Rails Master Key in Gitlab.com CI

Question

I am trying to set up gitlab.com continuous integration(CI) for one of my private projects. But rails db:migrate is failing with the following error:

ActiveSupport::EncryptedFile::MissingKeyError: Missing encryption key to decrypt file with. Ask your team for your master key and write it to /builds/shubh-muhurat/Backend/config/master.key or put it in the ENV['RAILS_MASTER_KEY']

The master key should not be there in the repository, but if I set RAILS_MASTER_KEY using .gitlab-ci.yml I have to commit the master key to the repository.

So is there a better way of putting the master key.

PS: I am using gitlab.com CI.

Version: Rails 5.2.0.beta2

score 11 · Accepted Answer · answered Apr 27 '18 at 17:44

11

I solved this by adding the master key to the projects secret variables and then injecting it during the before_script phase:

- echo "$MASTER_KEY" > config/master.key

answered Apr 27 '18 at 17:44

Pedro Coutinho

156
1
5

Be careful, Gitlab CI variables masking is not secure, it's a "best-effort" feature to prevent revealing accidentally a value, see https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable. – ZedTuX Mar 20 '23 at 08:10

score 1 · Answer 2 · answered Jul 13 '18 at 05:02

After doing a bit of research for finding the easiest way of declaring the variables, I came across the Variables section in GitLab. The Variables section is located under the repository CI/CD setting. There is also an option of making your variables protected.

score 0 · Answer 3 · answered May 12 '19 at 10:08

I have the same problem and solved it using a workaround by injecting a temporary dummy master.key and credentials.yml.enc while building the image. This allows my CI to use the dummy master.key without revealing the real key.

Workaround in Dockerfile

# Precompile assets
# We use dummy master.key and credentials.yml.enc to workaround the fact that
# assets:precompile needs them but we don't want the real master.key to be built
# into the container. We will inject RAILS_MASTER_KEY env var when starting the
# container.

RUN if [[ "$RAILS_ENV" == "production" ]]; then \
      mv config/credentials.yml.enc config/credentials.yml.enc.backup; \
      mv config/credentials.yml.enc.sample config/credentials.yml.enc; \
      mv config/master.key.sample config/master.key; \
      bundle exec rails assets:precompile; \
      mv config/credentials.yml.enc.backup config/credentials.yml.enc; \
      rm config/master.key; \
    fi

Rails Master Key in Gitlab.com CI

3 Answers3