Rafe Draper
Rafe Draper's Blog


Using credentials in Rails 6

Rafe Draper · Apr 14, 2020


Here is the thing: a couple of days ago I was trying to configure the devise gem on my Rails 6 application, and this led me to do some research about how I can add credentials in order to use it properly with the OmniAuth method that is also available through devise. This led me to have a conversation with my mentor, and I asked how I can change my credentials, since this was not working in production, but... it was working locally.

config/initializers/devise.rb:

 # ==> OmniAuth
 # Add a new OmniAuth provider. Check the wiki for more information on setting
 # up on your models and hooks.
 # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
  config.omniauth :google_oauth2,
                  Rails.application.credentials.dig(:google, :google_client_id),
                  Rails.application.credentials.dig(:google, :google_client_secret),
                  scope: 'userinfo.email, userinfo.profile',
                  skip_jwt: true

So I had to change the scope of the credentials to also be reachable on deployment. This led me to find out the new way Rails 6 handles the credentials.yml.enc file in your application.

Before, as I learned from my mentor, the command (Rails 5.1)

rails secrets:edit

was enough to get through the configuration, but after Rails 5.2 secrets was replaced with credentials.

How did I update them now?

First I added a new credentials file to be handled in production. This is available in Rails 6 by doing:

$ rails credentials:edit --environment production

The above command does the following (do not commit these files):

  • Creates config/credentials/production.key if missing.
  • Creates config/credentials/production.yml.enc if missing.
  • Decrypts and opens the production credentials file in the default editor.

Now we have a production.key available which WE WILL ONLY SHARE WITH OUR trusted team members.

Now we can add the credentials and save them:

  aws:
    access_key_id: <your key goes here>
    secret_access_key: <your key goes here>

Save the changes and now we can check in our console with the command:

$ RAILS_ENV=production rails c
> Rails.application.credentials.config
#=> {:aws=>{:access_key_id=>"1f3649fe-ebbd-11e9-81b4-2a2ae2dbcce4", 
:secret_access_key=>"--your key will appear here"}}
> Rails.application.credentials.aws[:access_key_id]
#=> "--your key will appear here"

Finally, I added my production key for the Heroku deployment:

# Setting master key on Heroku
heroku config:set RAILS_MASTER_KEY="$(cat config/credentials/production.key)"

We can use either the generic environment variable RAILS_MASTER_KEY or a specific one like RAILS_PRODUCTION_KEY.
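
Why a deployment needs the key that matches its credentials file, as an added example (not code from this post or from Rails itself): it encrypts a sample credentials document, then reads it back with the matching key taken from RAILS_MASTER_KEY and with another environment's key. It assumes the `data--iv--tag` layout, AES-128-GCM and Marshal payload that Rails uses for `.yml.enc` files; the keys, the YAML values and the helper names are constructed for illustration.

```ruby
require "openssl"

# Added example, not Rails source. Assumes the "<data>--<iv>--<tag>" layout,
# AES-128-GCM and Marshal payload used for Rails *.yml.enc files.
CIPHER = "aes-128-gcm"
# Constructed sample values, not real secrets.
PRODUCTION_KEY  = "0123456789abcdef0123456789abcdef"
DEVELOPMENT_KEY = "fedcba9876543210fedcba9876543210"
SAMPLE_YAML = "aws:\n  access_key_id: example-id\n  secret_access_key: example-secret\n"

# The environment variable takes precedence over the key file's contents.
def resolve_key(env, key_file_contents)
  key = [env["RAILS_MASTER_KEY"], key_file_contents].map { |k| k.to_s.strip }.find { |k| !k.empty? }
  raise ArgumentError, "no key in RAILS_MASTER_KEY or key file" if key.nil?
  raise ArgumentError, "key must be 32 hex characters" unless key.match?(/\A\h{32}\z/)
  key
end

def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(Marshal.dump(plaintext)) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Returns the plaintext, or nil when the key is wrong or the file was altered.
def decrypt(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m") }
  return nil if data.nil? || data.empty? || tag.nil? || tag.bytesize != 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  # final raises on a tag mismatch, so Marshal.load only sees authenticated data.
  Marshal.load(cipher.update(data) + cipher.final)
rescue OpenSSL::Cipher::CipherError
  nil
end

# Production file read with the env-var key, then with another environment's key file.
def demo
  blob = encrypt(SAMPLE_YAML, PRODUCTION_KEY)
  { right_key: decrypt(blob, resolve_key({ "RAILS_MASTER_KEY" => PRODUCTION_KEY }, nil)),
    wrong_key: decrypt(blob, resolve_key({}, DEVELOPMENT_KEY)) }
end
p demo if $PROGRAM_NAME == __FILE__
```

Only the key has to stay secret: the `.yml.enc` file cannot be read, or altered without detection, by someone who lacks it.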
