Skip to content

Add possibility to set custom Rails.application.credentials object. #31257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Add possibility to set custom Rails.application.credentials object. #31257

wants to merge 1 commit into from

Conversation

morgoth
Copy link
Member

@morgoth morgoth commented Nov 28, 2017

In multi environment application one can set custom file by:

config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end

The last missing part of credentials feature ;-)

r? @kaspth

@morgoth
Add possibility to set custom Rails.application.credentials object.
dfe3a88 
In multi environment application one can set custom file by:

```
config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end
```
@morgoth morgoth force-pushed the add-application-credentials-writer branch from 7014ddf to dfe3a88 Compare November 29, 2017 09:53
@blvrd
Copy link

blvrd commented Nov 30, 2017

@morgoth I've been playing around with another implementation that allows you to keep all secrets in one credentials.yml.enc file and it uses the current Rails environment to determine the correct keys to use. I'm using the following structure.

development:
  # development keys...

staging:
  # staging keys...

production:
  # production keys...

Is it preferable to use a separate file for each environment?

@morgoth
Copy link
Member Author

morgoth commented Nov 30, 2017

@garrettqmartin8 The problem with this approach is that you're sharing credentials for all environments with the single encryption key, which for some might be a security concern.

Without setting custom credentials object it won't be possible to store secret_key_base in it, as this is how it's retrieved now https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

@blvrd
Copy link

blvrd commented Dec 1, 2017

Ah I see. That makes sense.

@kaspth
Copy link
Contributor

kaspth commented Dec 3, 2017

I'm not that fond of the proposed API. You could write a custom wrapper in your app that falls back to credentials in the production environment.

Or hell, the wrapper just does something like credentials.config.merge(encrypted("config/env-specific-file.enc").config). Thanks!

@kaspth kaspth closed this Dec 3, 2017
@morgoth
Copy link
Member Author

morgoth commented Dec 3, 2017

@kaspth Yes, that wouldn't be a problem. The issue currently is, that it's not possible to have secret_key_base encrypted in this file, as this is how Rails reads it https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

I would have to special case it and set SECRET_KEY_BASE env var only for this one (alongside RAILS_MASTER_KEY)

@morgoth morgoth mentioned this pull request Feb 2, 2018
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@kaspth kaspth

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@morgoth @blvrd @kaspth