How to switch from secrets to credentials (Ruby on Rails)

Credentials in Ruby on Rails 5.2.0 are the new gold standard. The good old but insecure .env files are giving way. In this article, you will learn:

  • why and how to go from secrets to credentials,
  • how to use API keys in Ruby, YML and js.erb,
  • how to give the key to each member of the team once and for all.


Some three years ago, David Heinemeier Hansson, the creator of the Ruby on Rails framework, tweeted about the arrival of Rails 5.2.0, but new technologies often take time to gain traction and publicity.



Consider it a wake-up call if you have to juggle API keys too often, swapping them with other developers on your team. Then it's time to take another look at how credentials can be used in a Ruby on Rails application.



Why use credentials instead of secrets?



As a project develops, more and more external services are integrated into it, and each of them has its own API key. It usually takes very little time before colleagues start hunting for the latest API key. This is very annoying!



Or just imagine the API key gets updated. Every developer on the team has to update the key separately in their local dotenv file. That hardly matches the spirit of automation that programming is about, right?



Forget about exchanging API keys in Slack chats or email. You no longer have to violate your security policy.



Credentials in Rails solve this problem simply and efficiently: the keys are committed to GitHub.

Committed to GitHub? Yes, committed to GitHub! Small note: the API keys are fully encrypted.



The big advantage of this approach is that there is one single key to share with the team. And it never changes!



New API keys added by your peers as credentials arrive from GitHub every time you pull the latest version of the main branch (formerly called the "master branch").



That one key lives in the file config/master.key.



How does it work?

Running bin/rails credentials:edit in Rails creates the two required files in the config folder:

  • credentials.yml.enc
    stores all your API keys. In case you're curious, the .enc extension stands for "encrypted".
  • master.key
    is the key used to decrypt the encrypted file from item 1. Make sure master.key is listed in .gitignore.

Together with the repository, we push our credentials.yml.enc file to GitHub, where it is in good hands. At the same time, we keep master.key to ourselves and guard it as if our life depended on it!
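To make the two files concrete, here is an added Ruby example (not Rails' own code and not from this article) that mirrors what credentials:edit does underneath: the master key is 16 random bytes written as 32 hex characters, the YAML is encrypted with AES-128-GCM, and the result is stored as base64 parts joined with "--". Rails' real implementation in ActiveSupport adds its own serialization, so blobs are not interchangeable with a real credentials.yml.enc; the function names and the sample YAML are constructed for this example.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "yaml"

# config/master.key holds 16 random bytes written as 32 hex characters.
def generate_master_key
  SecureRandom.hex(16)
end

# Turn the hex string from master.key into the raw 16-byte AES-128 key.
def raw_key(master_key_hex)
  raise ArgumentError, "master key must be 32 hex characters" unless master_key_hex.match?(/\A\h{32}\z/)
  [master_key_hex].pack("H*")
end

# Encrypt the plaintext YAML with AES-128-GCM. The output mirrors the
# "ciphertext--iv--tag" layout: each part base64 encoded, joined with "--".
def encrypt_credentials(plain_yaml, master_key_hex)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = raw_key(master_key_hex)
  iv = cipher.random_iv            # fresh IV per encryption, never reused
  cipher.auth_data = ""
  ciphertext = cipher.update(plain_yaml) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Decrypt the blob. GCM's authentication tag means a wrong master.key or a
# tampered credentials file does not yield garbage: decryption fails and
# we return nil instead.
def decrypt_credentials(blob, master_key_hex)
  parts = blob.split("--")
  return nil unless parts.length == 3
  ciphertext, iv, tag = parts.map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = raw_key(master_key_hex)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Parse the decrypted YAML into a symbol-keyed hash, the shape that makes
# Rails.application.credentials.dig(:stripe, :publishable_key) work.
def load_credentials(blob, master_key_hex)
  yaml = decrypt_credentials(blob, master_key_hex)
  return nil if yaml.nil?
  YAML.safe_load(yaml, symbolize_names: true) || {}
end

if __FILE__ == $PROGRAM_NAME
  master_key = generate_master_key
  # constructed sample content, not real keys
  plain = "stripe:\n  publishable_key: pk_test_example\ngoogle_api_key: example_google_key\n"
  blob = encrypt_credentials(plain, master_key)
  creds = load_credentials(blob, master_key)
  puts "stripe publishable key: #{creds.dig(:stripe, :publishable_key)}"
  puts "wrong key decrypts to: #{load_credentials(blob, generate_master_key).inspect}"
end
```

The point to take away is the authenticated mode: anyone who has credentials.yml.enc but not master.key gets nothing, and an edited ciphertext is rejected rather than silently decrypted to altered keys.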



Switching to credentials

Open the credentials file with the following command in a terminal:

EDITOR='code --wait' bin/rails credentials:edit

Depending on the editor you are using, replace code (VS Code). For example:

vim or vi = Vim

atom = Atom

subl or stt = Sublime

The credentials file automatically opens in the editor and waits for you to edit it and close it again. Move the ENV keys from your .env file into the credentials.yml file.



Replace the old .env file:

STRIPE_PUBLISHABLE_KEY=pk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00t
STRIPE_SECRET_KEY=sk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00tgAAYF
STRIPE_WEBHOOK_SECRET_KEY=whsec_cZpB0VG8cZpB0VG8cZpB0VG8UrgA2gcZpB0VG8cZpB
CLOUDINARY_URL=cloudinary://15031853100444:XOr3XQ-DcZ4dBoan80@DcZ4Boan800U
GOOGLE_API_KEY=S3cAOJVy0WyS3cAOJVy0WyIR9AOJVy0WyIR92e

with credentials.yml:

stripe:
  publishable_key: pk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00tgAAYF
  secret_key: sk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00tgAAYF
  web_hook_secret_key: whsec_cZpB0VG8cZpB0VG8cZpB0VG8UrgA2gcZpB0VG8cZpB

google_api_key: S3cAOJVy0WyS3cAOJVy0WyIR9AOJVy0WyIR92e

cloudinary:
  cloud_name: abcdefg
  api_key: 12345678910
  api_secret: abc315-VG8Ll8VG8Ll8L

Note: the Cloudinary API key is split into several parts, as the Cloudinary documentation describes.



All is ready! To display the credentials, run in a terminal:

bin/rails credentials:show

It's time to say goodbye to our old friend, the .env file. Let's delete it.
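Moving keys by hand is fine for five variables; for a larger .env a small converter saves typos. The Ruby below is an added example, not part of the article: it parses dotenv lines (comments, blank lines, an optional "export" prefix, quoted values) and groups them into the nested layout shown above, where STRIPE_SECRET_KEY becomes stripe: { secret_key: ... } for any group name you pass in and everything else becomes a top-level lowercase key. The group list and the sample .env content are constructed assumptions; paste the resulting YAML into the editor opened by credentials:edit.

```ruby
require "yaml"

# Parse dotenv text into a flat { "NAME" => "value" } hash.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    line = line.sub(/\Aexport\s+/, "")
    name, value = line.split("=", 2)
    next if name.nil? || value.nil?
    value = value.strip
    # strip one pair of matching surrounding quotes
    if value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
      value = value[1..-2]
    end
    env[name.strip] = value
  end
end

# Group variables into the nested layout used by credentials.yml:
# names starting with "<group>_" are nested under that group, the rest
# become top-level keys. Keys are lowercased to match Rails' style.
def dotenv_to_credentials(text, groups)
  parse_dotenv(text).each_with_object({}) do |(name, value), creds|
    key = name.downcase
    group = groups.find { |g| key.start_with?("#{g}_") }
    if group
      (creds[group] ||= {})[key.delete_prefix("#{group}_")] = value
    else
      creds[key] = value
    end
  end
end

# Render the hash as YAML without the leading "---" document marker.
def credentials_yaml(text, groups)
  YAML.dump(dotenv_to_credentials(text, groups)).delete_prefix("---\n")
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample, not real keys
  sample = <<~ENV
    # payment provider
    STRIPE_PUBLISHABLE_KEY=pk_test_example
    export STRIPE_SECRET_KEY="sk_test_example"
    GOOGLE_API_KEY='example_google_key'
  ENV
  puts credentials_yaml(sample, ["stripe"])
end
```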



How to use credentials in different formats: Ruby, YML and JavaScript



Ruby



# nested key
Rails.application.credentials.stripe[:publishable_key]

# single key
Rails.application.credentials.google_api_key





YML

Cloudinary requires an additional config/cloudinary.yml file:

cloudinary:
  service: Cloudinary
  api_key: <%= Rails.application.credentials.dig(:cloudinary, :api_key) %>
  api_secret: <%= Rails.application.credentials.dig(:cloudinary, :api_secret) %>

JavaScript







// Ruby code is only possible with the js.erb format
const abc = "<%= Rails.application.credentials.google_api_key %>"





HTML

<!-- interpolate in a script tag -->
<script src="https://maps.googleapis.com/maps/api/js?key=<%= Rails.application.credentials.google_api_key %>"></script>





How to share keys with a team

Share master.key with the other developers so that they can decrypt the credentials.

Each team member creates a master.key file locally in the config folder and pastes the shared key into it.
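Two things are worth checking once the shared key is in place: that it is picked up from where Rails looks for it, and that it cannot slip into a commit. Rails reads the key from the RAILS_MASTER_KEY environment variable when set (the usual choice on servers and CI) and otherwise from config/master.key. The Ruby below is an added example, not Rails' own code: it reproduces that lookup with a format check, and scans a .gitignore body for a rule covering the key file (Rails generates "/config/master.key" in .gitignore by default). The helper names and the sample inputs are constructed for this example.

```ruby
require "tempfile"

# Resolve the master key the way Rails does: environment variable first,
# then the key file. Returns nil when neither is present and raises when
# the key is present but malformed (e.g. a truncated paste).
def load_master_key(env: ENV, path: "config/master.key")
  key = env["RAILS_MASTER_KEY"]
  key = File.read(path).strip if (key.nil? || key.empty?) && File.exist?(path)
  return nil if key.nil? || key.empty?
  raise ArgumentError, "master key must be 32 hex characters" unless key.match?(/\A\h{32}\z/)
  key
end

# True when a .gitignore body contains a rule that keeps config/master.key
# out of the repository. Comment lines and blank lines are skipped.
def master_key_ignored?(gitignore_text)
  rules = gitignore_text.each_line.map(&:strip).reject { |r| r.empty? || r.start_with?("#") }
  rules.any? { |rule| ["/config/master.key", "config/master.key", "master.key", "*.key"].include?(rule) }
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample key file and .gitignore, not a real project
  file = Tempfile.new("master.key")
  file.write("0123456789abcdef0123456789abcdef\n")
  file.close
  puts "key from file: #{load_master_key(env: {}, path: file.path)}"
  puts "key from env:  #{load_master_key(env: { 'RAILS_MASTER_KEY' => 'f' * 32 }, path: file.path)}"
  puts "ignored?       #{master_key_ignored?("# Ignore master key\n/config/master.key\n")}"
  file.unlink
end
```

Running master_key_ignored? against the project's real .gitignore in CI is a cheap guard: if someone removes the rule while tidying the file, the build fails before the key can be committed.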



Conclusion

Programming becomes more and more fun without the hassle of hunting for the right API keys. Thanks to credentials, we can update the application in line with information security recommendations. Share the master key once and get rid of the tedious copying.

Thanks for your attention!


