Overview
If your application requires the use of a database, EYK can securely manage the credentials. This article walks through how to accomplish this using Rails 5.2+ and a MySQL database. Procedures for other databases will be similar.
You will use Rails mechanisms to manage credentials. EYK securely facilitates the build and packaging that includes the master key for use with those credentials.
Environment
This guide assumes you have the following:
- An EYK cluster
  - See the Getting Started Guide step #2 for details on creating an EYK cluster.
- An application based on Ruby on Rails 5.2+
  - Rails 5.2 introduced encrypted credentials, which will be used in this article.
- A MySQL database
  - If you would like to provision an RDS database using EYK, see the article on Adding an AWS RDS Database.
Solution
- Prepare your Rails app for encrypted credentials and database connectivity. If you created a new Rails 5.2 app, most of these steps will already be done for you. If you have upgraded Rails, be sure to go through this checklist.
  - Open a command line and navigate to the root directory of your application project.
    cd <project-root-dir>
  - Rails 5.2 uses a master key to decrypt all credentials. It is provided to the framework either in a config/master.key file or via ENV["RAILS_MASTER_KEY"]. You do not want to check in the master.key file, so make sure your .gitignore file includes this entry. Even if this file does not exist right now, it will be created in step #2.
    # Ignore encrypted secrets key file.
    config/master.key
  - Add the mysql2 gem to your Gemfile. This is the database driver used by Ruby. For example:
    gem 'mysql2'
  - If you added this entry to your Gemfile, then run the following command:
    bundle install
- Configure your database connection information as encrypted credentials. Set the database username, password, and host using the following Rails command.
    EDITOR=vi bin/rails credentials:edit
  The content will look something like the example shown below, where avalue will be your environment's values. You can include the database name as well if you want to keep it secure.
    # aws:
    #   access_key_id: 123
    #   secret_access_key: 345
    db_yml_username: avalue
    db_yml_password: avalue
    db_yml_host: avalue
    # Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
    secret_key_base: avalue
  Use the editor's save command to make the changes. For vi, enter :wq
  You should see the following output and the config/credentials.yml.enc file should be updated. Your credentials are stored in this file, encrypted using the master key.
    New credentials encrypted and saved.
- Configure the database connection in the Rails database.yml file. The config/database.yml file contains connection information for all environments (development, test, production). For a MySQL database, the example below shows how to configure for a database named 'quizdatabase'. You can either provide hardcoded values like this (not recommended for credentials), or you can refer to the encrypted credentials we set up in the previous step (recommended). Note the usage of Rails.application.credentials to reference those values. Rails uses the master key to decrypt them when the server starts up.
    development:
      adapter: mysql2
      encoding: utf8
      pool: 5
      username: <%= Rails.application.credentials.db_yml_username %>
      password: <%= Rails.application.credentials.db_yml_password %>
      host: <%= Rails.application.credentials.db_yml_host %>
      database: quizdatabase
  See the Rails Configuration Guide for more details on this and how to configure other databases.
- Set the application configuration variables to use the RAILS_MASTER_KEY in the build and deployment of your application. During local development, Rails can use the config/master.key file to decrypt credentials. However, when you git push your code to EYK, the build and deployment environments also need the key. Because you don't want to commit the key file to your repository, application config variables are used for this. We also need to instruct EYK to pass the environment variables along to the build server. The DEIS_DOCKER_BUILD_ARGS_ENABLED environment variable is used to do this. Use the following commands to set the app config values. Alternatively, you can use the web console by navigating to your application's config tab.
    eyk config:set RAILS_MASTER_KEY=avalue
    eyk config:set DEIS_DOCKER_BUILD_ARGS_ENABLED=1
  Also, set these variables in your local environment where you will run the git push. These commands are operating system shell commands and the form will vary based on your platform.
    export DEIS_DOCKER_BUILD_ARGS_ENABLED=1
    export RAILS_MASTER_KEY=avalue
- Declare the RAILS_MASTER_KEY argument in your Dockerfile. Make sure the following line is in your Dockerfile before any Rails commands are run.
    ARG RAILS_MASTER_KEY
- Push your code to EYK and test. Make sure all your changes are committed to your local repository and then run the command:
    git push eyk <branch-name>
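A pre-push check for the procedure above, added here as an example and not part of EYK or the original article: it confirms that config/master.key is ignored, that RAILS_MASTER_KEY matches it, and that the Dockerfile declares the ARG before Rails runs. The function names are hypothetical, and it assumes the key was generated by Rails (32 hex characters).

```shell
#!/bin/sh
# Added example: pre-push checks. Function names are hypothetical, not eyk commands.

# .gitignore step: config/master.key must be ignored and must not be tracked.
check_key_ignored() (
  cd "$1" || exit 2
  grep -qxE '/?config/master\.key' .gitignore 2>/dev/null ||
    { echo "FAIL: config/master.key is not listed in .gitignore"; exit 1; }
  if command -v git >/dev/null 2>&1 &&
     git ls-files --error-unmatch config/master.key >/dev/null 2>&1; then
    echo "FAIL: config/master.key is tracked by git"; exit 1
  fi
)

# Config-variable step: RAILS_MASTER_KEY must be set, look like a Rails-generated
# key (assumed 32 hex characters) and match config/master.key when it exists.
check_master_key() (
  key=${RAILS_MASTER_KEY:-}
  [ -n "$key" ] || { echo "FAIL: RAILS_MASTER_KEY is not set"; exit 1; }
  printf '%s\n' "$key" | grep -qxE '[0-9a-f]{32}' ||
    { echo "FAIL: RAILS_MASTER_KEY is not 32 hex characters"; exit 1; }
  if [ -f "$1/config/master.key" ] &&
     [ "$(cat "$1/config/master.key")" != "$key" ]; then
    echo "FAIL: RAILS_MASTER_KEY differs from config/master.key"; exit 1
  fi
)

# Dockerfile step: ARG RAILS_MASTER_KEY must precede any RUN line that calls
# rails or rake. ARG is scoped to a build stage, so each FROM resets the state.
# Assumes uppercase instructions and single-line RUN commands.
check_dockerfile_arg() (
  awk '
    /^[ \t]*FROM[ \t]/ { declared = 0 }
    /^[ \t]*ARG[ \t]+RAILS_MASTER_KEY([ \t=].*)?$/ { declared = 1; any = 1 }
    /^[ \t]*RUN[ \t].*(rails|rake)/ && !declared { bad = 1 }
    END { exit !(any && !bad) }
  ' "$1/Dockerfile" ||
    { echo "FAIL: ARG RAILS_MASTER_KEY must precede rails/rake RUN lines"; exit 1; }
)

# Run every check; the result is non-zero if any of them failed.
eyk_preflight() {
  rc=0
  check_key_ignored "$1" || rc=1
  check_master_key "$1" || rc=1
  check_dockerfile_arg "$1" || rc=1
  return "$rc"
}

if [ "$#" -gt 0 ]; then eyk_preflight "$1"; fi
```

Run it with the project root as its argument before the git push. Because Docker records build-argument values in image metadata that docker history displays, access to the built image should be restricted like access to the key.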
Related Articles
- Getting Started with Engine Yard Kontainers
- Configure Environment Variables with the Kontainers Web Console