
I'm working on a Rails application and I am attempting to organize my secret_key_base and related important secrets (think API keys, database credentials, etc.).

I am trying to find a way to set up something like the following under /config:

  /config
    credentials.yml.enc
    master.key

  /config/credentials
    development.yml.enc
    development.key
    production.yml.enc
    production.key
    test.yml.enc
    test.key

First Question: Is it that secret_key_base exists in /config/credentials.yml.enc, which is loaded (first?), and then the credentials are loaded for the environment Rails is running in? Or should I create a different secret_key_base for each environment?

Second Question: No matter what I do, when I run in development or test, tmp/development_secret loads first. In addition, whenever I try to access my secrets in development (Rails.application.secret_key_base), as referenced here: "What's the correct way of defining secret_key_base on Rails 6", I run into an issue where I only ever receive nil when looking for secrets I've defined in my development.yml.enc, which I assume is because it's not loading anything in that file; it's going to tmp/development_secret and not finding anything else. (Maybe I'm wrong.)

Goals:

  • Stop tmp/development_secret from being created, and instead access secrets using the specific .yml.enc file depending on the environment.
  • Understand why /config/credentials.yml.enc exists if it doesn't load in all the environments. If it doesn't, then it isn't clear when it loads.

Why?

  • Using config/database.yml as an example, I want to store different creds for each environment, but none of them in version control. (I want nobody but a few to have production.) However, I want to access them the exact same way in all of my environments. Not having creds load in production because of an issue with a .yml file will crash my app, so I don't want to load them differently in test/development.
  • Put together a blog post about this, because searching for documentation on this feature is painful. It's a really easy thing, because then only the master.key and production.key would need to be loaded as ENV variables, which is great. (Or possibly just one of them.)

This really should be a simple, out-of-the-box thing, but it's hard to find real documentation on best practices.

Aaron

1 Answer

I've found the answer, at least the one I'm looking for. You can have your initializer load whatever file you want by overriding the defaults.

  config.credentials.content_path = 'config/credentials/development.yml.enc'
  config.credentials.key_path = 'config/credentials/development.key'

https://edgeapi.rubyonrails.org/classes/Rails/Application.html

Aaron
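As an added, stand-alone illustration (example code written for this page, not Rails' own code and not the poster's), this models the per-environment lookup that the answer above overrides by hand: when config/credentials/<env>.yml.enc exists, it and config/credentials/<env>.key are used, otherwise the shared config/credentials.yml.enc and config/master.key, and RAILS_MASTER_KEY takes precedence over any key file so production needs no key file on disk. The file names, the 32-hex-character key and the aes-128-gcm "ciphertext--iv--tag" layout follow Rails' conventions, but Rails' Marshal wrapping of the plaintext is omitted, so the output is not byte-compatible with a real credentials file; the module and method names are this example's own.

```ruby
require "openssl"
require "yaml"
require "fileutils"
require "tmpdir"

# Model of Rails' per-environment credentials lookup, written for this example
# (not Rails' own code). If config/credentials/<env>.yml.enc exists, it and
# config/credentials/<env>.key are used; otherwise config/credentials.yml.enc and
# config/master.key. RAILS_MASTER_KEY, when set, wins over any key file.
module CredentialsLookup
  CIPHER = "aes-128-gcm"  # Rails' cipher; master.key holds the 16-byte key as 32 hex chars

  def self.resolve(env, root:, env_vars: ENV)
    per_env = File.join(root, "config", "credentials", env.to_s)
    env_specific = File.exist?("#{per_env}.yml.enc")  # the content file decides, as in Rails
    content  = env_specific ? "#{per_env}.yml.enc" : File.join(root, "config", "credentials.yml.enc")
    key_path = env_specific ? "#{per_env}.key" : File.join(root, "config", "master.key")
    key_hex  = env_vars["RAILS_MASTER_KEY"] || (File.read(key_path).strip if File.exist?(key_path))
    raise "missing key for #{env}: set RAILS_MASTER_KEY or create #{key_path}" unless key_hex
    { content_path: content, key_path: key_path, key: [key_hex].pack("H*") }
  end

  # "ciphertext--iv--tag", each part strict base64, like ActiveSupport::MessageEncryptor
  # (Rails additionally Marshal-wraps the plaintext, which is skipped here).
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    data = cipher.update(plaintext) + cipher.final
    [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
  end

  def self.decrypt(blob, key)
    data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key, cipher.iv, cipher.auth_tag = key, iv, tag
    cipher.update(data) + cipher.final  # OpenSSL::Cipher::CipherError on wrong key or tampering
  end

  def self.write_encrypted(path, key_hex, secrets)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, encrypt(YAML.dump(secrets), [key_hex].pack("H*")))
  end

  def self.load(env, root:, env_vars: ENV)
    found = resolve(env, root: root, env_vars: env_vars)
    YAML.safe_load(decrypt(File.read(found[:content_path]), found[:key]))
  end
end
```

Because the key path follows the content file, an environment-specific .yml.enc with no matching .key and no RAILS_MASTER_KEY fails loudly instead of silently falling back to master.key, which is the failure mode worth catching before a production deploy.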