I'm using RoR hosted by Heroku and I'd like to store files on s3 using paperclip. My source code is hosted on github and is world readable. What is the best practice to keep the keys a secret from the rest of the world?
Paperclip suggests that the access keys are stored in a configuration file (or in code), so for example I have:
file: config/s3.yml
access_key_id: my_access_key_id
secret_access_key: my_very_secret_key
bucket: bucket_name
Heroku works by committing code to local git and then pushing it to Heroku.
Since I'm also using github, I push the same code to github as well. That means that I push the secret keys there too.
I'm currently using a world-readable github account, so if I payed github I could make half the problem go away but still I'm not happy with secret keys lying in a configuration file in code. I don't know if there's a better practice for this though.
What is the best practice for keeping the keys secret and still using the above mentioned list of libraries and services?
BTW, I've only started with ror and heroku last week so I may be considered a newbe, please be considerate ;) Thanks!
You need use the ENV variable from your heroku app.
If you do a heroku config you can have access to all of your ENV variable. You just add some and use it directly in your application.
With this trick you don't need update your code to change your configuration and the configuration if not define in your code base.
In your s3.yml you just need do :
access_key_id: <%= ENV['S3_ACCESS_KEY'] %>
secret_access_key: <%= ENV['S3_SECRET_KEY'] %>
bucket: <%= ENV['S3_BUCKET_NAME'] %>
And add this ENV VARIABLE in your heroku app
heroku config:add S3_ACCESS_KEY='your_key'
heroku config:add S3_SECRET_KEY='your_secret'
heroku config:add S3_BUCKET_NAME='your_nucket_name'
Not long ago Amazon released official AWS SDK for Ruby. It works pretty well with S3, supports American, European and Japanese S3 instances from the box and well maintained.
I have created a storage module for Paperclip called paperclip-aws to works with AWS SDK.
Feel free to use it. I hope that it will help.
err.. there is no other way if you are using heroku. You've got to put everything in a repo and push it to them.
Reg github, if you are going to use public repos - "private" them if you need those keys to make your app work. You got to trust your team members even if you give access to that private github repo to a selected few people.
I am not aware of any other ideas.
来源:https://stackoverflow.com/questions/4956583/ruby-on-rails-paperclip-heroku-github-and-aws-securing-keys