How to encrypt your Travis keys - travis-ci

The Travis docs say that the easiest way to encrypt keys eg. To upload to S3, is to use their command line tool.
Are there other ways to do this that doesn't involve installing Ruby etc just to use their command line tool?

There happens to be a Javascript method, and it's available here with the corresponding github repo here.
To use encrypted S3 keys is moderately confusing because the principles are not well explained in the Travis docs.
In the top left field of the form mentioned above you enter your Travis-CI userid/repo-name so this allows the script to pull down the public key for your repository that has been created by Travis.
In the right top field, you enter:
AWS_ACCESS_KEY_ID:...the..access..string..from..Amazon.IAM...
Click on Encrypt and copy the string generated below Encrypted Data
Then in the right top field, you enter:
AWS_SECRET_ACCESS_KEY:...the.very.secret.string.from.Amazon.IAM...
and again copy the encrypted string. Note that the encrypted strings change each time due to random data being included into the encrypted strings.
These encrypted key pairs are decrypted by Travis and exported as environment variables. You enter them in the .travis.yml file like this:
global:
# travis encrypt AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- secure: "--first-very--long-encrypted-string--="
# travis encrypt AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
- secure: "--second--very-long-encrypted-string--="
- AWS_S3_BUCKET_NAME: yourbucketname
Now in the deploy section, you reference them by using the names you used for the encryption pair
deploy:
provider: s3
# these are set up in the global env
access_key_id: $AWS_ACCESS_KEY_ID
secret_access_key: $AWS_SECRET_ACCESS_KEY
bucket: $AWS_S3_BUCKET_NAME
skip_cleanup: true
upload-dir: travis-builds
If you had used the name ACCESS_ID in global env when you encrypted it, then in deploy you would refer to it as $ACCESS_ID
The upload-dir is created in the named bucket.
When your build runs in Travis, the decrypted keys are not exposed. Instead what you see is:
See https://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
Setting environment variables from .travis.yml
$ export AWS_ACCESS_KEY_ID=[secure]
$ export AWS_SECRET_ACCESS_KEY=[secure]
$ export AWS_S3_BUCKET_NAME=yourbucketname

Related

How to store a file as bitbucket pipeline variable?

I'm using bitbucket pipelines and I need to store the .env file (for example) as a variable so that I can use it in my deployment. When I stored it as a plain text variable it echoed as a single line text and the app couldn't use it.
If your file contains linebreaks, they will be mangled by the input field in the pipeline variables page.
A solution is to encode the file content with base64 and decode the variable when writing it back to a file.
base64 < .env
pipelines:
default:
- step:
script:
- echo $MYVAR | base64 --decode > .env
Beware that if your file contains secrets and mark the base64-encoded variable as secret, you will loose a security feature that prevents accidental prints of its value in the pipeline logs. See Bitbucket: Show value of variables marked as secret

DBT - environment variables and running dbt

I am relatively new to DBT and I have been reading about env_var and I want to use this in a couple of situations and I am having difficultly and looking for some support.
firstly I am trying to use it in my profiles.yml file to replace the user and password so that this can be set when it is invoked. When trying to test this locally (before implementing this on our AWS side) I am failing to find the right syntax and not finding anything useful online.
I have tried variations of:
dbt run --vars '{DBT_USER: my_username, DBT_PASSWORD=my_password}'
but it is not recognizing and giving nothing useful error wise. When running dbt run by itself it does ask for DBT_USER so it is expecting it, but doesn't detail how
I would also like to use it in my dbt_project.yml for the schema but I assume that this will be similar to the above, just a third variable at the end. Is that the case?
Thanks
var and env_var are two separate features of dbt.
You can use var to access a variable you define in your dbt_project.yml file. The --vars command-line option lets you override the values of these vars at runtime. See the docs for var.
You should use env_var to access environment variables that you set outside of dbt for your system, user, or shell session. Typically you would use environment variables to store secrets like your profile's connection credentials.
To access environment variables in your profiles.yml file, you replace the values for username and password with a call to the env_var macro, as they do in the docs for env_var:
profile:
target: prod
outputs:
prod:
type: postgres
host: 127.0.0.1
# IMPORTANT: Make sure to quote the entire Jinja string here
user: "{{ env_var('DBT_USER') }}"
password: "{{ env_var('DBT_PASSWORD') }}"
....
Then BEFORE you issue the dbt_run command, you need to set the DBT_USER and DBT_PASSWORD environment variables for your system, user, or shell session. This will depend on your OS, but there are lots of good instructions on this. To set a var for your shell session (for Unix OSes), that could look like this:
$ export DBT_USER=my_username
$ export DBT_PASSWORD=abc123
$ dbt run
Note that storing passwords in environment variables isn't necessarily more secure than keeping them in your profiles.yml file, since they're stored in plaintext and not protected from being dumped into logs, etc. (You shouldn't be checking profiles.yml into source control). You should consider at least using an environment variable name prefixed by DBT_ENV_SECRET_ so that dbt keeps them out of logs. See the docs for more info

How to deal with merge conflicts in rails ENCRYPTED credential files

With rails 6 (or 5.2) encrypted credentials, I am running into difficulty managing and resolving merge conflicts in the credentials.yml.enc file. As is outlined in the documentation, the intention is that encrypted credentials can be added to source control (https://guides.rubyonrails.org/security.html#custom-credentials)
E.g.
branch_a adds credentials for service a and gets merged to master
branch_b adds credentials for service b and when rebasing, the conflict in the credentials.yml.enc file looks something like this:
<<<<<<< HEAD
sahdkajshdkajhsdkjahsdkjahsdkajhsdkjahsdkjahdskjahsdjkahsdencryptedstring-a09dpjmcas==
=======
laskdjalksjdlakjsdlaksjdlakjsdlaksjdlakjsdlajsdlkajsdlkjasdljalsdajsdencryptedstringrere=
>>>>>>> branch_b
I can view the unencrypted credentials.yml.enc on each branch and resolve conflicts quite manually but is there a better way to go about managing credentials generally in order to avoid these credential conflicts.
I don't believe there is a better way, no.
Because of the nature of the encryption, there is no way to resolve it in it's encrypted state. If that was possible it would imply that you can somehow know the values and keys of the file in the encrypted state.
When you do your merge, you should resolve any conflicts in the source file, and then rerun the command that generates the encrypted file, then complete your merge.
It is possible. From the rails credentials usage:
=== Set up Git to Diff Credentials
Rails provides `rails credentials:diff --enroll` to instruct Git to call `rails credentials:diff`
when `git diff` is run on a credentials file.
Running the command enrolls the project such that all credentials files use the
"rails_credentials" diff driver in .gitattributes.
Additionally since Git requires the driver itself to be set up in a config file
that isn't tracked Rails automatically ensures it's configured when running
`credentials:edit`.
Otherwise each co-worker would have to run enable manually, including on each new
repo clone.
If you don't have rails credentials:diff...
It is possible to merge them, but you will have to decrypt them.
When dealing with merge conflicts, you can run git mergetool and it should generate 4 files:
config/credentials.yml_BACKUP_84723.enc
config/credentials.yml_LOCAL_84723.enc
config/credentials.yml_BASE_84723.enc
config/credentials.yml_LOCAL_84723.enc
You may need to run git mergetool in one terminal window, and in another, run this script:
Note that this will expose your credentials on the local machine.
# Temporarily move credentials file to another location
mv config/credentials.yml.enc ~/Desktop/credentials_temp.yml.enc
# Copy local file to original location
cp config/credentials.yml_LOCAL_* config/credentials.yml.enc
# Decrypt and send decrypted credentials to desktop
rails credentials:show > ~/Desktop/credentials_local.yaml
# Delete the copied local file
rm config/credentials.yml.enc
# Copy remote file to original location
cp config/credentials.yml_REMOTE_* config/credentials.yml.enc
# Decrypt and send decrypted credentials to desktop
rails credentials:show > ~/Desktop/credentials_remote.yaml
# Delete the copied remote file
rm config/credentials.yml.enc
# Move credentials file back
mv ~/Desktop/credentials_temp.yml.enc config/credentials.yml.enc
# See diffs or open both
diff ~/Desktop/credentials_local.yaml ~/Desktop/credentials_remote.yaml
# Delete the decrypted files
rm ~/Desktop/credentials_local.yaml ~/Desktop/credentials_remote.yaml
Local is on the left. Remote is on the right.
Enjoy.
Generally it is recommended to ignore credentials in version control i.e. .gitignore and configure them via environment variable.

How do I use travis encrypt to encrypt browserstack key?

I am having trouble getting my browserstack credentials to work on Travis. The credentials work locally if I don't encrypt the key and trigger the build from my local by just using environment variables.
I am using travis encrypt, which is instructed here: https://docs.travis-ci.com/user/browserstack/ but I am not sure I am using it correctly and am having difficulty finding documentation on the command.
If my browserstack key is foo, should the command be:
travis encrypt foo
travis encrypt BROWSERSTACK_ACCESS_KEY=foo
travis encrypt BROWSERSTACK_ACCESS_KEY="foo"
or something else? I am using the output of the command and putting it at the end of my .travis.yml like so:
addons:
browserstack:
username: "myusername"
access_key:
secure: "encryptedkey"
But I am consistently getting Browserstack access_key is invalid. in my Travis build.
Since Travis uses bash to evaluate this (iirc) you should use single quotes instead as bash will not expand special characters within single quotes. And you could probably also wrap the whole thing in double quotes for good measure, so this should work:
travis encrypt "BROWSERSTACK_ACCESS_KEY='foo'"
Also, if I understand your use of this secret correctly you should do something like this instead to configure the addon:
secure: "$BROWSERSTACK_ACCESS_KEY"

Amazon ElasticBeanstalk: configure environment variable with newlines

I want to add environment variable with newlines to my application using ElasticBeanstalk such as RSA private key. I have the following form for this purpose:
and AWS CLI as well.
I didn't want to add a key file to my build, as we build from git, and keys in version control can be a security hazard, so I used this workaround instead:
# From your shell: Base64 encode the RSA private key file
# -w 0 disables wrapping, we don't want new lines
base64 -w 0 id_rsa
Base64 encoded data doesn't have newlines, so you can use the output directly as an ElasticBeanstalk environment variable. You can then use this variable inside your application like so:
# From the shell
echo "$SSH_PRIVATE_KEY" | base64 --decode - > .ssh/id_rsa
# Or just decode it with some other programming language of your choice
This way, you don't have to include the file that you're referencing into your build, but you can contain the key completely in the environment variable.

Resources