I am having trouble getting my browserstack credentials to work on Travis. The credentials work locally if I don't encrypt the key and trigger the build from my local by just using environment variables.
I am using travis encrypt, which is instructed here: https://docs.travis-ci.com/user/browserstack/ but I am not sure I am using it correctly and am having difficulty finding documentation on the command.
If my browserstack key is foo, should the command be:
travis encrypt foo
travis encrypt BROWSERSTACK_ACCESS_KEY=foo
travis encrypt BROWSERSTACK_ACCESS_KEY="foo"
or something else? I am using the output of the command and putting it at the end of my .travis.yml like so:
addons:
  browserstack:
    username: "myusername"
    access_key:
      secure: "encryptedkey"
But I am consistently getting Browserstack access_key is invalid. in my Travis build.
Since Travis uses bash to evaluate this (iirc) you should use single quotes instead as bash will not expand special characters within single quotes. And you could probably also wrap the whole thing in double quotes for good measure, so this should work:
travis encrypt "BROWSERSTACK_ACCESS_KEY='foo'"
Also, if I understand your use of this secret correctly you should do something like this instead to configure the addon:
secure: "$BROWSERSTACK_ACCESS_KEY"
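How the two rounds of shell parsing treat a key with special characters, as an added example that is not part of the original answer. It assumes, as the answer does, that the build evaluates the decrypted string with bash; the key and the helper names `received` and `exported` are constructed for illustration.

```shell
#!/bin/sh
# Stage 1: the argument a command such as `travis encrypt` actually receives
# after the local shell has parsed the command line.
received() { printf '%s' "$1"; }

# Stage 2 (assumption, following the answer): the build evaluates the
# decrypted string with bash as `export <string>`. Simulated in a subshell.
exported() (
  eval "export $1"
  printf '%s' "$BROWSERSTACK_ACCESS_KEY"
)

# Constructed key k3y$Zq#9; Zq is an unset variable, so any expansion of
# $Zq silently deletes those three characters from the key.
double_only=$(received "BROWSERSTACK_ACCESS_KEY=k3y$Zq#9")
single_only=$(received 'BROWSERSTACK_ACCESS_KEY=k3y$Zq#9')
nested=$(received "BROWSERSTACK_ACCESS_KEY='k3y$Zq#9'")
nested_escaped=$(received "BROWSERSTACK_ACCESS_KEY='k3y\$Zq#9'")

# Print what was sent for encryption and what the build would end up with.
report() {
  printf '%-15s sent: %-38s build sees: %s\n' "$1" "$2" "$(exported "$2")"
}
report double_only    "$double_only"
report single_only    "$single_only"
report nested         "$nested"
report nested_escaped "$nested_escaped"
```

With this key only `nested_escaped` reaches the build intact; the other three forms lose `$Zq` at one of the two stages.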
I'm trying to deploy a rails 7 app to Fly.io, which uses Docker to deploy apps. I keep getting the below error when I try to deploy.
ActiveSupport::EncryptedFile::MissingKeyError: Missing encryption key to decrypt file with. Ask your team for your master key and write it to /app/config/credentials/production.key or put it in the ENV['RAILS_MASTER_KEY'].
I've tried putting the following into my docker file:
RUN --mount=type=secret,id=RAILS_MASTER_KEY \
    RAILS_MASTER_KEY="$(cat /run/secrets/RAILS_MASTER_KEY)"
Then running:
fly deploy \
    --build-secret RAILS_MASTER_KEY=the_actual_secret_key_here
That doesn't work. I've added the key as an environment variable to fly.io, but my understanding is this is failing because production keys aren't available at build time. Anyway, I'm stumped. Any ideas?
I'm new to docker, so it's likely I'm just missing something simple here.
I am relatively new to DBT and I have been reading about env_var. I want to use this in a couple of situations, and I am having difficulty and looking for some support.
Firstly, I am trying to use it in my profiles.yml file to replace the user and password so that this can be set when it is invoked. When trying to test this locally (before implementing this on our AWS side) I am failing to find the right syntax and not finding anything useful online.
I have tried variations of:
dbt run --vars '{DBT_USER: my_username, DBT_PASSWORD=my_password}'
but it is not recognizing it and gives nothing useful error-wise. When running dbt run by itself it does ask for DBT_USER, so it is expecting it, but doesn't detail how.
I would also like to use it in my dbt_project.yml for the schema but I assume that this will be similar to the above, just a third variable at the end. Is that the case?
Thanks
var and env_var are two separate features of dbt.
You can use var to access a variable you define in your dbt_project.yml file. The --vars command-line option lets you override the values of these vars at runtime. See the docs for var.
You should use env_var to access environment variables that you set outside of dbt for your system, user, or shell session. Typically you would use environment variables to store secrets like your profile's connection credentials.
To access environment variables in your profiles.yml file, you replace the values for username and password with a call to the env_var macro, as they do in the docs for env_var:
profile:
  target: prod
  outputs:
    prod:
      type: postgres
      host: 127.0.0.1
      # IMPORTANT: Make sure to quote the entire Jinja string here
      user: "{{ env_var('DBT_USER') }}"
      password: "{{ env_var('DBT_PASSWORD') }}"
      ....
Then BEFORE you issue the dbt run command, you need to set the DBT_USER and DBT_PASSWORD environment variables for your system, user, or shell session. This will depend on your OS, but there are lots of good instructions on this. To set a var for your shell session (for Unix OSes), that could look like this:
$ export DBT_USER=my_username
$ export DBT_PASSWORD=abc123
$ dbt run
Note that storing passwords in environment variables isn't necessarily more secure than keeping them in your profiles.yml file, since they're stored in plaintext and not protected from being dumped into logs, etc. (You shouldn't be checking profiles.yml into source control.) You should consider at least using an environment variable name prefixed by DBT_ENV_SECRET_ so that dbt keeps them out of logs. See the docs for more info.
The Travis docs say that the easiest way to encrypt keys, e.g. to upload to S3, is to use their command line tool.
Are there other ways to do this that don't involve installing Ruby etc. just to use their command line tool?
There happens to be a JavaScript method, and it's available here with the corresponding GitHub repo here.
To use encrypted S3 keys is moderately confusing because the principles are not well explained in the Travis docs.
In the top left field of the form mentioned above you enter your Travis-CI userid/repo-name so this allows the script to pull down the public key for your repository that has been created by Travis.
In the right top field, you enter:
AWS_ACCESS_KEY_ID:...the..access..string..from..Amazon.IAM...
Click on Encrypt and copy the string generated below Encrypted Data.
Then in the right top field, you enter:
AWS_SECRET_ACCESS_KEY:...the.very.secret.string.from.Amazon.IAM...
and again copy the encrypted string. Note that the encrypted strings change each time due to random data being included into the encrypted strings.
These encrypted key pairs are decrypted by Travis and exported as environment variables. You enter them in the .travis.yml file like this:
global:
  # travis encrypt AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
  - secure: "--first-very--long-encrypted-string--="
  # travis encrypt AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
  - secure: "--second--very-long-encrypted-string--="
  - AWS_S3_BUCKET_NAME: yourbucketname
Now in the deploy section, you reference them by using the names you used for the encryption pair:
deploy:
  provider: s3
  # these are set up in the global env
  access_key_id: $AWS_ACCESS_KEY_ID
  secret_access_key: $AWS_SECRET_ACCESS_KEY
  bucket: $AWS_S3_BUCKET_NAME
  skip_cleanup: true
  upload-dir: travis-builds
If you had used the name ACCESS_ID in global env when you encrypted it, then in deploy you would refer to it as $ACCESS_ID.
The upload-dir is created in the named bucket.
When your build runs in Travis, the decrypted keys are not exposed. Instead what you see is:
See https://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
Setting environment variables from .travis.yml
$ export AWS_ACCESS_KEY_ID=[secure]
$ export AWS_SECRET_ACCESS_KEY=[secure]
$ export AWS_S3_BUCKET_NAME=yourbucketname
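The answer's point that the encrypted string changes on every run, reproduced locally as an added example (not code from the original answer or from Travis). A throwaway RSA key pair stands in for the repository's key, the NAME=value pair is constructed, and openssl's default PKCS#1 v1.5 padding is an assumption about the scheme rather than something the page states.

```shell
#!/bin/sh
# Throwaway key pair standing in for the per-repository key (constructed).
# The service keeps the private half; clients only ever fetch the public half.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl genrsa -out "$workdir/private.pem" 2048 2>/dev/null
openssl rsa -in "$workdir/private.pem" -pubout -out "$workdir/public.pem" 2>/dev/null

# Encrypt one NAME=value pair with the public key. The base64 output is the
# kind of string that goes after "secure:" in .travis.yml.
# Padding: openssl default (PKCS#1 v1.5), assumed here, which adds random bytes.
encrypt_pair() {
  printf '%s' "$1" |
    openssl pkeyutl -encrypt -pubin -inkey "$workdir/public.pem" |
    openssl base64 -A
}

# Only the holder of the private key can reverse the operation.
decrypt_pair() {
  printf '%s\n' "$1" |
    openssl base64 -d -A |
    openssl pkeyutl -decrypt -inkey "$workdir/private.pem"
}

pair='AWS_ACCESS_KEY_ID=EXAMPLE-ID-CONSTRUCTED'   # constructed sample value
first=$(encrypt_pair "$pair")
second=$(encrypt_pair "$pair")

# Same plaintext, same key, different ciphertext: both are equally valid.
[ "$first" != "$second" ] && echo "ciphertexts differ between runs"
echo "first decrypts to:  $(decrypt_pair "$first")"
echo "second decrypts to: $(decrypt_pair "$second")"
```

Because the plaintext is the whole NAME=value pair, the variable name is fixed at encryption time, which is why the deploy section has to refer to the same name.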
I'm trying to run a test with sauce labs + travis CI but no luck.
Here's where I think the issue is:
https://travis-ci.org/angulytics/angular-snitch/builds/50894194#L402
UnknownError: Sauce Labs Authentication Error.
You used username 'None' and access key 'None' to authenticate, which are not valid Sauce Labs credentials.
However, I have added the keys to my travis settings page. Also, it looks like Travis is in fact exporting them:
https://travis-ci.org/angulytics/angular-snitch/builds/50894194#L80
$ export SAUCE_USERNAME=[secure]
$ export SAUCE_ACCESS_KEY=[secure]
So what's going on?
If it helps, you can check the rest of the protractor.conf here
https://github.com/angulytics/angular-snitch/blob/master/protractor.conf.js
I can't remember where exactly I found the answer, but I had to remove the seleniumAddress config option for reasons I don't really understand.
I'm currently trying to add a secret environment variable to Travis-CI. In the docs ("Secure environment variables") I found the following line to do this:
gem install travis
travis encrypt -r travis-ci/travis-core MY_SECRET_ENV=super_secret
If I understood this correctly I must replace travis-ci/travis-core with the name of my own repository, because the encryption should only be valid for my repository. Therefore, there must be a public key in the repository. Is there a special travis command to add this key? How does this exactly work? Or is this just my ssh public key?
When I run the following command:
travis encrypt -r my_username/my_repo MY_SECRET_ENV=super_secret
I get the following error:
There was an error while fetching public key, please check if you entered correct slug
This is a known issue. It already has a pull request on GitHub to fix it.
The problem is the request to get the public key of a repository does not work, because they changed the API to SSL. If you don't want to wait for the pull request to be merged, you can simply change the source to use https instead of http.