Manage and deploy secrets (access keys, API tokens etc) in encrypted files which can safely be committed to the code repository. To decrypt and and use them, only one environment variable containing the corresponding key is required.
While similar in purpose to ActiveSupport::EncryptedConfiguration, this lightweight implementation doesn't introduce any dependencies.
- Homepage
- API
- Author: Sven Schwyn - Bitcetera
Thank you for supporting free and open-source software by sponsoring on GitHub or on Donorbox. Any gesture is appreciated, from a single Euro for a ☕️ cup of coffee to 🍹 early retirement.
This gem is cryptographically signed in order to assure it hasn't been tampered with. Unless already done, please add the author's public key as a trusted certificate now:
gem cert --add <(curl -Ls https://raw.github.com/svoop/dry-credentials/main/certs/svoop.pem)
Add the following to the Gemfile or gems.rb of your Bundler powered Ruby project:
gem 'dry-credentials'
And then install the bundle:
bundle install --trust-policy MediumSecurity
See Integrations below for how to integrate Dry::Credentials into frameworks.
Extend any class with Dry::Credentials
to use the default settings:
class App
extend Dry::Credentials
end
The credentials
macro allows you to tweak the settings:
class App
extend Dry::Credentials
credentials do
env "sandbox"
dir "/path/to/credentials"
end
end
dir
must exist and have the proper permissions set.
Now initialize the credentials for this env
:
App.credentials.edit!
It creates /path/to/credentials/sandbox.yml.enc
(where the encrypted credentials are stored) and opens this file using your favourite editor as per the EDITOR
environment variable.
For the sake of this example, let's assume you paste the following credentials:
otp:
secret_key: ZcikLNiUQoqOo594oH2eqw04HPclhjkpgvpBik/40oU=
salt: 583506a49c71724a9f085bf2e70362df9d973f08d6575191cab6a177dfb872c6
meta:
realm: main
When you close the editor, the credentials are encrypted and stored. This first time only, the key to encrypt and decrypt is printed to STDOUT:
SANDBOX_CREDENTIALS_KEY=68656973716a4e706e336733377245732b6e77584c6c772b5432446532456f674767664271374a623876383d
To decrypt the credentials and use them in your app, you have to set just this one environment variable containing the key, in this case:
export SANDBOX_CREDENTIALS_KEY=68656973716a4e706e336733377245732b6e77584c6c772b5432446532456f674767664271374a623876383d
Alternatively, you can omit the first part of the variable name. Such a key will be used for any app environment, but a more specific key will always take precedence. This is particularly useful when working with containerized setups:
export CREDENTIALS_KEY=68656973716a4e706e336733377245732b6e77584c6c772b5432446532456f674767664271374a623876383d
With this in place, you can use the decrypted credentials anywhere in your app:
App.credentials.otp.secret_key
# => "ZcikLNiUQoqOo594oH2eqw04HPclhjkpgvpBik/40oU="
App.credentials.otp.meta.realm
# => "main"
Credentials are isolated into environments which most likely will, but don't necessarily have to align with the environments of the app framework you're using.
By default, the current environment is read from APP_ENV
. You shouldn't use RACK_ENV
for this, here's why.
The credentials are lazy loaded when queried for the first time. After that, changes in the encrypted credentials files are not taken into account at runtime for efficiency reasons.
However, you can schedule a reload:
App.credentials.reload!
The reload is not done immediately but the next time credentials are queried.
This gem does not provide any CLI tools to edit the credentials. You should integrate it into your app instead e.g. with a Rake task or an extension to the CLI tool of the app framework you're using.
You can explicitly pass the environment to edit:
App.credentials.edit! "production"
Editing credentials implicitly schedules a reload!
.
In case you have to partition secrets beyond environments, you can set dynamic secrets which are composed on the fly. Here's an example.
You want to be able to connect to a shared database for the test environment, but the database URL differs whether you run the tests locally or on your favourite CI platform. To differ between the two, you set an environment variable CONTEXT
which is either local
or ci
and you defined the secrets accordingly:
database_url:
local: postgres://localhost:5432/example
ci: postgres://testuser:[email protected]:5432/example
To get the actual database URL, you have to:
App.credentials.database_url.send(ENV['CONTEXT'])
This is okay, but it may grow a lot longer and less readable in a real app. Enter dynamic secrets which are composed according to your needs:
App.credentials.define! :current_database_url do |credentials|
credentials.database_url.send(ENV['CONTEXT'])
end
Dynamic secrets are then available like any other secret, however, the block is called every time you query the dynamic secret:
App.credentials.current_database_url # => "postgres://localhost..."
Dry::Credentials::DefineError
.
If you have to, you can access the settings programmatically:
App.credentials[:env] # => "production"
Setting | Default | Description |
---|---|---|
env |
-> { ENV["APP_ENV"] } |
environment such as development |
dir |
"config/credentials" |
directory where encrypted credentials are stored |
cipher |
"aes-256-gcm" |
any of OpenSSL::Cipher.ciphers |
digest |
"sha256" |
sign digest used if the cipher doesn't support AEAD |
serializer |
Marshal |
serializer responding to dump and load |
The bridgetown_credentials gem integrates Dry::Credentials into your Bridgetown site.
To use credentials in a Hanami 2 app, first add this gem to the Gemfile of the app and then create a provider config/providers/credentials.rb
:
# frozen_string_literal: true
Hanami.app.register_provider :credentials do
prepare do
require "dry-credentials"
end
start do
Dry::Credentials::Extension.new.then do |credentials|
credentials[:env] = Hanami.env
credentials[:dir] = Hanami.app.root.join(credentials[:dir])
credentials[:dir].mkpath
credentials.load!
register "credentials", credentials
end
end
end
Next up are Rake tasks lib/tasks/credentials.rake
:
namespace :credentials do
desc "Edit (or create) the encrypted credentials file"
task :edit, [:env] => [:environment] do |_, args|
Hanami.app.prepare(:credentials)
Hanami.app['credentials'].edit! args[:env]
end
end
(As of Hanami 2.1, you have to explicitly load such tasks in the Rakefile yourself.)
You can now create a new credentials file for the development environment:
rake credentials:edit
This prints the credentials key you have to set in .env
:
DEVELOPMENT_CREDENTIALS_KEY=...
The credentials are now available anywhere you inject them:
module MyHanamiApp
class ApiKeyPrinter
include Deps[
"credentials"
]
def call
puts credentials.api_key
end
end
end
You can use the credentials in other providers. Say, you want to pass the ROM database URL (which contains the connection password) using credentials instead of settings. Simply replace target["settings"].database_url
with target["credentials"].database_url
and you're good to go:
Hanami.app.register_provider :persistence, namespace: true do
prepare do
require "rom"
config = ROM::Configuration.new(:sql, target["credentials"].database_url)
register "config", config
register "db", config.gateways[:default].connection
end
(...)
end
Finally, if you have trouble using the credentials in slices, you might have to share this app component in config/app.rb
:
module MyHanamiApp
class App < Hanami::App
config.shared_app_component_keys += ["credentials"]
end
end
ActiveSupport implements encrypted configuration which is used by rails credentials:edit
out of the box. There not much benefit from introducing Dry::Credentials as an additional dependency.
Dry::Credentials is integrated into Rodbot out of the box, see the README for more.
To install the development dependencies and then run the test suite:
bundle install
bundle exec rake # run tests once
bundle exec guard # run tests whenever files are modified
You're welcome to join the discussion forum to ask questions or drop feature ideas, submit issues you may encounter or contribute code by forking this project and submitting pull requests.