
  database: <%= ENV["IBRA_DEV_DB"] %>
  username: <%= ENV["IBRA_DEV_DB_USERNAME"] %>
  password: <%= ENV["IBRA_DEV_DB_PASSWORD"] %>
  socket: /tmp/mysql.sock
  
test: &test
  <<: *dev
  database: ibra_test
  
staging:
  adapter: mysql2
  encoding: utf8
  reconnect: false
  database: <%= ENV["IBRA_STAGING_DB"] %>
  username: <%= ENV["IBRA_STAGING_DB_USERNAME"] %>
  password: <%= ENV["IBRA_STAGING_DB_PASSWORD"] %>
  
production:
  adapter: mysql2
  encoding: utf8
  reconnect: false
  database: <%= ENV["IBRA_PRODUCTION_DB"] %>
  username: <%= ENV["IBRA_PRODUCTION_DB_USERNAME"] %>
  password: <%= ENV["IBRA_PRODUCTION_DB_PASSWORD"] %>
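The two files above depend on each other: database.yml only renders if every ENV key it references for the current environment was provided by application.yml (or by the shell). The following is an added example, not Figaro's or the gist's code: a small stand-in for what Figaro does with application.yml, plus the two pre-boot checks a deploy should run, refusing a secrets file that other users can read and refusing to boot when database.yml references a key nobody set. The module name SecretsCheck, the SAMPLE_* constants and the helper names are chosen for this example; the sample files are constructed copies of the ones on this page with fake values.

```ruby
# Added example, not Figaro's or the gist's code: a minimal stand-in for what
# Figaro does with config/application.yml, plus two pre-boot checks: the file
# must not be readable by other users, and every ENV key that database.yml
# references for the target environment must exist.
require "yaml"
require "tmpdir"

module SecretsCheck
  # Constructed sample inputs modelled on the gist's files (values are fake).
  SAMPLE_APPLICATION_YML = <<~YAML
    development:
      IBRA_DEV_DB: "ibra_development"
      IBRA_DEV_DB_USERNAME: "root"
      IBRA_DEV_DB_PASSWORD: "dev-only-placeholder"
  YAML

  SAMPLE_DATABASE_YML = <<~'ERB'
    development: &dev
      adapter: mysql2
      database: <%= ENV["IBRA_DEV_DB"] %>
      username: <%= ENV["IBRA_DEV_DB_USERNAME"] %>
      password: <%= ENV["IBRA_DEV_DB_PASSWORD"] %>
    test: &test
      <<: *dev
      database: ibra_test
    production:
      adapter: mysql2
      database: <%= ENV["IBRA_PRODUCTION_DB"] %>
      username: <%= ENV["IBRA_PRODUCTION_DB_USERNAME"] %>
      password: <%= ENV["IBRA_PRODUCTION_DB_PASSWORD"] %>
  ERB

  ENV_REF = /ENV\[\s*["']([A-Z0-9_]+)["']\s*\]/

  # Flatten application.yml for one Rails environment: top-level scalars apply
  # everywhere and the environment section overrides them (Figaro's precedence,
  # re-implemented here rather than called). Refuses files other users can read.
  def self.load_application_yml(path, rails_env)
    mode = File.stat(path).mode & 0o777
    if mode & 0o077 != 0
      raise "#{path}: mode #{format('%04o', mode)} is group/world readable; chmod 600 it"
    end
    raw = YAML.safe_load(File.read(path)) || {}
    values = {}
    raw.each { |k, v| values[k.to_s] = v.to_s unless v.is_a?(Hash) }
    (raw[rails_env] || {}).each { |k, v| values[k.to_s] = v.to_s }
    values
  end

  # Export values without clobbering anything the shell or Capistrano already
  # set in the process environment; returns the keys that were left alone.
  def self.apply!(values, env = ENV)
    skipped = []
    values.each do |k, v|
      if env.key?(k) then skipped << k else env[k] = v end
    end
    skipped
  end

  # Map each top-level section of the ERB template (development, test, ...) to
  # the ENV keys its lines reference. A `<<: *anchor` merge inherits the keys of
  # the section that declared `&anchor`, which is how test: reuses &dev above.
  def self.env_keys_by_section(erb_source)
    sections = Hash.new { |h, k| h[k] = [] }
    anchors = {} # anchor name -> section that declared it
    merges = {}  # section -> anchor it merges in
    current = nil
    erb_source.each_line do |line|
      if (m = line.match(/\A([A-Za-z_]\w*):(?:\s*&(\w+))?\s*\z/))
        current = m[1]
        anchors[m[2]] = current if m[2]
      elsif current
        merges[current] = Regexp.last_match(1) if line =~ /<<:\s*\*(\w+)/
        sections[current].concat(line.scan(ENV_REF).flatten)
      end
    end
    merges.each { |sec, anc| sections[sec].concat(sections[anchors[anc]]) if anchors[anc] }
    sections.transform_values(&:uniq)
  end

  def self.missing_keys(required, env = ENV)
    required.reject { |k| env.key?(k) && !env[k].to_s.empty? }
  end

  # The whole pre-boot check: load the file, export it, then confirm database.yml
  # can be rendered for this environment. Raises naming the exact missing keys.
  def self.check!(application_yml_path, database_yml_source, rails_env, env = ENV)
    apply!(load_application_yml(application_yml_path, rails_env), env)
    needed = env_keys_by_section(database_yml_source).fetch(rails_env, [])
    missing = missing_keys(needed, env)
    raise "#{rails_env}: database.yml needs unset ENV keys #{missing.join(', ')}" unless missing.empty?
    true
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    path = File.join(dir, "application.yml")
    File.write(path, SecretsCheck::SAMPLE_APPLICATION_YML)
    File.chmod(0o600, path)
    env = {}
    SecretsCheck.check!(path, SecretsCheck::SAMPLE_DATABASE_YML, "development", env)
    puts "development ok: #{env.keys.sort.join(', ')}"
  end
end
```

Run it from a Capistrano hook (or a Rake task before `db:migrate`) with the real paths and RAILS_ENV; a missing production key then fails the deploy with its name instead of surfacing later as a database login error.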

The same goes for the secret token, in config/initializers/secret_token.rb (the directory is initializers, plural; Rails only loads files from there). Treat this value like a password: anyone who has it can sign their own session cookies, and with the Marshal-based cookie store of Rails 3.x / 4.0 a forged cookie means arbitrary object deserialization on the server. On Rails 4.1 and later the equivalent setting is secret_key_base in config/secrets.yml, which is ERB-processed and can reference ENV in the same way.

Ibra::Application.config.secret_token = ENV['IBRA_SECRET_TOKEN']
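Assigning ENV['IBRA_SECRET_TOKEN'] blindly means a server with the variable unset boots with a nil or empty signing key. The following is an added example, not Rails' or the gist's code, showing what the initializer should check before using the token and why the token has to stay secret: the sign/verify pair re-implements the format Rails 3.x / 4.0 used for cookie sessions (ActiveSupport::MessageVerifier, "base64(payload)--HMAC-SHA1-hex(secret, base64)"), with JSON standing in for Marshal so that verification can never deserialize arbitrary objects. The module name SecretToken and the constant MIN_HEX_CHARS are chosen for this example; the key name IBRA_SECRET_TOKEN is the one used on this page.

```ruby
# Added example, not Rails' or the gist's code. sign/verify mirror the Rails
# 3.x / 4.0 cookie-session format "base64(payload)--HMAC-SHA1-hex(secret, base64)",
# with JSON in place of Marshal so verify never deserializes arbitrary objects.
# SecretToken and MIN_HEX_CHARS are names chosen for this example.
require "openssl"
require "base64"
require "securerandom"
require "json"

module SecretToken
  MIN_HEX_CHARS = 64 # 32 bytes of entropy; `rake secret` prints 128 hex chars

  # What config/initializers/secret_token.rb should do instead of blindly
  # assigning ENV['IBRA_SECRET_TOKEN']: fail fast on a missing or weak value.
  def self.fetch(env = ENV, key = "IBRA_SECRET_TOKEN")
    token = env[key].to_s
    raise "#{key} is not set; generate one with SecretToken.generate" if token.empty?
    unless token.match?(/\A\h{#{MIN_HEX_CHARS},}\z/)
      raise "#{key} must be at least #{MIN_HEX_CHARS} hex characters"
    end
    token
  end

  # Same size as the token `rake secret` produces (and as the one in the gist).
  def self.generate
    SecureRandom.hex(64)
  end

  # Mint a session cookie: anyone holding `secret` can do this, which is the
  # whole reason the token must stay out of the repository.
  def self.sign(session, secret)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{digest(secret, data)}"
  end

  # Verify first, decode second; returns nil on any tampering or wrong secret.
  def self.verify(cookie, secret)
    data, sig = cookie.to_s.split("--", 2)
    return nil unless data && sig && secure_equal(digest(secret, data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def self.digest(secret, data)
    OpenSSL::HMAC.hexdigest("SHA1", secret, data)
  end

  # Constant-time comparison so the MAC cannot be guessed byte by byte.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  secret = SecretToken.fetch({ "IBRA_SECRET_TOKEN" => SecretToken.generate })
  cookie = SecretToken.sign({ "user_id" => 42 }, secret)
  puts "verified with the real secret:    #{SecretToken.verify(cookie, secret).inspect}"
  puts "verified with a different secret: #{SecretToken.verify(cookie, SecretToken.generate).inspect}"
end
```

In the real initializer the one-liner becomes `Ibra::Application.config.secret_token = SecretToken.fetch` (under the hypothetical module name), so a misconfigured server refuses to start instead of signing sessions with an empty key. Rotating the token invalidates every existing session, which is the intended effect after a leak.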

As an alternative, you can skip Figaro and ENV entirely: keep the files that contain secrets, such as config/database.yml and config/initializers/secret_token.rb, out of git, copy them to the deployment servers by hand, and symlink them into each release with Capistrano's linked_files in the same way as above.

references

http://daniel.fone.net.nz/blog/2013/05/20/a-better-way-to-manage-the-rails-secret-token/
http://www.jamesbadger.ca/2012/12/18/generate-new-secret-token/
http://www.gotealeaf.com/blog/managing-environment-configuration-variables-in-rails
