- why and how to go from secrets to credentials,
- how to use API keys in Ruby, YML and js.erb,
- just give the key to each team member once and for all.
As early as 3 years ago, David Heinemeier Hansson, the creator of the Ruby on Rails framework, tweeted about the arrival of Rails 5.2.0, but new features often take time to gain traction and publicity.
If you find yourself juggling API keys too often, swapping them with other developers on your team, consider it a wake-up call: it is time to take another look at how credentials work in a Ruby on Rails application.
Why use credentials instead of secrets?
As a project develops, more and more external services are integrated into it, and each of them has its own API key. It usually takes very little time before colleagues start hunting for the latest API key. This is very annoying!
Or imagine the API key is rotated. Every developer on the team must update the key separately in their local dotenv file. None of this fits the idea of automation that programming is supposed to be about, right?
Forget about exchanging API keys in Slack chats or email. You no longer have to violate your security policy.
Rails credentials solve this problem simply and efficiently: the keys are committed to GitHub.
Committed to GitHub? Yes, committed to GitHub! Small note: the API keys are fully encrypted.
The big advantage of this approach is that there is one single key to share with the team. And it never changes!
New API keys added by your peers as credentials are pulled from GitHub every time you check out the latest version of the main branch (formerly called the "master branch").
That one key lives in the file config/master.key.
How does it work?
Running
bin/rails credentials:edit
in a Rails application creates two files in the config folder:
1. credentials.yml.enc stores all your API keys. In case you're curious, the .enc extension stands for "encrypted".
2. master.key is the key used to decrypt the encrypted file (1). Make sure master.key is listed in .gitignore.
Together with the repository, we push our credentials.yml.enc file to GitHub, where it is in good hands. At the same time, we keep master.key with us and guard it as if our life depends on it!
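To make the mechanism concrete, here is an added Ruby example (not part of the original post and not Rails' own ActiveSupport::EncryptedConfiguration code) that mimics the pattern: a 32-hex-character master key is decoded to raw bytes and used with AES-128-GCM to encrypt a YAML document, and the ciphertext, IV and authentication tag are joined with "--" into one text blob, the kind of opaque content that ends up in credentials.yml.enc. Real Rails' exact on-disk format and internals are not reproduced; the function names, the sample YAML and the .gitignore check are this example's own.

```ruby
require "openssl"
require "securerandom"
require "yaml"

# Illustrative stand-in for the Rails credentials mechanism (constructed for this
# example; not ActiveSupport::EncryptedConfiguration). A 16-byte key, stored as
# 32 hex characters like config/master.key, drives AES-128-GCM.
CIPHER = "aes-128-gcm"

# Generates a master key in the same shape as config/master.key.
def generate_master_key
  SecureRandom.hex(16)
end

# Hex master key -> 16 raw key bytes, rejecting anything of the wrong shape.
def key_bytes(master_key)
  raise ArgumentError, "master key must be 32 hex characters" unless master_key.match?(/\A\h{32}\z/)
  [master_key].pack("H*")
end

# Encrypts the plaintext YAML; the result is "ciphertext--iv--tag", each part
# base64, i.e. one opaque text blob that is safe to commit.
def encrypt_credentials(plain_yaml, master_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key_bytes(master_key)
  iv = cipher.random_iv            # fresh IV per encryption; never reuse one with the same key
  cipher.auth_data = ""
  ciphertext = cipher.update(plain_yaml) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Reverses encrypt_credentials. GCM authenticates the data, so a wrong key or a
# tampered blob raises OpenSSL::Cipher::CipherError instead of yielding garbage.
def decrypt_credentials(blob, master_key)
  ciphertext, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = key_bytes(master_key)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
end

# What Rails.application.credentials ultimately gives you: the decrypted YAML as
# a hash you can `dig` into.
def load_credentials(blob, master_key)
  YAML.safe_load(decrypt_credentials(blob, master_key), symbolize_names: true)
end

# Checks that a .gitignore keeps the master key out of the repository.
def master_key_ignored?(gitignore_text)
  gitignore_text.each_line.map(&:strip).any? { |line| line == "/config/master.key" || line == "config/master.key" }
end

if $PROGRAM_NAME == __FILE__
  key  = generate_master_key
  blob = encrypt_credentials("stripe:\n  publishable_key: pk_test_EXAMPLE\n", key) # constructed sample
  puts blob                                              # this is what would be committed
  p load_credentials(blob, key).dig(:stripe, :publishable_key)
  begin
    decrypt_credentials(blob, generate_master_key)       # a different key: refused
  rescue OpenSSL::Cipher::CipherError => e
    puts "decryption refused: #{e.class}"
  end
end
```

The point to take away is the last part of the demo: because the mode is authenticated, whoever holds only credentials.yml.enc and a wrong key gets an error, not plaintext, which is why committing the encrypted file is acceptable while master.key must stay out of the repository.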
Switching to credentials
Open the credentials file by running the following in a terminal:
EDITOR='code --wait' bin/rails credentials:edit
Depending on the editor you are using, replace code (VS Code) with, for example:
- vim or vi = Vim
- atom = Atom
- subl or stt = Sublime
The credentials file opens automatically in the editor, and Rails waits for you to edit it and close it again (that is what the --wait flag is for). Move the ENV keys you use in the .env file into the credentials file.
Replace the old .env file:
STRIPE_PUBLISHABLE_KEY=pk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00t
STRIPE_SECRET_KEY=sk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00tgAAYF
STRIPE_WEBHOOK_SECRET_KEY=whsec_cZpB0VG8cZpB0VG8cZpB0VG8UrgA2gcZpB0VG8cZpB
CLOUDINARY_URL=cloudinary://15031853100444:XOr3XQ-DcZ4dBoan80@DcZ4Boan800U
GOOGLE_API_KEY=S3cAOJVy0WyS3cAOJVy0WyIR9AOJVy0WyIR92e
with credentials.yml:
stripe:
  publishable_key: pk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00tgAAYF
  secret_key: sk_test_VG8LlUN82DcZS3cAOJVy0WyIR9Jwz0YZkq302MKc00tgAAYF
  web_hook_secret_key: whsec_cZpB0VG8cZpB0VG8cZpB0VG8UrgA2gcZpB0VG8cZpB
google_api_key: S3cAOJVy0WyS3cAOJVy0WyIR9AOJVy0WyIR92e
cloudinary:
  cloud_name: abcdefg
  api_key: 12345678910
  api_secret: abc315-VG8Ll8VG8Ll8L
Note: The Cloudinary API Key is split into several parts according to the documentation.
All is ready! To display the credentials, run in a terminal:
bin/rails credentials:show
It's time to say goodbye to our old friend, the .env file. Let's delete it.
How to use credentials in different formats like Ruby, YML and JavaScript
Ruby
# nested key
Rails.application.credentials.stripe[:publishable_key]
# single key
Rails.application.credentials.google_api_key
YML
Cloudinary requires an additional config/cloudinary.yml file:
cloudinary:
  service: Cloudinary
  api_key: <%= Rails.application.credentials.dig(:cloudinary, :api_key) %>
  api_secret: <%= Rails.application.credentials.dig(:cloudinary, :api_secret) %>
JavaScript
// Ruby code is only possible in the js.erb format
const abc = "<%= Rails.application.credentials.google_api_key %>"
HTML
<!-- interpolate in the script tag -->
<script src="https://maps.googleapis.com/maps/api/js?key=<%= Rails.application.credentials.google_api_key %>"></script>
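As an added example (not from the original post), the following Ruby script shows what the ERB interpolation above actually does, without needing a Rails app: a small hash-backed stand-in plays the role of Rails.application.credentials (supporting the nested, single-key and dig styles shown above), a YAML template of the same shape as the cloudinary fragment is rendered through the standard ERB library and then parsed, and a helper builds the Google Maps script tag while refusing to emit any key whose name contains "secret" into browser-facing markup. The FakeCredentials class, the client_safe? naming convention, the local name credentials in the template and the sample key values are all constructed for this example.

```ruby
require "erb"
require "yaml"

# Hash-backed stand-in for Rails.application.credentials (constructed for this
# example; the real object is ActiveSupport::EncryptedConfiguration).
class FakeCredentials
  def initialize(hash)
    @hash = hash
  end

  # credentials.dig(:cloudinary, :api_key)
  def dig(*keys)
    @hash.dig(*keys)
  end

  # credentials.google_api_key (single key) and credentials.stripe (nested hash)
  def method_missing(name, *args)
    return @hash[name] if args.empty? && @hash.key?(name)
    super
  end

  def respond_to_missing?(name, include_private = false)
    @hash.key?(name) || super
  end
end

# Sample values, constructed for the example (obviously not real keys).
SAMPLE_CREDENTIALS = FakeCredentials.new(
  stripe: { publishable_key: "pk_test_EXAMPLE", secret_key: "sk_test_EXAMPLE" },
  google_api_key: "GOOGLE_KEY_EXAMPLE",
  cloudinary: { cloud_name: "abcdefg", api_key: "12345678910", api_secret: "SECRET_EXAMPLE" }
)

# Same shape as the cloudinary YAML fragment above; `credentials` stands in for
# Rails.application.credentials because this runs outside Rails.
CLOUDINARY_TEMPLATE = <<~YAML
  cloudinary:
    service: Cloudinary
    api_key: <%= credentials.dig(:cloudinary, :api_key) %>
    api_secret: <%= credentials.dig(:cloudinary, :api_secret) %>
YAML

# Rails runs its YAML config files through ERB before parsing them; do the same.
def render_yaml_config(template, credentials)
  rendered = ERB.new(template).result(binding) # `credentials` is reachable via binding
  YAML.safe_load(rendered)
end

# Assumed naming convention for this example: any key path mentioning "secret"
# is server-side only and must never be interpolated into js.erb / html.erb.
def client_safe?(key_path)
  !key_path.join("_").match?(/secret/i)
end

# Builds the Google Maps script tag from a credential, URL-encoding the value
# because it lands in a query string.
def script_tag_for(credentials, *key_path)
  raise ArgumentError, "#{key_path.join('.')} is a server-side secret" unless client_safe?(key_path)
  value = credentials.dig(*key_path)
  %(<script src="https://maps.googleapis.com/maps/api/js?key=#{ERB::Util.url_encode(value)}"></script>)
end

if $PROGRAM_NAME == __FILE__
  puts SAMPLE_CREDENTIALS.stripe[:publishable_key]       # nested key
  puts SAMPLE_CREDENTIALS.google_api_key                 # single key
  p render_yaml_config(CLOUDINARY_TEMPLATE, SAMPLE_CREDENTIALS)
  puts script_tag_for(SAMPLE_CREDENTIALS, :google_api_key)
end
```

Two details worth noticing when you run it: YAML parses the unquoted numeric api_key as an Integer, so quote the interpolated value in the template if the consuming library expects a String; and inside a real .html.erb view, <%= %> also HTML-escapes the value, while the url_encode used here is what protects the query-string component.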
How to share keys with a team
Share the master.key file with the other developers so that they can decrypt the credentials.
Each team member creates a master.key file locally in the config folder and pastes the shared key into it.
Conclusion
Programming becomes more and more fun without the hassle of hunting for the right API keys. Thanks to credentials, we can update the application in line with information security recommendations. Share the master key once and get rid of the tedious copying.
Thanks for your attention!