Ryzal Yusoff

Reputation: 1047

What's the point of secrets.yml if I still have to load variables from environment?

I decided to use the secrets.yml file as a way to easily transfer my variables to my app's production server. Once I open up the file, this is what I notice:

development:
  secret_key_base: 61a3857f1ddc140836......

test:
  secret_key_base: 6041df556cf0feb5e.....

# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

As you can see, for the production part, it says "Do not keep production secrets in the repository, instead read values from the environment".

I don't know about other people, but it's so obvious to me that if I do this, it completely defeats the purpose of secrets.yml itself. I want to use secrets.yml so that I no longer have to set the environment variables one by one via the terminal on the production server, but if I still need to do this even though I am using secrets.yml now, then what's the point?

The process of setting up and transferring variables from development to production has been bugging me for a really long time. I have been looking everywhere, but no one seems to be really clear about the process from start to finish. So, sorry if this seems like a stupid question.

Upvotes: 4

Views: 2103

Answers (3)

Brad Werth

Reputation: 17647

It's just a YAML file. It can contain anything, particularly if you don't have it in version control.

Where I work, we do not include the secrets.yml in version control (I don't like managing ENV variables all over the place either). All of our staging and production machines only ever run in production mode. The secrets.yml file is automatically created if it is not present, as part of the deployment process. This is done without developer intervention, and the file is inaccessible to most users. The contents of the generated file look like this:

production:
  secret_key_base: some_big_random_secret_here

Upvotes: 1
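The two halves of this thread, the ERB line in the question's secrets.yml and the deploy-time generated file in the answer above, can be reproduced outside Rails. The following is an added example, not code from the question, the answer, or Rails itself: it loads a secrets.yml the way Rails does (ERB first, then YAML, then the section for the current environment), refuses to return a blank production secret_key_base, and writes a production-only secrets.yml with a fresh key and 0600 permissions. The sample YAML, the placeholder development/test values, and the function names are this example's own constructions.

```ruby
require "erb"
require "yaml"
require "securerandom"
require "tmpdir"

# Constructed stand-in for the config/secrets.yml that Rails 4.1 generates.
# The development/test values are placeholders, not real keys.
SAMPLE_SECRETS_YML = <<~YAML
  development:
    secret_key_base: 61a3857f1ddc140836devplaceholder

  test:
    secret_key_base: 6041df556cf0feb5etestplaceholder

  # Do not keep production secrets in the repository,
  # instead read values from the environment.
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Mirrors what Rails does at boot: run the file through ERB first (so the
# <%= ENV[...] %> tag becomes whatever the process environment holds), then
# parse the YAML and take the section for the current environment. In
# production a blank secret_key_base is fatal, just as Rails refuses to boot
# without one.
def load_secrets(yaml_text, rails_env)
  rendered = ERB.new(yaml_text).result
  all_sections = YAML.safe_load(rendered) || {}
  section = all_sections.fetch(rails_env) do
    raise KeyError, "secrets.yml has no '#{rails_env}' section"
  end
  secrets = (section || {}).transform_keys(&:to_sym)

  # An unset SECRET_KEY_BASE renders as an empty scalar, which YAML reads as
  # nil. Fail fast rather than let a nil secret reach the cookie signer.
  if rails_env == "production" && secrets[:secret_key_base].to_s.strip.empty?
    raise ArgumentError,
          "Missing secret_key_base for 'production': set SECRET_KEY_BASE in the environment"
  end
  secrets
end

# Deploy-time generation in the style of the answer above: write a
# production-only secrets.yml containing a fresh 128-hex-character key (the
# same size `rake secret` produces), created with mode 0600 so other local
# users cannot read it. The path and key arguments are this example's choices.
def write_production_secrets(path, key: SecureRandom.hex(64))
  # Quoted so YAML never type-coerces the scalar (an all-digit key would parse
  # as an Integer and a key like 1234e5 as a Float).
  content = "production:\n  secret_key_base: \"#{key}\"\n"
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(content) }
  # The mode argument only applies on creation; enforce it for an existing file too.
  File.chmod(0o600, path)
  path
end

# Permission check a deploy script can run after writing the file:
# true when neither group nor others have any access bits.
def secrets_file_private?(path)
  (File.stat(path).mode & 0o077).zero?
end
```

Run with SECRET_KEY_BASE set and `load_secrets(SAMPLE_SECRETS_YML, "production")` returns that value; run without it and the loader raises instead of handing back nil, which is the behaviour you want from a production boot. The committed development and test keys load either way, which is why the generated file can safely leave them in the repository while keeping production out of it.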

Petr Gazarov

Reputation: 3821

secrets.yml should not be used to keep production secret keys. The reason is that you don't want to commit them to version control. It is not safe.

There are a couple of good benefits this file provides that you probably overlooked:

  1. You may actually need your secrets to have different values in different environments; using production keys in development mode may not be needed or desirable. E.g. AWS_BUCKET_NAME: development vs. production

  2. Some of your code may rely on the existence of secret keys; a nil value may break the program.

  3. It is helpful to have documentation of which keys exist in production, even with incorrect values.

Tip: you can set all env variables in the terminal with one command. Just list them all.

config:set FIRST_SECRET=value SECOND_SECRET=value THIRD_SECRET=value ...

Upvotes: 2

Bharat soni

Reputation: 2786

Rails generates a new secrets.yml file in the config folder. By default, this file contains the application's secret_key_base, but it could also be used to store other secrets such as access keys for external APIs.

The secrets added to this file are accessible via Rails.application.secrets. For example, with the following config/secrets.yml:

development:
  secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
  some_api_key: SOMEKEY

Rails.application.secrets.some_api_key returns SOMEKEY in the development environment.

See the Upgrading Ruby on Rails guide on how to migrate existing applications to use this feature.

Refer Here For More Details

Upvotes: -1
