How to use secrets.yml for API_KEYS in Rails 4.1?


Problem description

In one of my recent projects I started out by .gitignoring the files containing secrets and environment variables. So the entire project is committed to the repo except the files that contain third party secrets such as that of Stripe, Twitter API or Facebook Graph or internal api_keys, ala the ./config/initializers/secret_token.rb file.

Now I am at a point where the project is about to go live (excited!) and I need to port all the environment variables on to the production server using Capistrano i.e. cap production deploy.

[Edit 4: Yr 2018]

In case of initializers/secret_token.rb it is clear that Rails 4.1 has a new way of handling secrets.yml file that pulls in the :secret_key_base value to the production server. Here, I recommend using the capistrano-secrets-yml gem which works right out of the box and is dead simple to use.

What is left is the way to carry other secrets like API_KEYS, APP_IDs etc. to the production server without checking any of those into the repo. How to do this, what is the most recommended/securest way or the best practices?

NOTE: I'll be editing the question as it progresses/I get more clarity.

EDIT1: Server is an Ubuntu/Linux VPS on DigitalOcean [Answer to Denise, below].

EDIT2: Can the env_variables/secrets be carried over to the server via secrets.yml? Secret_token for sessions is not the only secret after all! [Answered on Edit3]

EDIT3: Yes! It's possible to send in the API_keys via secrets.yml according to this blog. Will share my findings in some time. :-)

Recommended answer

First rule: DO NOT CHECK-IN secrets.yml into the repo.

Okay, here is what secrets.yml looks like:

development:
  secret_key_base: 6a1ada9d8e377c8fad5e530d6e0a1daa3d17e43ee... 
  # Paste output of $ rake secret here for your dev machine.

test:
  secret_key_base: _your_secret_ as above

production:
  secret_key_base: <%= secure_token %>


  STRIPE_PUBLISHABLE_KEY: 'Put your stripe keys for production'
  STRIPE_SECRET_KEY: 'Put actual keys for production here'
  FB_APP_SECRET: 'same as above'
  FB_CALLBACK_URL: 'FB url here'
  FB_CALLBACK_UPDATE_URL: 'FB url here'
  GOOGLE_KEY: 'Put your keys for production'
  GOOGLE_SECRET: 'same as above'
  TWITTER_KEY: 'same as above'
  TWITTER_SECRET: 'same as above'
  TWITTER_USERNAME: 'same as above'
  LINKEDIN_KEY: 'same as above'
  LINKEDIN_SECRET: 'same as above'

Note the secure_token up there in the production: block. On production server I'm using an initializer to dynamically generate secret_tokens on-the-fly.

sidenote: be careful about spaces and tabs inside the .yml file. It must be properly formatted and spaced (such as having a space after the ':' symbol).

To set it up on production you could then scp the file directly from your local or use the capistrano-secrets-yml gem.

This will not work. See an updated method as per @OddityOverseer's answer below.

To access the environment variables in your app environments/production.rb use:

FB_APP_SECRET            = ENV['FB_APP_SECRET']
FB_CALLBACK_URL          = ENV['FB_CALLBACK_URL']
FB_CALLBACK_UPDATE_URL   = ENV['FB_CALLBACK_UPDATE_URL']
GOOGLE_KEY               = ENV['GOOGLE_KEY']
GOOGLE_SECRET            = ENV['GOOGLE_SECRET']
TWITTER_KEY              = ENV['TWITTER_KEY']
TWITTER_SECRET           = ENV['TWITTER_SECRET']
TWITTER_USERNAME         = ENV['TWITTER_USERNAME']
LINKEDIN_KEY             = ENV['LINKEDIN_KEY']
LINKEDIN_SECRET          = ENV['LINKEDIN_SECRET']

UPDATED August-2016:

To access the environment variables in your app environments/production.rb use:

FB_APP_SECRET            = Rails.application.secrets.FB_APP_SECRET
FB_CALLBACK_URL          = Rails.application.secrets.FB_CALLBACK_URL
FB_CALLBACK_UPDATE_URL   = Rails.application.secrets.FB_CALLBACK_UPDATE_URL
GOOGLE_KEY               = Rails.application.secrets.GOOGLE_KEY
GOOGLE_SECRET            = Rails.application.secrets.GOOGLE_SECRET
TWITTER_KEY              = Rails.application.secrets.TWITTER_KEY
TWITTER_SECRET           = Rails.application.secrets.TWITTER_SECRET
TWITTER_USERNAME         = Rails.application.secrets.TWITTER_USERNAME
LINKEDIN_KEY             = Rails.application.secrets.LINKEDIN_KEY
LINKEDIN_SECRET          = Rails.application.secrets.LINKEDIN_SECRET

That's it.
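Added example, not code from the answer above: a small Ruby script that loads a secrets.yml like the one shown the way Rails does (ERB first, then YAML, then only the current environment's block) and fails fast when a required key is blank, so a production box with a missing API key aborts at boot rather than at the first third-party call. The sample YAML, the ENV variable names and the helper names are constructed for illustration.

```ruby
require "erb"
require "yaml"

# Constructed sample of a secrets.yml (not the poster's file). The production
# block pulls values from ENV via ERB, so no real secret is ever committed;
# only the placeholder-free template goes into the repo.
SAMPLE_SECRETS_YML = <<~YAML
  development:
    secret_key_base: dev_only_value_from_rake_secret
    STRIPE_SECRET_KEY: sk_test_placeholder

  production:
    secret_key_base: <%= ENV.fetch("SECRET_KEY_BASE", "") %>
    STRIPE_SECRET_KEY: <%= ENV.fetch("STRIPE_SECRET_KEY", "") %>
    FB_APP_SECRET: <%= ENV.fetch("FB_APP_SECRET", "") %>
YAML

# Mirrors how Rails 4.1 reads config/secrets.yml: render ERB, parse the YAML,
# keep the block for the requested environment, symbolize its keys. The result
# is what Rails.application.secrets.<NAME> would return.
def load_secrets(yml_source, env)
  rendered = ERB.new(yml_source).result
  all = YAML.safe_load(rendered) || {}
  section = all.fetch(env, {}) || {}
  section.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Fail-fast check for an initializer: returns the required secret names that
# are absent or blank (an unset ENV var renders as an empty YAML value).
def missing_secrets(secrets, required)
  required.reject { |name| secrets[name].to_s.strip != "" }
end

if __FILE__ == $PROGRAM_NAME
  env = ENV.fetch("RAILS_ENV", "development")
  secrets = load_secrets(SAMPLE_SECRETS_YML, env)
  missing = missing_secrets(secrets, [:secret_key_base, :STRIPE_SECRET_KEY])
  abort "Missing secrets for #{env}: #{missing.join(', ')}" unless missing.empty?
  puts "All required secrets present for #{env}"
end
```

Values containing YAML-significant characters (colons, `#`) should be quoted in the template, e.g. `"<%= ... %>"`, or the rendered file will not parse.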
