29

In other Rails projects, I'd have a local database.yml and only commit the database.sample file to the source code repository. When deploying, a Capistrano script would symlink a shared version of database.yml to all the releases.

When deploying to Heroku, git is used and they seem to override database.yml altogether and do something internal.

That's all fine and good for database.yml, but what if I have S3 configurations in config/s3.yml? I'm putting my project on GitHub, so I don't want to commit the s3.yml where everyone can see my credentials. I'd rather commit a sample s3.sample which people will override with their own settings, and keep a local s3.yml file uncommitted in my working directory.

What is the best way to handle this?

Homan
  • Not an answer to this question, but some may find this alternative useful. One work-around is to upload to bitbucket, where repos are private, and include the secret keys directly in the yml file. No need for other moving parts/gems and any potential issues there also. A longer term solution should be to configure environment variables and hide secret keys from the secrets.yml file. But if someone was in a pinch for time like I was, this is a good temporary solution. – ahnbizcad Jul 30 '14 at 00:19
  • Create a new local branch where you modify .gitignore to allow the secret to be pushed to Heroku. Don't push that branch to your GitHub repo – tu4n Nov 03 '16 at 20:57
  • Check out my answer for more details – tu4n Nov 03 '16 at 21:03
  • 1
    Do NOT push your `secrets.yml` to Heroku EVER. See http://stackoverflow.com/a/26541742/6594668 – prograils Dec 09 '16 at 12:49

7 Answers

17

Heroku have some guidance on this -

http://devcenter.heroku.com/articles/config-vars

ipr101
13

An alternative solution is to create a new local branch where you modify .gitignore so the secret file can be pushed to Heroku. DON'T push this branch to your GitHub repo.

To push a non-master branch to Heroku, use:

    git push heroku secret-branch:master

More info can be found on:
https://devcenter.heroku.com/articles/multiple-environments#advanced-linking-local-branches-to-remote-apps

Use `heroku run bash` and then `ls` to check whether your secret file has been pushed to Heroku or not.

tu4n
7

If using Rails 4.1 beta, try the heroku_secrets gem, from https://github.com/alexpeattie/heroku_secrets:

    gem 'heroku_secrets', github: 'alexpeattie/heroku_secrets'

This lets you store secret keys in Rails 4.1's config/secrets.yml (which is not checked in to source control) and then just run

    rake heroku:secrets RAILS_ENV=production

to make its contents available to Heroku (it parses your secrets.yml file and pushes everything in it to Heroku as environment variables, per the Heroku best practice docs).

Simon Woolf
  • "which is not checked in to source control" Does this mean you don't have to explicitly gitignore it? When you use the passive voice like that, it leaves questions as to what the user should do. Does the heroku_secrets gem handle not making it public? I've read you should not gitignore the secrets.yml file when using the heroku_secrets gem. These are things to address that aren't addressed when you use phrasing like that. – ahnbizcad Jul 29 '14 at 00:28
7

Store the S3 credentials in environment variables.

    $ cd myapp
    $ heroku config:add S3_KEY=8N029N81 S3_SECRET=9s83109d3+583493190
    Adding config vars:
      S3_KEY    => 8N029N81
      S3_SECRET => 9s83109d3+583493190
    Restarting app...done.

In your app:

    AWS::S3::Base.establish_connection!(
      :access_key_id     => ENV['S3_KEY'],
      :secret_access_key => ENV['S3_SECRET']
    )

See the Heroku Config Vars documentation, which explains development setup etc.

Douglas F Shearer
  • 1
    "In your app:" where in my app???? What if you're not using amazonS3? does heroku use amazonS3, is that this tells you to use it? Questions like these are missing in the guides. I really don't understand how people just understand these guides. They don't help me. The guide talks about a procfile. I have no procfile. -_- – ahnbizcad Jul 29 '14 at 00:32
  • Saved my life! But I thought placing secret keys in application.yml and masking with gems like Figaro will be enough to let Heroku access them? – Chidozie Nnachor Jul 06 '18 at 10:45
2

You can also check out the Figaro gem.

Blachshma
Alan
  • 21
  • 2
  • 2
    If you are trying to do this for database settings, as per gem document, Figaro uses Rails' standard hooks to initialize. Unfortunately, this hook apparently occurs after database.yml is read. Because of this issue, environment variables created in application.yml don't work inside database.yml. – Swapnil Chincholkar Dec 20 '13 at 06:25
2

I solved this by building the credentials from env variables at build time and writing them to where I need them to be before the slug is created.

Some use-case-specific info that you can probably translate to your situation:

I'm deploying a Node project, and in the package.json in the postinstall script I call "bash create-secret.sh". Since postinstall is performed before the slug is created, the file will be added to the slug.

I had to use a bash script because I had some trouble printing strings that contained newlines that had to be printed correctly, and I wasn't able to get it done with Node. Probably just me not being skilled enough, but maybe you run into a similar problem.

Jasper Kennis
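A build-time script of the kind this answer describes, as an added example (it is not the answer author's script or part of the original post): it writes a multi-line secret from an environment variable to a file without losing the newlines. The variable name `SERVICE_KEY_PEM` and the path `config/service-key.pem` are hypothetical.

```shell
#!/bin/sh
# create-secret.sh: added example, not the answer author's script.
# SERVICE_KEY_PEM and config/service-key.pem are hypothetical names.

# write_secret VAR_NAME DEST
# Copies the value of the exported variable VAR_NAME into DEST, keeping
# embedded newlines. The body runs in a subshell, so umask and the
# variables below do not leak into the caller.
write_secret() (
  var_name=$1
  dest=$2

  # printenv exits non-zero when the variable is not in the environment.
  if ! value=$(printenv "$var_name") || [ -z "$value" ]; then
    echo "create-secret: $var_name is unset or empty; not writing $dest" >&2
    exit 1
  fi

  umask 077                      # new files are created as 0600
  tmp="$dest.tmp.$$"
  # printf '%s\n' writes the value verbatim. Unlike echo, it never
  # interprets backslashes, and the quotes stop word splitting from
  # collapsing the newlines into spaces.
  printf '%s\n' "$value" > "$tmp" || exit 1
  mv -f "$tmp" "$dest"           # replace the target in one step
)

# Runs only when invoked as create-secret.sh (e.g. "sh create-secret.sh"
# from the package.json postinstall hook). Sourcing the file under another
# name only defines write_secret.
case "${0##*/}" in
  create-secret.sh) write_secret SERVICE_KEY_PEM config/service-key.pem ;;
esac
```

The written file becomes part of the slug, as the answer says, so keep its path in .gitignore to stop it from also reaching the repository.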
0

Looking into this with Heroku + Build & Deploy-time Secrets. It seems like it's not something Heroku supports. This means for a Rails app, there is no way other than committing BUNDLE_GITHUB__COM, for example, to get from a private repo.

I'll try to see if there is a way to have CI bundle private deps before beaming at Heroku.

MrMesees