Rails on Docker: Using Rails Encrypted Credentials with Docker
Rails 5.1 introduced the encrypted secrets.yml.enc file, with Rails 5.2 tidying things up by consolidating secrets and credentials into the credentials.yml.enc file.
Along with the changes came the secrets:edit task, allowing you to edit the credentials YAML file whilst automatically decrypting and encrypting the file using a master key.
The key is provided either through config/master.key or by supplying a RAILS_MASTER_KEY environment variable. (More on this below…)
Editing Credentials in your Docker Container
When using Docker to develop and run your apps, though, getting secrets:edit to work may require a few tweaks to your Docker image.
Depending on how the image is configured, you'll need to ensure that an editor is installed in your container.
For one-off editing, we can do this using a simple command line:
$ cd /path/to/your/app
$ docker run --rm -it --mount type=bind,src=${PWD},target=/app my_app /bin/sh -c 'apt update && apt install -y vim && EDITOR=vim bin/rails credentials:edit'
Alternatively, you can ensure that vim (or your editor of choice) is installed into the Docker image:
FROM ruby:2.5
# Install vim (or nano, or your editor of choice)
RUN apt update -qq && apt install -y vim
# ... continue your Dockerfile
$ docker build -t my_app .
$ docker run --rm -it --mount type=bind,src=${PWD},target=/app -e EDITOR=vim my_app bin/rails credentials:edit # Assume your app's code is ADDed to /app in the Dockerfile.
Using this technique, you can use Rails' built-in credentials editor without the need to install Rails itself (and other dependencies) on your workstation.
Using Docker Compose
If you're using Docker Compose to manage your containers, credentials can be edited in the same way using the docker-compose run command.
Assuming a declaration similar to the following in your docker-compose.yml:
# ...
services:
  web:
    build: .
    volumes:
      - .:/app
    # ...
$ docker-compose run --rm -e EDITOR=vim web bin/rails credentials:edit
Supplying Your Master Key as an Environment Variable
By default, Rails creates a config/master.key file which is used to decrypt/encrypt your credentials file. As this file is by default excluded from your code repository, you may need to supply the key as an environment variable to your containers:
$ docker run --rm -it --mount type=bind,src=${PWD},target=/app -e EDITOR=vi -e RAILS_MASTER_KEY=your-master-key my_app bin/rails credentials:edit
Note that this is only necessary if you do not have the config/master.key file in your workspace.
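The command above puts the key itself on the command line, where it is saved to shell history and is visible in the host's process list. The following added example (not from the original post) passes the key by name instead; IMAGE, DOCKER and the function names are assumptions of this sketch.

```shell
# Added example (not from the original post). IMAGE and DOCKER are variables
# assumed by this sketch; my_app is the image name used above.

# Prints where the container will find the master key for the app in $1:
# "file" (bind-mounted config/master.key), "env" (RAILS_MASTER_KEY) or "none".
master_key_source() {
  if [ -s "$1/config/master.key" ]; then
    echo file
  elif [ -n "${RAILS_MASTER_KEY:-}" ]; then
    echo env
  else
    echo none
  fi
}

# Reads the key from the terminal with echo off, so it is never typed into a
# command line and never lands in shell history.
prompt_master_key() {
  printf 'RAILS_MASTER_KEY: ' >&2
  stty -echo
  IFS= read -r RAILS_MASTER_KEY
  stty echo
  echo >&2
}

# Runs credentials:edit for the app in $1. The key is passed by name only
# ("-e RAILS_MASTER_KEY"), so docker copies the value from this shell's
# environment and it does not show up in the host's process list.
credentials_edit() {
  app_dir=$1
  set -- run --rm -it --mount "type=bind,src=$app_dir,target=/app" \
         -e "EDITOR=${EDITOR:-vim}"
  case $(master_key_source "$app_dir") in
    env)
      export RAILS_MASTER_KEY
      set -- "$@" -e RAILS_MASTER_KEY ;;
    none)
      if [ -e "$app_dir/config/credentials.yml.enc" ]; then
        echo "credentials.yml.enc exists but no master key is available" >&2
        return 1
      fi ;;
  esac
  set -- "$@" "${IMAGE:-my_app}" bin/rails credentials:edit
  "${DOCKER:-docker}" "$@"
}
```

Call prompt_master_key first when the key is not already set, then credentials_edit "$PWD"; setting DOCKER=echo prints the command instead of running it. The value is still part of the container's environment while it runs, so anyone who can run docker inspect on that host can read it.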