Ruby: Handling secrets (environment variables)

This documentation is part of the Advanced usages guide. You can view the complete guide here: Going further with your Ruby deployments.

At some point, you will need to manage secrets such as tokens or passwords for databases and third-party services. It is essential to store these secrets securely. Avoid embedding secrets directly in your repository or code because this poses a serious security risk.

Environment variables offer two significant benefits:

  1. Your secrets will not be stored in your Git repository, reducing the risk if someone gains access to your source code.
  2. You can use different credentials for different environments. For example, connect to your production database in production while using a development database during development.

For development, create a .env file in the root of your project. This file will be excluded from Git so that it is never committed. Use the dotenv gem to automatically load the .env file.

First, add the dotenv-rails gem to your Gemfile:

# Gemfile
gem 'dotenv-rails', groups: [:development, :test]

Then install the gem:

bundle install

Next, create a .env file at the root of your project and add your variables:

RAILS_ENV="development"
DATABASE_PASSWORD="secretPassword"
THIRD_API_PRIVATE_KEY="secretKey"
# ...

Finally, ensure the .env file is ignored by Git:

echo '.env*' >> .gitignore

For staging and production, a .env file is neither secure nor practical, since it must not be stored in your Git repository. Instead, Stackhero provides a secure solution for managing environment variables directly in your Ruby service configuration.

You can set these variables via the Stackhero dashboard by selecting your Ruby service and clicking the "Configure" button.

In Ruby, you can easily access environment variables using ENV. For example, to retrieve DATABASE_PASSWORD, use:

ENV['DATABASE_PASSWORD'] # => 'secretPassword'

Here is an example of how to connect to a RabbitMQ server using environment variables:

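require 'bunny'

class RabbitMQClient
  def initialize
    # Credentials come from the environment, never from the source code.
    @connection = Bunny.new(hostname: ENV['RABBITMQ_HOST'],
                            username: ENV['RABBITMQ_USERNAME'],
                            password: ENV['RABBITMQ_PASSWORD'])
    @connection.start
    # Open one channel and reuse it instead of creating one per publish.
    @channel = @connection.create_channel
  end

  # Publish a message to the named queue through the default exchange.
  def publish(queue_name, message)
    queue = @channel.queue(queue_name)
    @channel.default_exchange.publish(message, routing_key: queue.name)
  end

  # Closing the connection also closes its channels.
  def close
    @connection.close
  end
end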

On the development platform, your .env file might include:

RABBITMQ_HOST='127.0.0.1'
RABBITMQ_USERNAME='developmentUser'
RABBITMQ_PASSWORD='developmentPassword'

For production and staging, define your environment variables in the Stackhero dashboard under the Ruby service configuration as shown below:

RABBITMQ_HOST='<XXXXXX>.stackhero-network.com'
RABBITMQ_USERNAME='production'
RABBITMQ_PASSWORD='secretProductionPassword'
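
`ENV['NAME']` returns `nil` when a variable was never defined, so a variable forgotten in the dashboard only shows up later as a connection failure. The following is an added example, not code from Stackhero, dotenv or Bunny: a boot-time check that stops with the names of the missing variables and gives a log-safe view of the loaded values. `REQUIRED_SECRETS`, `MissingSecretError`, `load_secrets` and `redacted` are hypothetical names, and the sample values are constructed.

```ruby
# Added example: REQUIRED_SECRETS, MissingSecretError, load_secrets and
# redacted are hypothetical names, not part of Stackhero, dotenv or Bunny.
REQUIRED_SECRETS = %w[RABBITMQ_HOST RABBITMQ_USERNAME RABBITMQ_PASSWORD].freeze
SENSITIVE_NAME = /PASSWORD|SECRET|TOKEN|KEY/.freeze

class MissingSecretError < StandardError; end

# Returns a frozen hash of the required variables. Raises if any is unset
# or blank; the message lists variable names only, never values.
def load_secrets(env = ENV, required = REQUIRED_SECRETS)
  missing = required.select { |name| env[name].to_s.strip.empty? }
  unless missing.empty?
    raise MissingSecretError,
          "Missing environment variables: #{missing.join(', ')}"
  end
  required.to_h { |name| [name, env[name]] }.freeze
end

# Copy that is safe to log: values of sensitive-looking names are masked.
def redacted(secrets)
  secrets.to_h do |name, value|
    [name, name.match?(SENSITIVE_NAME) ? '[REDACTED]' : value]
  end
end

# Constructed sample input mirroring the development .env above.
SAMPLE_ENV = {
  'RABBITMQ_HOST' => '127.0.0.1',
  'RABBITMQ_USERNAME' => 'developmentUser',
  'RABBITMQ_PASSWORD' => 'developmentPassword'
}.freeze

secrets = load_secrets(SAMPLE_ENV)
puts redacted(secrets).inspect

begin
  load_secrets(SAMPLE_ENV.reject { |name, _| name == 'RABBITMQ_PASSWORD' })
rescue MissingSecretError => e
  warn e.message # names the missing variable, prints no value
end
```

In the application, call `load_secrets` with no arguments at boot so it reads the real `ENV`, and pass the returned values to `Bunny.new` in place of the direct `ENV[...]` lookups.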