How to use Credentials in Ruby on Rails 6? TLDR
See complete version of this article
create credentials & edit: #
rails credentials:edit
EDITOR=vim rails credentials:edit
rails credentials:show
EDITOR='code --wait' rails credentials:edit --environment=development
EDITOR='code --wait' rails credentials:edit --environment=production
see credentials diff #
Create a .gitattributes file in your Rails root folder & add these lines:
# See https://git-scm.com/docs/gitattributes for more about git attribute files.
# Mark the database schema as having been generated.
db/schema.rb linguist-generated
# Mark any vendored files as having been vendored.
vendor/* linguist-vendored
+config/credentials/*.yml.enc diff=rails_credentials
+config/credentials.yml.enc diff=rails_credentials
Now you will see credentails diff!
config/credentials.yml example: #
awss3:
access_key_id: YOUR_CODE_FOR_S3_STORAGE
secret_access_key: YOUR_CODE_FOR_S3_STORAGE
google_analytics: YOUR_CODE_FOR_GOOGLE_ANALYTICS
recaptcha:
site_key: YOUR_CODE_FOR_RECAPTCHA
secret_key: YOUR_CODE_FOR_RECAPTCHA
google_oauth2:
client_id: YOUR_CODE_FOR_OAUTH
client_secret: YOUR_CODE_FOR_OAUTH
development:
github:
client: YOUR_CODE_FOR_OAUTH
secret: YOUR_CODE_FOR_OAUTH
stripe:
publishable: YOUR_STRIPE_PUBLISHABLE
secret: YOUR_STRIPE_SECRET
production:
github:
client: YOUR_CODE_FOR_OAUTH
secret: YOUR_CODE_FOR_OAUTH
stripe:
publishable: YOUR_STRIPE_PUBLISHABLE
secret: YOUR_STRIPE_SECRET
facebook:
client: YOUR_CODE_FOR_OAUTH
secret: YOUR_CODE_FOR_OAUTH
working with VIM #
To enable editing press i
For exiting with saving press Esc & :wq & Enter
For exiting without saving press Esc & :q! & Enter
To make Ctrl+V work properly Esc & :set paste & i & Ctrl + V`
- Example of using credentials in
devise.rb:
config.omniauth :github, Rails.application.credentials.dig(Rails.env.to_sym, :github, :id), Rails.application.credentials.dig(Rails.env.to_sym, :github, :secret)
or
if Rails.application.credentials[Rails.env.to_sym].present? && Rails.application.credentials[Rails.env.to_sym][:github].present?
config.omniauth :github, Rails.application.credentials[Rails.env.to_sym][:github][:id], Rails.application.credentials[Rails.env.to_sym][:github][:secret]
end
Example of using credentials in stripe.rb: #
Stripe.api_key = Rails.application.credentials.dig(:stripe, :secret)
HINT: using .dig is safer #
find a credential #
rails c
Rails.application.credentials.dig(:aws, :access_key_id)
Rails.application.credentials[Rails.env.to_sym][:aws][:access_key_id]
Rails.application.credentials.some_variable
Rails.application.credentials[:production][:aws][:id]
Rails.application.credentials.production[:aws][:id]
See credentials changes in local git: #
rails credentials:diff --enroll
git diff config/credentials.yml.enc
Credentials for different environments #
EDITOR=vim bin/rails credentials:edit --environment development
will generate
config/credentials/development.yml.enc
config/credentials/development.key
Set master.key in production (heroku): #
By default master.key is in .gitignore
heroku config:set RAILS_MASTER_KEY=123456789
heroku config:set RAILS_MASTER_KEY=`cat config/master.key`
heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`
Bonus: in config/environments/production.rb uncomment config.require_master_key = true
The config/credentials.yml file should NOT be in gitignore.
The config/master.key that decrypts the credentials SHOULD be in gitignore.
Did you like this article? Did it save you some time?