RailsEnvCredentials

It enhances the Credentials feature introduced by Rails v5.2.0.

Installation

Add this line to your Rails application's Gemfile:

group :development, :test do
  gem 'rails-env-credentials'
end

And then execute:

$ bundle

Usage

RailsEnvCredentials manages credentials and key pairs with the following:

config/credentials-development.yml.enc
config/credentials-test.yml.enc
config/credentials.yml.enc
master-development.key
master-test.key
master.key

It also manages environment variables for each env.

RAILS_MASTER_KEY_DEVELOPMENT
RAILS_MASTER_KEY_TEST
RAILS_MASTER_KEY

You can use appropriate credentials depending on Rails.env.

$ rails env_credentials:show -e development
# config/credentials-development.yml.enc
aws:
  bucket: foo-dev

$ rails env_credentials:show -e production
# config/credentials.yml.enc
aws:
  bucket: foo-prod

$ rails runner -e development 'pp Rails.application.credentials.aws.bucket'
"foo-dev"
$ rails runner -e production 'pp Rails.application.credentials.aws.bucket'
"foo-prod"

Generating secrets and a master key

It automatically generate encrypted file and the master key when you starts editing credentials at first:

$ rails env_credentials:edit -e development

Show secrets

You want to see decrypted contents, use env_credentials:show:

$ rails env_credentials:show -e development

Additional information

Other environments support

For example, if the config/environments/staging.rb exists, you will generate config/credentials-staging.yml.enc.

$ rails env_credentials:edit -e staging

Display a diff

You can’t directly compare encrypted files between two versions, but it turns out you can see a diff using Git attributes.

Put the following line in your .gitattributes file:

config/credentials*.yml.enc diff=env_credentials

Then configure Git to use env_credentials:show:

$ git config diff.env_credentials.textconv 'rails env_credentials:show --file'

This tells Git that encrypted files should decrypt by the env_credentials:show task when you try to display a diff.

Why make this gem?

Credentials is a good feature, but we cannot use it on development and test environment.

DHH wrote as follow in the pull request for initial implementation:

It's only in production (and derivative environments, like exposed betas) where the secret actually needs to be secret.

refs: rails/rails#30067

However, I have to manage secrets and a master key different from production for testing in the staging environment.

I do not have the confidence to explain explicit use cases to Rails team, so I implemented as a gem.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/sinsoku/rails-env-credentials. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the Rails::Env::Credentials project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.