
GOD and environment variables: How to manage credentials?


I want to monitor a Ruby script with god and pass AWS credentials as environment variables. What's the recommended way to do this?

My current approach:

I would like to commit the god config file with the source code to GitHub, therefore I can't set the credentials as plain text in the god config file. I am trying to set them as system environment variables instead:

I set user and group in the god conf file, so that the process starts as this specific user. I have the access_key and api_secret set as environment variables for this user.

When I log in as this user and echo the environment variables, they are set correctly. God is started by upstart.

When god starts the script, it cannot find the credentials in the environment variables. I don't understand why.

Here are my conf files:

script.god.rb

rails_env   = ENV['RAILS_ENV']  || "production"
rails_root  = ENV['RAILS_ROOT'] || "/srv/www/photo-api/current"

God.watch do |w|
  w.name          = "zipper-done"
  w.group         = 'zipper'
  w.interval      = 30.seconds
  w.dir           = rails_root
  w.env           = { 'RAILS_ENV' => rails_env }
  w.start         = "bundle exec rake zip:listen"
  w.uid           = 'deploy'
  w.gid           = 'deploy'
  w.start_grace   = 10.seconds
  w.log           = File.join(rails_root, 'log', 'zipper-done.log')
end

/home/deploy/.bashrc

 export AWS_ACCESS_KEY_ID=AKI...KQ
 export AWS_SECRET_ACCESS_KEY=Cg...pVb

/home/deploy/.bash_profile

 source ~/.bashrc

When I puts ENV['AWS_ACCESS_KEY_ID'] and ENV['AWS_SECRET_ACCESS_KEY'], they are not set. What am I doing wrong?


Solution

  • Since you are storing these in a file anyway (e.g. instead of setting them using Puppet, Chef, Heroku config, etc.), you can use dotenv. Add it to your Gemfile:

    gem 'dotenv-rails'
    

    Add your variables to the .env file (or .env.production file for production-specific variables) at the root of your project:

    AWS_ACCESS_KEY_ID=...
    AWS_SECRET_ACCESS_KEY=...
    

    They will be available as ENV['AWS_ACCESS_KEY_ID'] and ENV['AWS_SECRET_ACCESS_KEY'].

    Don't forget to include .env files in your .gitignore. For documentation purposes you can copy your .env into an unignored .env.example with empty values.

    See the gem page for Rails and Capistrano specific instructions.
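
An added example, not part of the original answer and not code from god or dotenv: one way to keep the committed script.god.rb free of secrets is to read them from an untracked KEY=VALUE file and merge the result into w.env. The helper name load_credentials, the file-mode check, the secrets_path variable and the sample values are assumptions made for this illustration.

```ruby
# Added example: load AWS credentials from an untracked env file for a god watch.
# Helper name, mode policy and sample values are assumptions, not god/dotenv code.
require 'tempfile'

REQUIRED_KEYS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY].freeze

# Parse KEY=VALUE lines (optional "export " prefix, optional quotes).
# Refuses a file that group or others can access, and fails fast when a
# required key is missing, so the watched process never starts half-configured.
def load_credentials(path, required = REQUIRED_KEYS)
  mode = File.stat(path).mode & 0o777
  raise SecurityError, format('%s has mode %04o, want 0600 or stricter', path, mode) if (mode & 0o077) != 0

  env = {}
  File.foreach(path) do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    m = line.match(/\A(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)\z/)
    next unless m
    env[m[1]] = m[2].strip.sub(/\A(["'])(.*)\1\z/, '\2')
  end
  missing = required - env.keys
  raise KeyError, "missing #{missing.join(', ')} in #{path}" unless missing.empty?
  env
end

# In script.god.rb the result would be merged into the watch environment, e.g.
#   w.env = { 'RAILS_ENV' => rails_env }.merge(load_credentials(secrets_path))
# where secrets_path (hypothetical) points at a file kept out of the repository.

# Constructed sample input with placeholder values, not real credentials.
def demo
  file = Tempfile.new('aws-env')
  file.write("# constructed sample\nexport AWS_ACCESS_KEY_ID=EXAMPLEKEYID\n" \
             "AWS_SECRET_ACCESS_KEY=\"example-secret\"\n")
  file.close
  File.chmod(0o600, file.path)
  loaded = load_credentials(file.path)
  File.chmod(0o644, file.path) # world-readable: must now be rejected
  rejected = begin
    load_credentials(file.path)
    false
  rescue SecurityError
    true
  end
  [loaded, rejected]
ensure
  file&.unlink
end
```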