I want Heroku to not set SECRET_KEY_BASE so I can use the one from credentials, but despite me deleting it from the UI, verifying it doesn't exist by running heroku config, I still get it set as an environment variable on my dynos. And it's the same in all the dynos:
SECRET_KEY_BASE=d2753b472abb...
I also tried setting it to a blank string by running heroku config:set SECRET_KEY_BASE="" and Heroku insist on setting it up as I can see by running bash and then env within bash.
How can I prevent that from happening?
Unfortunately, the Heroku Ruby buildpack generates and sets SECRET_KEY_BASE via the shell if it doesn't exist in your Heroku config vars.
It currently doesn't seem possible to directly use the secret key set in credentials.yml. You could make credentials.yml and SECRET_KEY_BASE align though.
Source: https://github.com/heroku/heroku-buildpack-ruby/issues/1143
And here is a short extract from that issue:
If you set your own SECRET_KEY_BASE, we do nothing.
If you do not set a SECRET_KEY_BASE we generate and set one for you.
We recommend using our heroku config interface for storing secrets rather than using the encrypted file storage that ships with rails.
If you want to use encrypted file storage locally with rails you could copy our secret key base heroku run echo $SECRET_KEY_BASE or you can set your own
value manually locally and then again via heroku config.
I am coming in late to add some functionality to an already existing app hosted on heroku. The original builder has given me access and I 'heroku git:clone -a app-name' to my local computer.
I've found some conflicting instructions on how to set up a staging environment for this site. I don't want to push to the original site but want a way to try out functionality.
If anyone has had experience with staging and heroku, I'd appreciate any clarification.
You'll need to create a staging.rb file in config/environments. You can copy development.rb or production.rb and adjust whatever values you need.
Heroku will handle configuring the database configuration and such. You can clone an app in Heroku or just create a new one, then set it's RAILS_ENV and RACK_ENV environment variables to staging, and push to it.
Please refer: Heroku - Managing Multiple Environments for an App
You Need to create a second Heroku application that hosts your staging application.
Follow the instructions provided in the link for working with multiple environment in heroku.
I am able to execute something like git push heroku master with no problems but when I execute heroku fork -a heroku staging (where heroku is my existing app and staging is a new app I am trying to create) I get ' ! You do not have access to the app heroku.' and the fork does not initiate.
I am following the instructions at https://devcenter.heroku.com/articles/fork-app
I am trying to just make a staging environment and would like to use fork so I don't have to manually copy over config vars or DB data. Thanks.
EDIT:
Just found "Forking is only supported on production tier database plans. Follow these steps to upgrade from a starter tier (dev or basic) plan to a production plan." at https://devcenter.heroku.com/articles/heroku-postgres-fork. Looks like forking is not permitted on starter tier DB's. Does this statement mean you can't fork an app (heroku fork -a sourceapp targetapp) on a starter tier DB?
This question is answered in another thread- Forking my existing heroku app for multiple environments:
"staging should be the name of the application you are creating, not the name of the git remote. You need to pick a unique name. I typically use mysite-prod and mysite-staging as my application names."
Not sure on your question in your edit, but the first message means you don't have access to the app itself. I'd double check the credentials you're signed into the Heroku Toolbelt with.
https://github.com/ryanatwork/sign-in-with-linkedin
This example rails application that lets a user log in with LinkedIn requires that the "rails server" command in the terminal be prefaced by 'CONSUMER_KEY=[consumer key] CONSUMER_SECRET=[consumer secret]' so that the whole command looks like:
CONSUMER_KEY=[consumer key] CONSUMER_SECRET=[consumer secret] rails server
The linkedin login obviously won't work with a consumer key/secret, but I'm having trouble hardcoding my consumer key/secret into the app so that I can deploy to Heroku successfully, but am not having any luck. I've tried in several different config and controller files without any luck. Help appreciated!
When you deploy to Heroku you need to have these variables set using the heroku config command:
heroku config:add CONSUMER_KEY=[consumer key]
If you use Foreman to start your server (as Heroku does at their end) then you can have these variables loaded from a local file which never gets committed into your source control (you don't want these secret details in your source control)
Don't hardcode to heroku. You can use environment variables in Heroku to set CONSUMER_KEY and CONSUMER_SECRET.
Here are the docs from Heroku:
https://devcenter.heroku.com/articles/config-vars
I have a number of Rails apps hosted on GitHub. They are all currently private, and I often will deploy them from their GitHub repository. I'd like to be able to make some of them open source, just like the ones you can find on http://opensourcerails.com.
My question is: How can I make these repositories public without giving away super secret credentials?
For example, I can look in /config/initializers/cookie_verification_secret.rb and see the cookie secret for nearly every one of them. I don't understand how this is acceptable. Are these users all changing these values in their deploy environments somehow?
Some users even expose their AWS secret and key! Others will instead set their AWS secret to something like:
ENV['aws-secret']
although I'm not sure at what point they're setting that value.
So, what are the best practices for open sourcing your Rails app without compromising your app's security.
I recently went through this with one of my own apps. My solution was to store anything secret in a git-ignored YAML config file, and then to access that file using a simple class in the initializers directory. The config file is stored in the 'shared' folder for the Capistrano deployment and copied to config at each deploy.
Config store: http://github.com/tsigo/jugglf/blob/master/config/initializers/juggernaut.rb
Example usage: https://github.com/tsigo/jugglf/blob/6b91baae72fbe4b1f7efa2759bb472541546f7cf/config/initializers/session_store.rb
You may also want to remove from source control all history of the file that used these secret values. Here's a guide for doing this in Git that I used: http://help.github.com/removing-sensitive-data/
If you're using foreman, put an .env file in the root of your app. (foreman docs)
.env will have
AWS_SECRET=xxx
AWS_ACCESS=yyy
Then when you need to use the keys, insert:
ENV['AWS_SECRET']
ENV['AWS_ACCESS']
Though it's important that you don't commit this .env to your version control. So if you're using git, add the .env to your .gitignore.
Bonus round! - Heroku
If deploying to Heroku, these environment variables need to be configured in the Heroku environment, too. There are two options:
Manually add the keys through the heroku config:add command
Use the heroku-config gem to synchronize your local environment variables, both ways.
Not storing any secret value at all. At any point in the history of a Git repo.
Those values should be stored elsewhere, leaving only template config files versioned, along with a script able:
to read the right values from the external repo
and build the final config file complete (with the secret values in it)
By keeping the tow set of data separate (sources on one side, secret values on the other), you can then open source the sources repo without comprising any secrets.
I actually took a hint from your question, using ENV.
I had three different secret values that I didn't want made available. They're the app's secret token of course, and Twitter's consumer key and secret. In my secret token initializer:
KinTwit::Application.config.secret_token = ENV['SECRET_TOKEN']
Twitter.consumer_key = ENV['CONSUMER_KEY']
Twitter.consumer_secret = ENV['CONSUMER_SECRET']
I'm hosting my project on Heroku, so I added these as configuration variables to Heroku.
[03:07:48] [william#enterprise ~/dev/rwc/kintwit]$ heroku config:add CONSUMER_KEY=ub3rs3cr3tk3y
Adding config vars and restarting app... done, v7
CONSUMER_KEY => ub3rs3cr3tk3y
[03:08:40] [william#enterprise ~/dev/rwc/kintwit]$ heroku config:add CONSUMER_SECRET=ub3rs3cr3tk3y
Adding config vars and restarting app... done, v8
CONSUMER_SECRET => ub3rs3cr3tk3y
[03:08:57] [william#enterprise ~/dev/rwc/kintwit]$ heroku config:add SECRET_TOKEN=ub3rs3cr3tk3y
Adding config vars and restarting app... done, v9
SECRET_TOKEN => ub3rs3cr3tk3y
Now, the values are ready on my next push. But, what if you aren't using Heroku? I'm obviously not an expert on every single rails deployment (jeesh, not even a Heroku pro), but an example of this would be doing a db:migrate for testing.
$ RAILS_ENV=test rake db:migrate
The KEY=value pair before the command sets the environment variable, so running this command, echo ENV['RAILS_ENV'] would print test. So however this is set up in your environment is how you would do it. But, the environment variables aren't in your code, so that's the trick.
[EDIT - The following method has the annoyance of having to switch to the Production branch to run "rails server" in order to include necessary cookies. Thus, making edits while the server is difficult... and I'm still looking for a good solution]
After further investigation, I think the solution I was looking for was to exclude anything that stored a secret value from my Git repo's master branch (just as #VonC said). But instead of then reading from those files in a separate repo, I simply create a new "production" branch and add them to that.
This way they're excluded from Master and I can push that to Github or some other public repo just fine. When I'm ready to deploy, I can checkout the Production branch and merge Master into it and deploy Production.
I need to be able to do this because Heroku and other hosts require a single git repo to be pushed to their servers.
More information here:
http://groups.google.com/group/heroku/browse_thread/thread/d7b1aecb42696568/26d5249204c70574