Where to store AWS keys in Rails?

Question

Is database.yml the right place to read the AWS keys from bashrc? database.yml sounds like a place only for database configs. Is there a more appropriate place where the AWS configs from bashrc could be read inside my Rails app?

Answer 1

Rails 5.2 onwards

Rails 5.2 has introduced the concept of encrypted credentials. Basically, from Rails 5.2 onwards, there is an encrypted credentials file that is generated on initializing the app in config/credentials.yml.enc. This file is encrypted, and hence, can be pushed to your source control tool. There is also a master.key file which is generated while initializing the app, which can be used to decrypt the credentials file, and make changes to it.

So, credentials for AWS could be added to it as:

aws:
  access_key_id: 123
  secret_access_key: 345

These keys could be accessed in your app as Rails.application.credentials.aws[:secret_access_key]. Other sensitive config, like credentials to other external services that are being used, can also be added to this config. Check out this blog by Marcelo Casiraghi for more details.

Pre Rails 5.2

There was no concept of a credentials system prior to Rails 5.2. There are a couple of ways in which you could try to come up with a solution to store your configuration.

A. You could create a YAML file for defining your config from scratch.

• Create a file called my_config.yml and place it in the config folder. Path: config/my_config.yml
• Add whatever configuration is required to the file, in YAML format (s described for AWS above)
• Make changes in application.rb to load this file during initialization as follows:

  APP_CONFIG = YAML.load(ERB.new(File.new(File.expand_path('../my_config.yml', __FILE__)).read).result)[Rails.env] rescue {}

• Using this approach, you will then be able to use APP_CONFIG['aws']['access_key_id'] for the AWS configuration defined above. For this use case, it is strongly recommended to have separate configuration files for development and production environments. The production file should probably not be checked in to version control for security.

B. Another approach would be to use some gems for managing configurations like railsconfig/config

NOTE: To answer the bit about storing this configuration in database.yml, it is strongly recommended to not do so. database.yml is a configuration file for storing configuration related to databases. Separation of concerns really helps while scaling any application, and hence, it is recommended to place such configurations in a separate file, which can be independently maintained, without any reliance on the database config.

Answer 2

Absolutely. The standard place to configure things like AWS would be inside config/initializers. You can create a file in there called aws.rb.

app/
bin/
config/
|__ initializers/
    |__ aws.rb

and inside this file you can configure your AWS setup using the environment variables from your bashr

Aws.config.update({
   credentials: Aws::Credentials.new('your_access_key_id', 'your_secret_access_key')
})

Files inside this directory are executed on app start, so this configuration will be executed right when your app starts, before it starts handling requests.

It may also be useful to note that the AWS SDK for Ruby will automatically search for specific environment variables to configure itself with. If that's what you're using, and if you have the following environment variables set up in your bashrc

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY

then you won't need any additional code in your Rails app to configure AWS. Check out more details here.