1

It's common practice on Heroku to have environment variables hold sensitive credentials so that one doesn't need to check in a passsword file into git.

Is there something similar for IronWorkers? How should one go about passing db connection strings to an IronWorker that has to connect to a database? Ideally, I would like to avoid having usernames and passwords in database.yml.

eg:

$ heroku config

HEROKU_POSTGRESQL_CYAN_URL: postgres://mmuxxxxxxxnhzp:X0JdWLxxxcJQ4ffO0xTjO6scJr@ec2-23-23-214-251.compute-1.amazonaws.com:5432/de11tlh7iq999x

$ heroku config:set SOMEVAR=somevalue

SOMEVAR=somevalue

Any help would be appreciated!

Thanks, Dimitri

dimroc
  • 1,172
  • 1
  • 16
  • 26

2 Answers2

1

1) Merge config file into package

2) upload worker with --worker-config flag.e.g. iron_worker upload hello.worker --worker-config cfg.json and use config helper inside worker.

3) Pass connection data via payload

thousandsofthem
  • 1,355
  • 10
  • 9
  • It looks like we'll be opting for 3) but passing this payload via the REST API from our production servers. (http://dev.iron.io/worker/reference/api/#queue_a_task) Is there more documentation on 2), specifically the `config` helper inside the worker? – dimroc Oct 09 '13 at 16:08
  • The config helper is for the config you can set for all of your tasks while uploading your worker (#2 in @thousandsofthem 's response). – Travis Reeder Oct 09 '13 at 16:28
1

Funny you should ask, an IronCast just went out yesterday on our blog about connecting to databases from your IronWorker's:

http://blog.iron.io/2013/10/ironcast-4-how-to-connect-to-your.html

To pass it in the payload:

@client.tasks.create("pygments",
                     "database" => Rails.configuration.database_configuration[Rails.env],
                     "request" => {"lang" => @snippet.language,
                     "code" => @snippet.plain_code},
                     "snippet_id" => @snippet.id)

Then to use it in your worker:

ActiveRecord::Base.establish_connection(params['database'])
Travis Reeder
  • 38,611
  • 12
  • 87
  • 87
  • Thanks for the video tutorial! As stated in the question though, I would like to avoid placing the credentials in a text file that I would probably check in, which is what's done in the video for example_connection.rb. I'm happy with sending it in the payload when creating the task via the client library/API. – dimroc Oct 09 '13 at 22:30
  • Ahh, didn't realize the video was different. The code example in the text part of the post passes it via the payload (updated my answer to show it). – Travis Reeder Oct 09 '13 at 22:37
  • Hi @dimroc, the example_connection.rb was actually a demonstration of how ActiveRecord::Base.establish_connection({params}) works. We recommend passing in your credentials as a payload from the controller. We definitely don't recommend checking your credentials into git! – samol Oct 10 '13 at 06:39
  • @SidneySidaZhang what are the security ramifications? Will the parameters get stored in e.g. log files? Which approach is more secure (payload or --worker-config)? – Dax Fohl Oct 11 '13 at 18:03
  • @DaxFohl Sending credentials via payloads to not reach log files and the UI since they get filtered, with the ultimate output being connectionstring: [FILTERED]. Payload is definitely preferred over a checked in worker config. You can see more here: http://dev.iron.io/worker/reference/payload/#payload_filtering_in_the_hud – dimroc Oct 23 '13 at 14:43