14

As you know, you MUST provide the correct database name, username, and password for the database in the config/database.yml file, or your Rails app will refuse to work.

In the default setup, your password is in plain text in the config/database.yml file. If your app is on a free GitHub repository, then your password is public information. This is not a viable option for a serious app. (It's OK for a tutorial exercise, provided that you don't use this password for anything else.)

I have a solution that has worked for me so far, but I'm wondering if there is something better. You can see my deployed example at https://github.com/jhsu802701/bsf .

What I do is set up the config/database.yml file to provide the username and password for the development environment programmatically. For the development environment, I add commands to the config/database.yml script to acquire the development environment username (which is my regular username for the Debian Linux setup I use) and a blank password. (I give my username Postgres superuser privileges.) For the production environment, I add a command in the deployment script that acquires the username and password from files elsewhere on my account and writes this information to the config/database.yml file.

Is there a better solution?

Is there a Ruby gem that covers this? If not, I'm thinking of creating one.

jhsu802701

5 Answers

23

The way that Heroku does it, and the vast majority of other Rails shops, is with ENV variables.

Export two variables to your environment,

export POSTGRES_USERNAME='username'
export POSTGRES_PASSWORD='password'

then in your database.yml file you can do

username: <%= ENV['POSTGRES_USERNAME'] %>
password: <%= ENV['POSTGRES_PASSWORD'] %>

Adam Carlile
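
A preflight check for the ENV-based database.yml shown in the answer above, as an added example that is not part of the original answer. The sample template, the database name and the helper names are constructed for illustration; the check reports variables that are unset (which ENV['...'] would silently render as an empty string) and flags literal passwords before they are committed.

```ruby
require "erb"
require "yaml"

# Constructed sample template (not taken from any real app).
SAMPLE = <<~'YAML'
  default: &default
    adapter: postgresql
    username: <%= ENV['POSTGRES_USERNAME'] %>
    password: <%= ENV['POSTGRES_PASSWORD'] %>
  production:
    <<: *default
    database: myapp_production
YAML

# Matches ENV['NAME'] and ENV.fetch('NAME') references inside the template.
ENV_REF = /ENV(?:\.fetch\(|\[)\s*['"]([A-Z0-9_]+)['"]/

# Names of environment variables the template reads that are unset or empty.
# ENV['X'] renders as an empty string when X is unset, so check before boot.
def missing_env_vars(template, env = ENV)
  template.scan(ENV_REF).flatten.uniq.select { |name| env[name].to_s.empty? }
end

# Lines that set password: to a literal instead of an ERB lookup; these are
# the lines that must not reach a public repository.
def hardcoded_passwords(template)
  template.each_line.map(&:strip).select do |line|
    line =~ /\Apassword:\s*\S/ && line !~ /<%=.*%>/
  end
end

# Render the template the way Rails does (ERB first, then YAML) and return
# the settings for one environment, refusing to continue on unset variables.
def render_database_yml(template, rails_env)
  missing = missing_env_vars(template)
  raise KeyError, "unset: #{missing.join(', ')}" unless missing.empty?
  YAML.safe_load(ERB.new(template).result, aliases: true).fetch(rails_env)
end

if __FILE__ == $PROGRAM_NAME
  puts "unset variables: #{missing_env_vars(SAMPLE).inspect}"
  puts "literal passwords: #{hardcoded_passwords("password: hunter2\n").inspect}"
end
```
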
5

This is how I make it work:

On terminal/cmd:

heroku config:set YOUR_DATABASE_PASSWORD=passywordy

Then, in the /config/database.yml file:

production:
  <<: *default
  password: <%= ENV['YOUR_DATABASE_PASSWORD'] %>

(This password area was automatically generated when I used rails new my_app -d postgresql.)

cibinlik
1

On systems other than Heroku, export your variables to the system environment (Linux) by typing in bash export KEY=value. Then you can call it in Rails with ENV['KEY'].

e.g.
in bash:
export CMS_DATABASE_PASSWORD=MySecurePassword
in secrets.yml:
password: <%= ENV['CMS_DATABASE_PASSWORD'] %>

Raan
1

Setting the environment variables as described in the existing posts above will only persist the environment variables for the duration of the current shell session.

To set the environment variables permanently, the export instruction(s) should be added to your shell config file. (Then run source ~/.bashrc to apply the changes to your current session)

TL;DR: If you're using BASH, add the export instruction(s) to ~/.bashrc.

While the above should suffice (if using BASH on most popular Linux distros), confidently identifying which config file to update for your shell can be quite tricky. The following post explains the reasons why and provides guidance on which config file to edit.

https://unix.stackexchange.com/questions/117467/how-to-permanently-set-environmental-variables

Skilly
0

As of Rails 5+ there's built-in support for providing encrypted credentials that you can commit, then reference in your application via Rails.application.credentials.somesecret.

You can edit the credentials using rails credentials:edit, which will look for the decryption key in a file called master.key. Rails will add this value to the project .gitignore, but I recommend setting config.credentials.key_path to some place outside of the scope of git.

See rails credentials:help for more info, and this Rails Guide

Another approach (probably better) is to use your cloud provider's secrets, e.g. AWS Systems Manager Parameter Store.

Tom Harrison