sajad torkamani

How to store sensitive credentials in Rails

11 March 2022 (Updated 11 March 2022)
On this page
Store credentials
Access credentials
Raise error if credential is missing
Sources

Store credentials

You can store sensitive credentials such as API keys in the encrypted file config/credentials.yml.enc. Run:

./bin/rails credentials:edit

By default, this should open up a file that looks like this:

 # aws:
  #   access_key_id: 123
  #   secret_access_key: 345
   
   # Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
  secret_key_base: some-secret-here

Rails will use config/master.key or the environment variable RAILS_MASTER_KEY to encrypt this file. Make sure you save the contents config/master.key somewhere (e.g., LastPass) and keep it out of Git.

Access credentials

Given this decrypted config/credentials.yml.enc:

secret_key_base: 3b7cd72...
some_api_key: SOMEKEY
system:
  access_key_id: 1234AB

Rails.application.credentials.some_api_key returns "SOMEKEY" and Rails.application.credentials.system.access_key_id returns 1234AB.

Raise error if credential is missing

Rails.application.credentials.some_api_key! # => KeyError: :some_api_key is blank

Notice the the ! suffix.

You can also do this for nested attributes:

Rails.application.credentials.smtp!.development!.password!,

Sources

Tagged: Rails

Leave a comment

Your email address will not be published. Required fields are marked *