How to read Rails credentials from anywhere without Rails
Advanced usage of Rails Credentials to read it from anywhere
Why ?
Why would you want to access Rails Credentials without initializing Rails? That’s a good question. The answer is not as straightforward. Even within a Rails application, there are situations where you need to run code without initializing Rails. One common scenario I often come across is when using Capistrano, a deployment automation tool, to perform deployments. After a successful deployment, I may need to send an email to stakeholders of the application, informing them about the deployment status. To achieve this, I need to access SMTP credentials, but I don’t want to hardcode them into a file. Instead, I want to leverage Rails’ native capability of storing credentials and secrets and use that to load the SMTP credentials into the relevant Capistrano files where Rails is not initialized. This is just one example, and you may come across other interesting cases where these solutions can be useful.
How ?
So since Rails Credentials store the data in YAML format we would need the core Ruby ‘yaml’ library for parsing purposes and for actual decryption of the credentials file, Rails ‘active_support’ library which you could install independently as well.
- With a non-environmental credential file
- With environmental credential files
From the ActiveSupport::EncryptedFile module, we are able to decrypt the credentials file using the related master.key file. You can read further about this ‘active_support’ module here. It has a few parameters we should provide. Path of the credentials file in content_path, the path of the key file in key_path, and after that which environment should the credentials are for, in env_key (This could include “production”, “test” or any environment you might have depending on your setup) and lastly, whether you want to raise an error if the key file not found as a Boolean in raise_if_missing_key parameter.
So what the above snippet of the codes does is reading the credentials and parse the read content to YAML format. This will give a nested String key Hash of credentials, which we could change the keys to Symbols for our ease of use. This can be done by deeply transforming the keys into Symbols.
Access Individual Keys
After doing the above procedure now we have a credentials variable with a Hash we can use. But how are we going to access the credential keys are different from the normal Rails credentials access pattern as shown below.
As you can see Ruby’s dig method is used to retrieve the nested Hash key since it supports safe navigation and if any intermediate step is nil it will just return nil instead of throwing an error. I would recommend you use that instead of the normal Hash traverse.
FYI — How I tackled this in Capistrano
Conclusion
Basically above method provides a way to decrypt Rails credentials without loading heavy Rails module and having the security provided by the credentials functionality. This removes the need to hard code keys and secrets which should not be exposed in the code. All of the related Github gists can be found here.
I will be bringing these kinds of exciting articles where I explore nuggets throughout the Ruby ecosystem. Follow me now for a thrilling ride through all things Ruby 💎🤗
LinkedIn: https://www.linkedin.com/in/randika-banura/
Github: https://github.com/randikabanura
How to read Rails credentials from anywhere without loading Rails was originally published in Enlear Academy on Medium, where people are continuing the conversation by highlighting and responding to this story.
