Do we need to add security.yml on heroku for deployment? - ruby-on-rails

I have developed an application in ROR.
My security.yml file has the following entries:
admin_name: *****
admin_email: user#example.com
admin_password: *****
domain_name: ******
secret_key_base: *****
email_provider_username: ****
email_provider_password: ******
How do I add these entries to the Heroku configuration?

I would read sensitive data from the environment.
Change your yaml files to something like this:
admin_name: <%= ENV['ADMIN_NAME'] %>
Then set the config with the Heroku cmd:
$ heroku config:set ADMIN_NAME=your_admin_name
Read the Heroku docs about config vars.
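Added example (not from the question or the answer): the same security.yml rendered with every value taken from ENV, plus a boot-time check that refuses to start when a config var is unset, so a missing `heroku config:set` fails loudly instead of leaving a nil secret_key_base or an empty admin password. The setting names mirror the question; the template text and function names are constructed for this example.

```ruby
require "erb"
require "yaml"

# Constructed template in the shape of the question's security.yml, with every
# value read from the environment (set on Heroku with `heroku config:set`).
SECURITY_TEMPLATE = <<~YAML
  admin_name: <%= ENV["ADMIN_NAME"] %>
  admin_email: <%= ENV["ADMIN_EMAIL"] %>
  admin_password: <%= ENV["ADMIN_PASSWORD"] %>
  domain_name: <%= ENV["DOMAIN_NAME"] %>
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  email_provider_username: <%= ENV["EMAIL_PROVIDER_USERNAME"] %>
  email_provider_password: <%= ENV["EMAIL_PROVIDER_PASSWORD"] %>
YAML

# Render the ERB tags against the process environment and parse the result,
# which is what Rails does with its own ERB-templated YAML config files.
def render_security(template = SECURITY_TEMPLATE)
  YAML.safe_load(ERB.new(template).result(binding)) || {}
end

# An unset config var renders as an empty scalar, which YAML reads as nil.
# Return those setting names so the app can refuse to boot instead of running
# with a nil secret_key_base or a blank admin password.
def missing_settings(config)
  config.select { |_name, value| value.nil? || value.to_s.strip.empty? }.keys
end

# Map setting names back to the config vars that still have to be set.
def config_vars_to_set(missing)
  missing.map(&:upcase)
end

# Call this at boot (for example from an initializer); it raises before any
# request is served.
def load_security!
  config = render_security
  missing = missing_settings(config)
  return config if missing.empty?

  raise KeyError, "missing config vars: #{config_vars_to_set(missing).join(' ')}"
end
```

Values are emitted as unquoted YAML scalars here, exactly as in the answer's `admin_name: <%= ENV['ADMIN_NAME'] %>`; a value containing YAML-significant characters (a colon followed by a space, a leading `#`) needs quoting in the template.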

Related

Google Cloud build fails due to rails db:migrate

I'm following the 'Running Rails on the Cloud Run environment' instructions and have hit a snag. I used their provided github repo and the google cloud shell and I had success in launching the working application.
Now, I am trying to integrate Cloud Run into my rails template. While 'Deploying the app to Cloud Run' using the cloudbuild.yaml file provided, the build crashes during database migration. I am using PostgreSQL. Here are the error details:
The error
"bundle exec rails db:migrate" ->
"ActiveRecord::ConnectionNotEstablished: could not connect to server: No such file or directory"
I think I've traced it to the database.yml file, where Google recommends this host:
production:
  <<: *default
  database: <%= ENV["PRODUCTION_DB_NAME"] %>
  username: <%= ENV["PRODUCTION_DB_USERNAME"] %>
  password: <%= Rails.application.credentials.gcp[:db_password] %>
  host: "<%= ENV.fetch("DB_SOCKET_DIR") { '/cloudsql' } %>/<%= ENV["CLOUD_SQL_CONNECTION_NAME"] %>"
It is unclear where this ENV.fetch("DB_SOCKET_DIR") comes from [at least to me, I'm new]. Their git repo holds a folder where I found templates for another build that included an app.standard.yaml and a config/database_unix.yml that I've tried integrating.
app.standard.yaml:
entrypoint: bundle exec rackup --port $PORT
runtime: ruby27
env_variables:
  SECRET_KEY_BASE: <SECRET_KEY>
  RAILS_ENV: production
  INSTANCE_UNIX_SOCKET: /cloudsql/<PROJECT-ID>:<INSTANCE-REGION>:<INSTANCE-NAME>
  DB_USER: <YOUR_DB_USER_NAME>
  DB_PASS: <YOUR_DB_PASSWORD>
  DB_NAME: <YOUR_DB_NAME>
beta_settings:
  cloud_sql_instances: <PROJECT-ID>:<INSTANCE-REGION>:<INSTANCE-NAME>
database_unix.yml:
# [START cloud_sql_postgres_activerecord_connect_unix]
unix: &unix
  adapter: postgresql
  # Configure additional properties here.
  # [END cloud_sql_postgres_activerecord_connect_unix]
  pool: 5
  timeout: 5000
  # [START cloud_sql_postgres_activerecord_connect_unix]
  # Note: Saving credentials in environment variables is convenient, but not
  # secure - consider a more secure solution such as
  # Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
  # keep secrets safe.
  username: <%= ENV["DB_USER"] %> # e.g. "my-database-user"
  password: <%= ENV["DB_PASS"] %> # e.g. "my-database-password"
  database: <%= ENV.fetch("DB_NAME") { "vote_development" } %>
  # Specify the Unix socket path as host
  host: "<%= ENV["INSTANCE_UNIX_SOCKET"] %>"
# [END cloud_sql_postgres_activerecord_connect_unix]
development:
  <<: *unix
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test:
  <<: *unix
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 1 } %>
  database: <%= ENV.fetch("DB_NAME") { "vote_test" } %>
production:
  <<: *unix
  database: <%= ENV.fetch("DB_NAME") { "vote_production" } %>
Some other solutions I've seen mention this instead of host:
socket: "/cloudsql/project_id:us-central1:photo-album-production"
I tried this with no luck. I cloned the repo to my machine and re-tried the Cloud Run instructions. No success this time as it's getting the same migration error. Am I thinking about this wrong?
Check this out: https://cloud.google.com/sql/docs/postgres/connect-build.
In short, you'll need to run the Cloud SQL Auth Proxy to create a Unix socket in Cloud Build so your app can connect.
If you're using a private IP instance, you'll need to make sure you're using private pools.
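Added example (not from the question, the answer, or Google's samples): a preflight that renders the production entry of a database.yml like the one in the question, takes the resulting host, and reports which precondition for a Unix-socket connection is missing. It is built on a libpq fact: a host beginning with "/" is treated as a directory, and the client opens the socket file `.s.PGSQL.5432` inside it; that is the file the Cloud SQL Auth Proxy creates under `/cloudsql/<connection name>`, and the file the "No such file or directory" error is about. The template below reads the password from ENV rather than from Rails credentials so it runs outside Rails; function names and sample values are constructed.

```ruby
require "erb"
require "yaml"

# Constructed production entry in the shape of the question's database.yml.
# The question reads the password from Rails credentials; here it comes from
# ENV so the snippet runs outside Rails.
DATABASE_TEMPLATE = <<~YAML
  production:
    adapter: postgresql
    database: <%= ENV["PRODUCTION_DB_NAME"] %>
    username: <%= ENV["PRODUCTION_DB_USERNAME"] %>
    password: <%= ENV["PRODUCTION_DB_PASSWORD"] %>
    host: "<%= ENV.fetch("DB_SOCKET_DIR") { '/cloudsql' } %>/<%= ENV["CLOUD_SQL_CONNECTION_NAME"] %>"
YAML

# libpq treats a host that starts with "/" as a directory and opens the
# server socket <dir>/.s.PGSQL.<port> inside it; the Cloud SQL Auth Proxy
# creates exactly that socket under /cloudsql/<connection name>.
PG_SOCKET_FILE = ".s.PGSQL.5432"

# Render the ERB tags against the process environment and pull out the host
# ActiveRecord would hand to libpq.
def production_host(template = DATABASE_TEMPLATE)
  YAML.safe_load(ERB.new(template).result(binding)).dig("production", "host")
end

def expected_socket_path(host)
  File.join(host, PG_SOCKET_FILE)
end

# Explain a "could not connect to server: No such file or directory" before
# db:migrate runs, by checking each thing that has to exist for the socket path.
def socket_diagnosis(host)
  host = host.to_s
  return :not_a_socket_path unless host.start_with?("/")
  return :connection_name_missing if host.end_with?("/")
  return :socket_dir_missing unless File.directory?(host)
  return :proxy_not_running unless File.socket?(expected_socket_path(host))

  :ok
end
```

Run as a separate Cloud Build step just before `bundle exec rails db:migrate`: `:socket_dir_missing` means no proxy has created `/cloudsql/<connection name>` in that build step, `:connection_name_missing` means `CLOUD_SQL_CONNECTION_NAME` was never substituted, and `:ok` is only returned once the proxy's socket file actually exists.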

Incorrect credentials response in Rails 6

Rails 6
I created the credentials file, as follows:
EDITOR=vi rails credentials:edit
production:
  mysql:
    db: acme-production
    user: deploy
    password: xxxxxxxxxxxx
  smartagent:
    token: lnroftb7sgr8c7f1ogqvij24xl
test:
  mysql:
    db: acme-test
    user: deploy
    password: xxxxxxxxxxxx
  smartagent:
    token: lnroftb7sgr8c7f1ogqvij24xl
secret_key_base: xxxxxxxxxxxxxx
master.key is in the correct place (in the config folder, locally, and as an environment setting on the server).
I am having trouble with the smartagent token.
When I do:
rails c
and
Rails.application.credentials.dig(Rails.env.to_sym, :mysql, :db)
I get:
=> "acme-test"
However, when I do:
Rails.application.credentials.dig(Rails.env.to_sym, :smartagent, :token)
I get:
=> nil
Any idea why this might be happening?
Solution:
I deleted the credentials file, re-populated it, and restarted the Rails app. That fixed the problem, so this must have been either an indentation issue (spaces vs. tabs) or the server not having restarted properly after earlier changes were made.

Can't get Rails 5.2 credentials to work while trying to hide AWS and JWT keys/secrets. Getting no method for Nil

I've been spending hours on this but cannot come up with any solutions. I've scoured the docs to see what I'm missing but can't find anything.
I'm using JWT and ActiveStorage with Amazon S3. I need to hide these keys before I can commit to GitHub. Following many examples, here's how my credentials.yml.enc file looks:
amazon:
  key: <my access key for AWS S3>
  secret: <my secret id for AWS S3>
jwt: <my jwt token encode/decode password>
I save this then in my storage.yml file I have:
test:
  service: Disk
  root: <%= Rails.root.join("tmp/storage") %>
local:
  service: Disk
  root: <%= Rails.root.join("storage") %>
# Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
amazon:
  service: S3
  access_key_id: <%= Rails.application.credentials[:amazon][:key] %>
  secret_access_key: <%= Rails.application.credentials[:amazon][:secret] %>
  region: us-east-1
  bucket: your_own_bucket
I've also tried with
<%= Rails.application.credentials[Rails.env.to_sym][:amazon][:key] %>
If I go to the console and try Rails.application.credentials[:amazon][:key] or Rails.application.credentials.amazon[:key] or any other variants, it's always nil.
Rails.application.credentials
gives me:
=> #<ActiveSupport::EncryptedConfiguration:0x00007faf1284aa80
#key_path=#<Pathname:/Users/demiansims/Development/Beastly/beastly-
backend/config/master.key>, #content_path=#
<Pathname:/Users/demiansims/Development/Beastly/beastly-
backend/config/credentials.yml.enc>, #env_key="RAILS_MASTER_KEY",
#raise_if_missing_key=false, #encryptor=#
<ActiveSupport::MessageEncryptor:0x00007faf1287bb80
#secret=">^\x04\x9Bh\xFEb\x00\x8B\xB3O5\xDC\x8E\xA6b",
#sign_secret=nil, #cipher="aes-128-gcm", #aead_mode=true,
#verifier=ActiveSupport::MessageEncryptor::NullVerifier,
#serializer=Marshal, #options={:cipher=>"aes-128-gcm"}, #rotations=[]>,
#config={}
Your credentials file might not be saving your changes. I had this same problem. I was using Sublime, and EDITOR="subl --wait" bin/rails credentials:edit would bring up the editor, but it would not recognize when I had saved the file. I never solved this, so I switched to vi. EDITOR="vi" bin/rails credentials:edit and problem solved. Now it all works as expected. If you are not familiar with vi commands, like me, these are helpful to know:
i -> "insert" will allow to move around with your arrow keys, delete, and add code
esc -> when you are finished editing hit escape
:wq -> this will save and exit the file. after you hit escape just type in :wq
hope this helps someone.
I think there's a problem in the format of your credentials.yml.enc. It should be like:
amazon:
  key: <my access key for AWS S3>
  secret: <my secret id for AWS S3>
jwt: <my jwt token encode/decode password>
So you can access your key like Rails.application.credentials.amazon[:key]
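Both credentials questions above (the Rails 6 one where dig returns nil for the smartagent token, and the Rails 5.2 one where credentials.amazon[:key] is nil) come down to what the decrypted YAML actually parses to. Added example, not from either question or answer: it parses credentials plaintext the way Rails does (symbol keys, dig for nested lookups), shows how one extra indentation level silently moves a key, flags tab-indented lines, and lists every leaf path so the path you dig can be compared with the paths that exist. The plaintext and values are constructed placeholders.

```ruby
require "yaml"

# Constructed plaintext in the shape the Rails 6 question pastes into
# `rails credentials:edit`; the values are placeholders.
CREDENTIALS = <<~YAML
  test:
    mysql:
      db: acme-test
      user: deploy
      password: placeholder-password
    smartagent:
      token: placeholder-token
  secret_key_base: placeholder-secret
YAML

# The same text with "smartagent" indented two more spaces, so it becomes a
# child of "mysql" instead of a sibling.
MISNESTED_CREDENTIALS = <<~YAML
  test:
    mysql:
      db: acme-test
      user: deploy
      password: placeholder-password
      smartagent:
        token: placeholder-token
  secret_key_base: placeholder-secret
YAML

# Rails parses the decrypted credentials into a hash with symbol keys;
# dig walks it, and a wrong path yields nil rather than an error.
def load_credentials(text)
  YAML.safe_load(text, symbolize_names: true) || {}
end

def credential(text, *path)
  load_credentials(text).dig(*path)
end

# YAML forbids tabs in indentation, so a tab-indented line fails to parse
# (or, mixed with spaces, shifts keys to the wrong level). Returns the
# 1-based numbers of lines whose indentation contains a tab.
def tab_indented_lines(text)
  text.each_line.with_index(1)
      .select { |line, _n| line[/\A[ \t]*/].include?("\t") }
      .map { |_line, n| n }
end

# Every leaf as a dotted path; comparing this with the path you dig makes a
# mis-nested key obvious.
def leaf_paths(hash, prefix = [])
  hash.flat_map do |key, value|
    path = prefix + [key]
    value.is_a?(Hash) ? leaf_paths(value, path) : [path.join(".")]
  end
end
```

To check a real app, run `bin/rails credentials:show` and feed its output to `tab_indented_lines` and `leaf_paths`; if the path you dig is not in the list, the file is nested differently from what you expect.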

How to use dotenv to add Environment Variables to ruby on rails application?

I want to set SECRET_KEY_BASE which is used in secrets.yml:
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
I have tried adding the following to .profile:
export SECRET_KEY_BASE=cfbc3b45d65db30b853cdc0557e0be85609cf75974ebb706f46a00abe09eee9454b3d311e48ee4157e1e5d5e3de5b8d2a329dff13871837cbaeae6af2bc2e42f
It works well, but this is still not much better. I know that dotenv can add this in a .env file in the root path of the app, so I added
gem 'dotenv-rails'
gem 'dotenv-deployment'
and then added the following to .env.production in the root path of the rails app:
SECRET_KEY_BASE=cfbc3b45d65db30b853cdc0557e0be85609cf75974ebb706f46a00abe09eee9454b3d311e48ee4157e1e5d5e3de5b8d2a329dff13871837cbaeae6af2bc2e42f
But why doesn't this work?
In Rails 4.1, config/secrets.yml is the new default location for secret_key_base of your application. It can, however, be used also for storing other secret variables, making it a good place for environment-specific tokens, API keys etc.
Fill the file with the secrets you want to store, for example:
development:
  secret_key_base: your_development_secret
  api_key: some_key
production:
  secret_key_base: your_production_secret
  twitter_consumer_key: production_twitter_key
  twitter_consumer_secret: production_twitter_secret
  twitter_oauth_token: production_oauth_token
  twitter_oauth_token_secret: production_oauth_secret
In your code, you can access these secrets with Rails.application.secrets:
Twitter.configure do |config|
  config.consumer_key = Rails.application.secrets.twitter_consumer_key
  config.consumer_secret = Rails.application.secrets.twitter_consumer_secret
  config.oauth_token = Rails.application.secrets.twitter_oauth_token
  config.oauth_token_secret = Rails.application.secrets.twitter_oauth_token_secret
end
The secrets.yml file will be checked into git by default; add it to your .gitignore file.
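Whether a value in .env.production is seen usually depends on two dotenv rules: which files dotenv-rails reads for the current RAILS_ENV, and the rule that a variable already present in the process environment (such as one exported from .profile) is not overwritten by the file unless you ask for that. Added example, not the dotenv gem's code and not from the question or answer: a minimal loader that reimplements those two rules as I understand them from dotenv's documentation, so the precedence can be tested on constructed input.

```ruby
# Minimal reimplementation of two dotenv rules, assumed from dotenv-rails'
# documented behaviour (this is not the gem's code): the files read depend
# on RAILS_ENV, and an existing environment variable is not overwritten.

# Files dotenv-rails reads, most specific first (the gem also reads .local
# variants outside the test environment; omitted here).
def dotenv_files(rails_env)
  [".env.#{rails_env}", ".env"]
end

# Parse KEY=VALUE lines: blank lines and # comments are skipped, a leading
# "export " is allowed, and matching single or double quotes are stripped.
def parse_dotenv(text)
  text.each_line.each_with_object({}) do |raw, vars|
    line = raw.strip
    next if line.empty? || line.start_with?("#")

    line = line.sub(/\Aexport\s+/, "")
    key, value = line.split("=", 2)
    next unless value && key =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/

    value = value.strip
    if value.length >= 2 && %w[" '].include?(value[0]) && value[-1] == value[0]
      value = value[1..-2]
    end
    vars[key] = value
  end
end

# Apply parsed variables to an environment hash (ENV in a real app). Without
# overwrite: true, which mirrors Dotenv.load versus Dotenv.overload, a value
# already in the environment wins. Returns the keys that were set.
def apply_dotenv(vars, env, overwrite: false)
  vars.each_with_object([]) do |(key, value), applied|
    next if env.key?(key) && !overwrite

    env[key] = value
    applied << key
  end
end
```

The practical consequence: if SECRET_KEY_BASE is still exported from .profile, the value in .env.production is ignored under the default load, and if RAILS_ENV is not set to production, .env.production is not on the file list at all.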

Use secret_key_base as paperclip hash_secret

Rails 4 declares in config/secrets.yml the constant secret_key_base for "verifying the integrity of signed cookies". These are 128 characters (0..f) long.
Paperclip (file management) can use :hash_secret option to encode accessibles file names.
https://github.com/thoughtbot/paperclip/wiki/Hashing
Is it a good idea to use secret_key_base as the Paperclip hash secret? It seems to be a good solution, because it is complex enough, it's not in the project's commits, and there is one per environment.
Declaring 2 variables in secrets.yml would look like:
development:
  secret_key_base: 73512
  secret_key_asset: 123456
test:
  secret_key_base: 3dde2
  secret_key_asset: 789456
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  secret_key_asset: <%= ENV["SECRET_KEY_ASSET"] %>
... Seems too complicated for nothing, to me.
Regards
According to this excerpt from the Paperclip Wiki it would appear that secret_key_base is fine.
# config/initializers/paperclip_defaults.rb
Paperclip::Attachment.default_options.update({
  url: "/system/:class/:attachment/:id_partition/:style/:hash.:extension",
  hash_secret: Rails.application.secrets.secret_key_base
})
You can use a different secret key for Paperclip, but it's probably unnecessary for most projects.
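A middle path between the two options discussed (a second secret in secrets.yml, or secret_key_base used directly) is to keep one master secret per environment and derive a Paperclip-specific value from it, which is what Rails itself does internally: ActiveSupport::KeyGenerator runs PBKDF2 over secret_key_base with a purpose string as the salt, so cookies, sessions and other consumers never share the raw secret. Added example, not Paperclip's or Rails' code: the derivation re-implemented with OpenSSL so it runs without Rails, followed by the HMAC that Paperclip's :hash interpolation computes (HMAC-SHA1 over the interpolated hash_data by default, as described on the linked wiki page; that detail is assumed here). The secret_key_base and path values are constructed.

```ruby
require "openssl"

# Derive a purpose-specific secret from secret_key_base instead of handing the
# raw value to Paperclip. Same idea as ActiveSupport::KeyGenerator (PBKDF2 over
# secret_key_base with a purpose string as salt), re-implemented with OpenSSL.
def derive_secret(secret_key_base, purpose, length: 32)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: purpose, iterations: 1000,
                           length: length, hash: "sha256").unpack1("H*")
end

# Paperclip's :hash interpolation is, by default, HMAC-SHA1 over the
# interpolated hash_data (":class/:attachment/:id/:style/:updated_at"),
# hex-encoded. Assumed from the Paperclip wiki page linked in the question.
def paperclip_hash(hash_secret, hash_data, digest: "sha1")
  OpenSSL::HMAC.hexdigest(digest, hash_secret, hash_data)
end

# Constructed stand-in for ENV["SECRET_KEY_BASE"]; not a real key.
EXAMPLE_SECRET_KEY_BASE = "0" * 128

# What the url pattern from the answer would produce for one attachment, with
# the hash_secret derived rather than equal to secret_key_base.
def example_url
  secret = derive_secret(EXAMPLE_SECRET_KEY_BASE, "paperclip hash_secret")
  hash_data = "users/avatars/42/original/1700000000"
  "/system/users/avatars/000/000/042/original/#{paperclip_hash(secret, hash_data)}.jpg"
end
```

In the initializer this becomes `hash_secret: derive_secret(Rails.application.secrets.secret_key_base, "paperclip hash_secret")`; the derived value is still one per environment and still absent from the repository, and rotating secret_key_base changes every attachment URL exactly as it would when the raw value is used.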
