Moving to credentials.yml.enc from ENV on production - ruby-on-rails

In our old rails app we used ENV['AUTH0_ID'] to manage environment variables.
In our new app we're using Rails.application.credentials.auth0[:AUTH0_ID]
But now in deploying, how do we provide Heroku with the environment variables?
Is it the case that we give Heroku the key we use to decrypt development.yml.enc (in our development env) and that will decrypt the yml?
If that's the case, what's the syntax for giving Heroku the development.key?

Related

Setting Rails Credentials For Production Mode

I am trying to store my stripe live key via Credentials as shown in the Securing Rails Application Guide: https://guides.rubyonrails.org/security.html#custom-credentials
I'm not sure what I'm doing wrong: the keys are written to the credentials file, and in the test and development environments they work, but when pushing to production I get errors saying my API keys are not set. Here are what my credentials file and production config look like:
Credentials file ->
stripe_live: xxx.xxx.xxx
config/environments/production:
Stripe.api_key = Rails.application.credentials.stripe_live
I've also tried setting the keys with this command
rails credentials:edit --environment production and still no luck in the production environment.
How do I set Rails credentials for the production environment? Do I need to set RAILS_MASTER_KEY as an env variable in my production environment?
Set RAILS_MASTER_KEY to the string located within config/master.key. Rails will automatically use this value to decrypt your credentials file. A separate credentials file is optional, but if you do choose to use the separate credentials file you need to be sure that you use that key for the RAILS_MASTER_KEY env variable.
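To make the answer concrete, here is an added example (not code from either post and not Rails' own implementation) of what the master key is and what RAILS_MASTER_KEY does. It reimplements, in plain Ruby with OpenSSL, the scheme Rails uses for credentials.yml.enc as I understand it: the key file holds 32 hex characters (16 bytes), the cipher is AES-128-GCM, and the key is looked up in ENV["RAILS_MASTER_KEY"] before the key file. The framing of the encrypted blob is simplified here, so this will not decrypt a real credentials.yml.enc; the sample credentials, the hypothetical helper names and the key-path argument are all constructed for the example.

```ruby
# Added example: a minimal stand-in for Rails' encrypted credentials, to show that the
# only secret Heroku needs is the 32-hex-character master key (RAILS_MASTER_KEY).
# Assumptions: AES-128-GCM, hex key packed to 16 bytes, ENV checked before the key file.
# The blob format is simplified and is NOT byte-compatible with Rails' credentials.yml.enc.
require "openssl"
require "base64"
require "yaml"

MASTER_KEY_RE = /\A\h{32}\z/

# Lookup order mirrored from Rails: ENV["RAILS_MASTER_KEY"] first, then the key file.
# env may be ENV or any Hash-like object; key_path is a hypothetical default.
def resolve_master_key(env: ENV, key_path: "config/master.key")
  key = env["RAILS_MASTER_KEY"]
  if (key.nil? || key.empty?) && File.exist?(key_path)
    key = File.read(key_path).strip
  end
  if key.nil? || key.empty?
    raise "missing master key: set RAILS_MASTER_KEY or provide #{key_path}"
  end
  raise "malformed master key (expected 32 hex characters)" unless key.match?(MASTER_KEY_RE)
  key
end

# Encrypts a YAML document with the hex master key; returns base64 data--iv--tag.
def encrypt_credentials(plaintext_yaml, hex_key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [hex_key].pack("H*")      # 32 hex chars -> 16 raw bytes
  iv = cipher.random_iv                  # 12-byte GCM nonce, fresh per encryption
  cipher.auth_data = ""
  data = cipher.update(plaintext_yaml) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Decrypts the blob and parses the YAML; a wrong key or tampered blob fails the GCM tag
# check and raises OpenSSL::Cipher::CipherError instead of returning garbage.
def decrypt_credentials(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  YAML.safe_load(cipher.update(data) + cipher.final, symbolize_names: true)
end

# Constructed sample credentials shaped like the question's auth0 section.
SAMPLE_CREDENTIALS = <<~YAML
  auth0:
    AUTH0_ID: constructed-auth0-id
    AUTH0_SECRET: constructed-auth0-secret
YAML

# End-to-end: generate a key the way `rails credentials:edit` would, encrypt, then decrypt
# using only the value a deployment would carry in RAILS_MASTER_KEY.
def demo
  hex_key = OpenSSL::Random.random_bytes(16).unpack1("H*")
  blob = encrypt_credentials(SAMPLE_CREDENTIALS, hex_key)
  deploy_env = { "RAILS_MASTER_KEY" => hex_key }   # constructed stand-in for Heroku config vars
  creds = decrypt_credentials(blob, resolve_master_key(env: deploy_env))
  creds[:auth0][:AUTH0_ID]
end
```

Applied to Heroku, the answer above amounts to `heroku config:set RAILS_MASTER_KEY=$(cat config/master.key)` (or the contents of config/credentials/production.key when you created environment-specific credentials with `--environment production`); the key file itself stays out of git, which is why the generated .gitignore already excludes it. Anything that can read the config var can decrypt every value in the file, so treat the config var with the same care as the credentials themselves.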

Heroku sets SECRET_KEY_BASE when it's not defined

I want Heroku to not set SECRET_KEY_BASE so I can use the one from credentials, but despite deleting it from the UI and verifying it doesn't exist by running heroku config, I still get it set as an environment variable on my dynos. And it's the same in all the dynos:
SECRET_KEY_BASE=d2753b472abb...
I also tried setting it to a blank string by running heroku config:set SECRET_KEY_BASE="" and Heroku insists on setting it up, as I can see by running bash and then env within bash.
How can I prevent that from happening?
Unfortunately, the Heroku Ruby buildpack generates and sets SECRET_KEY_BASE via the shell if it doesn't exist in your Heroku config vars.
It currently doesn't seem possible to directly use the secret key set in credentials.yml. You could make credentials.yml and SECRET_KEY_BASE align though.
Source: https://github.com/heroku/heroku-buildpack-ruby/issues/1143
And here is a short extract from that issue:
If you set your own SECRET_KEY_BASE, we do nothing.
If you do not set a SECRET_KEY_BASE we generate and set one for you.
We recommend using our heroku config interface for storing secrets rather than using the encrypted file storage that ships with rails.
If you want to use encrypted file storage locally with rails you could copy our secret key base (heroku run echo $SECRET_KEY_BASE) or you can set your own value manually locally and then again via heroku config.

Why is secret_key_base blank on Heroku (Rails 5.2)

I deleted secrets.yml and created credentials.yml.enc.
Locally I am using master.key, and in production I don't have any master key, only a RAILS_MASTER_KEY set as an environment variable.
On Heroku, if I run Rails.application.secrets I get:
{:secret_key_base=>nil, :secret_token=>nil}
and if I run Rails.application.credentials I do in fact see my secret_key_base.
However, locally... if I run the same commands, I DO see secret_key_base when calling Rails.application.secrets.
My main concern is that Rails is going to have an empty secret_key_base in production, which would be used to encrypt sessions and all kinds of critically important security things. I'm trying to verify that it actually does have the key set.
I'd love a way to 100% confirm that it's working in production, and that it's not blank. Is there some method I can call to check which doesn't rely on calling it via the methods above?
The SECRET_KEY_BASE is stored as an environment variable on Heroku. You can either view these in the interface by going to the settings for that dyno or you can do it in the terminal:
heroku run bash
then
env | grep SECRET_KEY_BASE
If you do not see it, there may be an issue, but you can generate a new one for Heroku and set it in the environment variables (see Rails.application.key_generator).
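The two Heroku questions above both come down to which source Rails reads secret_key_base from. The following is an added example, not code from the posts or from Rails itself: a plain-Ruby stand-in for the precedence Rails 5.2/6 applies outside development and test (my understanding: ENV["SECRET_KEY_BASE"], then credentials, then secrets.yml, and a blank result raises). Because the Heroku Ruby buildpack fills ENV["SECRET_KEY_BASE"] whenever it is unset, that value shadows whatever credentials.yml.enc holds, which is why the credentials value is never used and why Rails.application.secrets can show nil while sessions still work. The hashes, the report helper and the scenario are constructed; the error wording approximates Rails' message rather than reproducing it.

```ruby
# Added example: stand-in for Rails' secret_key_base resolution (assumed order:
# ENV > credentials > secrets.yml in non-development environments; blank is an error).
require "securerandom"
require "digest"

# Approximation of Rails' validation; the real message wording varies by version.
def validate_secret_key_base(value, rails_env)
  if value.nil? || value.to_s.strip.empty?
    raise ArgumentError, "Missing `secret_key_base` for '#{rails_env}' environment, " \
                         "set this value in `config/credentials.yml.enc`"
  end
  value
end

# env stands in for ENV; credentials and secrets stand in for
# Rails.application.credentials and Rails.application.secrets (all plain Hashes here).
def resolve_secret_key_base(rails_env:, env:, credentials:, secrets:)
  if %w[development test].include?(rails_env)
    # Rails generates and caches a throwaway local secret here; constructed stand-in.
    secrets[:secret_key_base] ||= SecureRandom.hex(64)
  else
    validate_secret_key_base(
      env["SECRET_KEY_BASE"] || credentials[:secret_key_base] || secrets[:secret_key_base],
      rails_env
    )
  end
end

# Confirms the key is set and says which source won, without revealing the secret:
# a fingerprint is enough to compare two dynos or a dyno against local config.
# (In a real app the value itself comes from Rails.application.secret_key_base.)
def secret_key_base_report(rails_env:, env:, credentials:, secrets:)
  key = resolve_secret_key_base(rails_env: rails_env, env: env,
                                credentials: credentials, secrets: secrets)
  source =
    if env["SECRET_KEY_BASE"] then :env
    elsif credentials[:secret_key_base] then :credentials
    else :secrets
    end
  { source: source, length: key.length, fingerprint: Digest::SHA256.hexdigest(key)[0, 8] }
end

# Constructed scenario from the questions above: secrets.yml deleted, a secret_key_base
# in credentials, and the buildpack-generated SECRET_KEY_BASE present in the dyno env.
def heroku_scenario
  buildpack_value = SecureRandom.hex(64)
  secret_key_base_report(
    rails_env: "production",
    env: { "SECRET_KEY_BASE" => buildpack_value },
    credentials: { secret_key_base: "value-from-credentials-yml-enc" },
    secrets: { secret_key_base: nil, secret_token: nil }
  )
end
```

Running heroku_scenario reports :env as the source, which is the situation the "make them align" advice above addresses: if you want the credentials value to be the one in use, the config var must carry the same value, since the env var is what wins. The fingerprint lets you compare that the two match without echoing the key into logs or a terminal history.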

could not get Environment variable in staging server in rails 3 and capistrano 2.15

I am working on a Rails 3 application. I use Capistrano 2 for deployment on DigitalOcean.
Now, I want to store the client's Gmail username and password.
I do not want to store it in the code as it is sensitive information.
I want to store it in a server environment variable.
So I create the env variable with the following command:
export NEW_VAR="Testing export"
I checked it with the following command and it's saved as an env variable:
echo $NEW_VAR
Now I want to access it in my Rails application in the environments folder, in staging.rb and production.rb.
I tried to use the dotenv gem, but it gives me difficulty in getting the env variable as I am using Capistrano 2.
Please help me.
Thanks
Use the Figaro gem. It's pretty easy to set up. https://github.com/laserlemon/figaro

getting error on production related to config.yml

I am trying to push an app to Heroku. It gets pushed, but none of my assets get uploaded to Heroku.
It works fine locally. So I check with rails s -e --production and it gives me an error in secrets.yml.
It says
Missing secret_token and secret_key_base for '--production' environment, set these values in config/secrets.yml
I am not sure what it is. Please help..
I believe that for a Heroku app to run in production Rails expects the secret configuration to exist. Remove the line within your .gitignore that prevents secrets.yml from updating within version control and then make sure you use ENV variables for your secret tokens. If you don't have any secret tokens that aren't just tests then you shouldn't have to worry about it, but if you do you can use gems like Figaro to configure your environment variables that will keep your tokens off VCM.
Edit: If you look within your config directory you should see a secrets.yml that was generated with your app. Within the app you should see your secret_key_base variables within dev, test, and production. Within production though you should have:
# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> <- This being your Environment variable
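As an added example (not the answerer's code, and not Rails' own loader), here is a constructed copy of that production section rendered the way Rails reads secrets.yml: ERB first, so `<%= ENV["SECRET_KEY_BASE"] %>` becomes whatever the environment holds or nothing at all, then YAML. The check that follows is in the spirit of Rails 4.1's boot-time validation, with approximated wording. It also covers the edge case visible in the error quoted above: the environment name in that message is '--production', exactly the string handed to -e, so Rails looked for a section with that name and found nothing.

```ruby
# Added example: how ERB in config/secrets.yml turns into values, and why an unset
# SECRET_KEY_BASE (or a mistyped environment name) surfaces as the "Missing
# secret_key_base" boot error. Error wording is approximated, not Rails' exact text.
require "erb"
require "yaml"

# Constructed copy of the generated secrets.yml, production section as shown above.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: dev-only-not-a-secret
  # Do not keep production secrets in the repository,
  # instead read values from the environment.
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Renders the template against the real process environment, parses the YAML, and
# returns the section for rails_env; raises when secret_key_base is blank or when the
# section does not exist (which is what happens for an environment named "--production").
def load_secrets(template, rails_env)
  rendered = ERB.new(template).result    # unset env var => "secret_key_base: " => nil in YAML
  all      = YAML.safe_load(rendered) || {}
  secrets  = all[rails_env] || {}
  value    = secrets["secret_key_base"]
  if value.nil? || value.to_s.strip.empty?
    raise "Missing secret_key_base for '#{rails_env}' environment, " \
          "set this value in config/secrets.yml"
  end
  secrets
end

# Reports whether production would boot, without printing the secret itself.
def production_secrets_ok?
  load_secrets(SECRETS_YML, "production")
  true
rescue RuntimeError
  false
end
```

With SECRET_KEY_BASE exported in the shell (or set as a Heroku config var), `load_secrets(SECRETS_YML, "production")` returns the section with the value filled in; with it unset, or with the environment given as "--production" instead of `RAILS_ENV=production` or `-e production`, it raises the same kind of error the question shows. The template keeps the secret out of the repository exactly as the answer recommends; only the environment carries it.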
