Credentials in Rails 6 – Tricks & Tips

Rails 6 introduced some new features for storing credentials you need to keep safe, such as API keys, database credentials, etc. I’m not going to go into the basics of using credentials in Rails, since many other people have already invested lots of time explaining this. A good intro by Romil Mehta can be found here. What I want to show you is the weird little tricks that are hard (kinda) to discover on your own.

You can edit credentials with almost any text editor.

Yep. For some reason tons of examples use vi. But let’s be honest, most of us are too busy to learn how to use it properly. It’s just as easy to use nano or Atom instead.

EDITOR=nano rails credentials:edit

You can create credentials for other environments.

If you pass along an environment that doesn’t yet have a credentials file specific to it, one will be created for you under: config/credentials/some_environment.rb

EDITOR=nano rails credentials:edit --environment development 

Don’t forget your .gitignore.

This should already be configured, but honestly it’s pretty important to check it yourself. Don’t commit your .key files to version control!

# Ignore master key for decrypting credentials and more.
/config/master.key

/config/credentials/development.key

/config/credentials/production.key

You can override the default credentials path in your initializer.

This is a big one. Let’s say you want to change the location of your credentials for some reason, or perhaps you want to simply use the same credentials for development and test. You can do this by explicitly defining the path.

# Use the following path for credentials. 
config.credentials.content_path = 'your/path/yourfile.yml.enc'
config.credentials.key_path = 'your/path/yourfile.key'

There may not be a whole lot of reasons to do this, but maybe you have multiple testing or staging environments and you want those to share all of the same credentials. Either way, just know that you can change this behavior.

Don’t forget to escape your Ruby in other .yml files.

I’m not sure why this is frequently overlooked, but for some reason this little mistake took me twenty minutes to track down. Perhaps it should be obvious but it wasn’t for me. When using your credentials inside another .yml file, that file will need to be parsed. For instance, if you have the following line in config/database.yml:

username: Rails.application.credentials[:database][:username]

You are going to have some problems. Remember to escape it!

username: <%= Rails.application.credentials[:database][:username] %>

Credentials are just YAML. You can nest them.

For instance, let’s say you need to protect the secret ingredients in your sandwich recipes.

ingredients:
  cheeseburger:
    meat: Beef
  ham_and_swiss:
    meat: Ham

Now, you can get your secret ingredients like so…

> Rails.application.credentials[:ingredients][:cheeseburger][:meat]
=> "Beef"

Now, what if you happen to have a vegan sandwich that doesn’t have any meat? You can check for presence like this:

  <%# dig returns nil instead of raising when :your_sym is missing entirely %>
  <% if Rails.application.credentials.dig(:ingredients, :your_sym, :meat).present? %>
  meat: <%= Rails.application.credentials.dig(:ingredients, :your_sym, :meat) %>
  <% end %>

That way, you can avoid trying to locate something that doesn’t actually exist.
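An added example (not from the original post) that covers both the database.yml escaping tip and the presence check above: it renders small YAML snippets through ERB and then YAML, which is roughly what Rails does with config/database.yml. `CREDS`, `load_config` and the `creds`/`name` template locals are hypothetical stand-ins so it runs without Rails.

```ruby
require "erb"
require "yaml"

# Constructed stand-in for Rails.application.credentials (an assumption so
# this runs without Rails); like the real object it answers [] and dig.
CREDS = {
  database: { username: "app_user" },
  ingredients: { cheeseburger: { meat: "Beef" }, vegan: {} }
}.freeze

# Render ERB first, then parse the result as YAML.
def load_config(text, **locals)
  rendered = ERB.new(text, trim_mode: "-").result_with_hash(locals)
  YAML.safe_load(rendered)
end

# Without ERB tags the Ruby expression is just a YAML string, so the
# database would be handed the expression text as its username.
UNESCAPED = "username: creds[:database][:username]\n"
ESCAPED   = "username: <%= creds[:database][:username] %>\n"

# Constructed template: the presence check written with dig, so a sandwich
# with no meat key, or no entry at all, drops the line instead of raising.
SANDWICH = <<~YML
  name: <%= name %>
  <%- if creds.dig(:ingredients, name.to_sym, :meat) -%>
  meat: <%= creds.dig(:ingredients, name.to_sym, :meat) %>
  <%- end -%>
YML

if __FILE__ == $PROGRAM_NAME
  p load_config(UNESCAPED, creds: CREDS)
  p load_config(ESCAPED, creds: CREDS)
  %w[cheeseburger vegan blt].each do |name|
    p load_config(SANDWICH, creds: CREDS, name: name)
  end
end
```

The unescaped variant parses without any error, which is why the mistake is easy to miss until the database rejects the login.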

This wasn’t meant to be a complete guide to using credentials in Rails. But hopefully some of this information will prove useful to you when configuring your own applications.

