Rails on Docker: Using Rails Encrypted Credentials with Docker

Rails 5.1 introduced the encrypted secrets.yml.enc file, with Rails 5.2 tidying things up by consolidating secrets and credentials into the credentials.yml.enc file.

Along with the changes came the secrets:edit task, allowing you to edit the credentials YAML file whilst automatically decrypting and encrypting the file using a master key.

The key is provided either through config/master.key or by supplying a RAILS_MASTER_KEY environment variable. (More on this below…)

Editing Credentials in your Docker Container

When using Docker to develop and run your apps, though, getting secrets:edit to work may require a few tweaks to your Docker image.

Depending on how the image is configured, you'll need to ensure that an editor is installed in your container.

For one-off editing, we can do this using a simple command line:

$ cd /path/to/your/app
$ docker run --rm -it --mount type=bind,src=${PWD},target=/app my_app /bin/sh -c 'apt update && apt install -y vim && EDITOR=vim bin/rails credentials:edit'

Alternatively, you can ensure that vim (or your editor of choice) is installed into the Docker image:

FROM ruby:2.5

RUN apt update -qq && apt install -y vim # or nano, or your editor of choice

# ... continue your Dockerfile

$ docker build -t my_app .
$ docker run --rm -it --mount type=bind,src=${PWD},target=/app -e EDITOR=vim my_app bin/rails credentials:edit # Assume your app's code is ADDed to /app in the Dockerfile.

Using this technique, you can use Rails' built-in credentials editor without the need to install rails itself (and other dependencies) on your workstation machine.

Using Docker Compose

If you're using Docker Compose to manage your containers, credentials can be edited in the same way using the docker-compose run command.

Assuming a declaration similar to the following in your docker-compose.yml:

# ...
services:
  web:
    build: .
    volumes:
      - .:/app
    # ...

$ docker-compose run --rm -e EDITOR=vim web bin/rails credentials:edit

Supplying Your Master Key as an Environment Variable

By default, Rails creates a config/master.key file which is used to decrypt/encrypt your credentials file. As this file is by default excluded from your code repository, you may need to supply the key as an environment variable to your containers:

$ docker run --rm -it --mount type=bind,src=${PWD},target=/app -e EDITOR=vi -e RAILS_MASTER_KEY=your-master-key my_app bin/rails credentials:edit

Note that this is only necessary if you do not have the config/master.key file in your workspace.
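
The command above puts the key value on the command line, where it lands in shell history and the process list. The wrapper below is an added example, not code from the original post: it forwards RAILS_MASTER_KEY by name only when config/master.key is absent, and warns when the key file could be copied into the image by an ADD of the app directory. The function names are hypothetical; the image name my_app and the /app mount follow the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: image "my_app",
# app bind-mounted at /app, run from the app's root directory.

# Succeeds when config/master.key exists and .dockerignore does not list it,
# i.e. an ADD/COPY of the app directory would copy the key into the image.
# Simplified literal match; real .dockerignore globbing is richer.
key_leaks_into_image() {
  [ -f config/master.key ] || return 1
  [ -f .dockerignore ] || return 0
  ! grep -Eq '^/?config/master\.key[[:space:]]*$' .dockerignore
}

# Run credentials:edit in the container (hypothetical helper name).
edit_credentials() {
  image=${1:-my_app}
  set -- run --rm -it --mount "type=bind,src=${PWD},target=/app" \
    -e "EDITOR=${EDITOR:-vim}"
  if [ -f config/master.key ]; then
    if key_leaks_into_image; then
      echo 'warning: config/master.key is not in .dockerignore' >&2
    fi
  else
    if [ -z "${RAILS_MASTER_KEY:-}" ]; then
      echo 'no config/master.key and RAILS_MASTER_KEY is unset' >&2
      return 1
    fi
    # Name only, no "=value": docker copies the variable from this shell's
    # environment, so the key stays out of argv and shell history.
    set -- "$@" -e RAILS_MASTER_KEY
  fi
  docker "$@" "$image" bin/rails credentials:edit
}
```

Source the file and call edit_credentials my_app; RAILS_MASTER_KEY must be exported in the calling shell for docker to pick it up.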