Add possibility to set custom `Rails.application.credentials` object. #31257

Closed

@morgoth
Member

commented Nov 28, 2017

In a multi-environment application, one can set a custom file by:

```
config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end
```

The last missing part of the credentials feature ;-)

r? @kaspth

Add possibility to set custom `Rails.application.credentials` object.
In a multi-environment application, one can set a custom file by:

```
config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end
```

@morgoth morgoth force-pushed the freeletics:add-application-credentials-writer branch to dfe3a88 Nov 29, 2017

@garrettqmartin8


commented Nov 30, 2017

@morgoth I've been playing around with another implementation that allows you to keep all secrets in one credentials.yml.enc file and it uses the current Rails environment to determine the correct keys to use. I'm using the following structure.

```
development:
  # development keys...

staging:
  # staging keys...

production:
  # production keys...
```

Is it preferable to use a separate file for each environment?

@morgoth

Member Author

commented Nov 30, 2017

@garrettqmartin8 The problem with this approach is that you're sharing credentials for all environments with a single encryption key, which for some might be a security concern.

Without setting a custom credentials object, it won't be possible to store `secret_key_base` in it, as this is how it's retrieved now: https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

@garrettqmartin8


commented Dec 1, 2017

Ah I see. That makes sense.

@kaspth

Member

commented Dec 3, 2017

I'm not that fond of the proposed API. You could write a custom wrapper in your app that falls back to credentials in the production environment.

Or hell, the wrapper just does something like `credentials.config.merge(encrypted("config/env-specific-file.enc").config)`. Thanks!

@kaspth kaspth closed this Dec 3, 2017
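
The two points raised in this thread (one key per environment, and a wrapper that merges an env-specific file over the default one), as an added example that is not code from the PR or from Rails. `seal`, `unseal`, `merged_credentials`, `readable?`, the constants and the sample values are hypothetical; stdlib AES-128-GCM stands in for Rails' encrypted files.

```ruby
require "openssl"
require "yaml"
require "securerandom"

# Hypothetical stand-in for writing an encrypted file: AES-128-GCM over YAML.
def seal(yaml, key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  data = cipher.update(yaml) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypts and parses a sealed blob; raises CipherError if the key is wrong.
def unseal(blob, key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  YAML.safe_load(cipher.update(data) + cipher.final)
end

# Wrapper in the spirit of credentials.config.merge(...): env values win.
def merged_credentials(base_blob, base_key, env_blob, env_key)
  unseal(base_blob, base_key).merge(unseal(env_blob, env_key))
end

# True when `key` decrypts `blob`; GCM authentication fails on any other key.
def readable?(blob, key)
  unseal(blob, key)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# Constructed sample data: two files, each sealed with its own 128-bit key.
BASE_KEY     = SecureRandom.random_bytes(16)
STAGING_KEY  = SecureRandom.random_bytes(16)
BASE_FILE    = seal({ "api_host" => "api.example.test",
                      "api_token" => "prod-token" }.to_yaml, BASE_KEY)
STAGING_FILE = seal({ "api_token" => "staging-token" }.to_yaml, STAGING_KEY)

if __FILE__ == $PROGRAM_NAME
  p merged_credentials(BASE_FILE, BASE_KEY, STAGING_FILE, STAGING_KEY)
  p readable?(BASE_FILE, STAGING_KEY) # the staging key cannot open the other file
end
```

Note that the merge needs both keys at runtime, so it only keeps environments isolated if the default file holds nothing that must stay production-only.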

@morgoth

Member Author

commented Dec 3, 2017

@kaspth Yes, that wouldn't be a problem. The issue currently is that it's not possible to have `secret_key_base` encrypted in this file, as this is how Rails reads it: https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

I would have to special case it and set SECRET_KEY_BASE env var only for this one (alongside RAILS_MASTER_KEY)
