Credentials for Bridgetown
This plugin adds Rails-like encrypted credentials to Bridgetown.
Credentials like passwords, access tokens and other secrets are often passed to sites each via its own ENV variable. This is both uncool and non-atomic, and therefore unreliable. Use this plugin to store your credentials in encrypted YAML files which you can safely commit to your source code repository. In order to use all of them in Bridgetown, you have to set or pass exactly one ENV variable holding the key to decrypt.
- Homepage
- API
- Author: Sven Schwyn - Bitcetera
Installation
First add this gem to your bundle:
$ bundle add bridgetown_credentials
Then enable it in config/initializers.rb:
init :bridgetown_credentials
For the time being, it's necessary to require this gem early in the boot process for the commands to be picked up. Add a config/boot.rb to your site reading:
Bundler.setup(:default, Bridgetown.env)
require "bridgetown_credentials"
For safety, you should exclude key files from the source code repository:
bin/bridgetown apply "$(bundle info --path bridgetown_credentials)/bridgetown.automation.rb"
Secure Installation
This gem is cryptographically signed in order to assure it hasn't been tampered with.
To install it securely, add the author's public key as a trusted certificate and then install the bundle with the trust policy of your choice:
gem cert --add <(curl -Ls https://raw.github.com/svoop/bridgetown_credentials/main/certs/svoop.pem)
bundle install --trust-policy MediumSecurity
Usage
First Time
Make sure you have set the EDITOR variable to your favourite editor and then create a new credentials file:
echo $EDITOR
bin/bridgetown credentials edit
You might want to add something along the lines of:
foo: bar
aws:
  access_key_id: awsXid
  secret_access_key: awsXsecret
google:
  maps:
    api_key: goomXkey
  places:
    api_key: goopXkey
After saving the file, the following new files have been created:
config/
└─ credentials/
   ├─ development.key
   └─ development.yml.enc
⚠️ Move the *.key files to a safe place such as a password manager now! Never check them into the source code repository!
The credentials you've edited above have been written to development.yml.enc and will be available when Bridgetown is in development mode.
To edit the credentials for production mode:
bin/bridgetown credentials edit -e production
To edit or use a credentials file from now on, you have to set the corresponding key as an ENV variable. The actual key is the content of the *.key file you should have tucked away above.
export BRIDGETOWN_DEVELOPMENT_KEY="10aabbccddeeff00112233445566778899"
export BRIDGETOWN_PRODUCTION_KEY="20aabbccddeeff00112233445566778899"
Unified Environments
If you prefer not to separate credentials between different environments:
rm config/credentials/production.*
mv config/credentials/development.yml.enc config/credentials.yml.enc
rmdir config/credentials
This simplifies the files to:
config/
└─ credentials.yml.enc
To edit or use this from now on, you have to set:
export BRIDGETOWN_CREDENTIALS_KEY="30aabbccddeeff00112233445566778899"
⚠️ If config/credentials.yml.enc is present, any other credentials files are ignored.
Read
Throughout the Bridgetown stack, you can now use the credentials as follows:
Bridgetown.credentials.foo # => "bar"
Bridgetown.credentials.aws[:access_key_id] # => "awsXid"
Bridgetown.credentials.google.dig(:maps, :api_key) # => "goomXkey"
Commands
- bin/bridgetown credentials edit – edit the credentials
- bin/bridgetown credentials show – dump the decrypted credentials to STDOUT
Tests
- bundle exec rake test – run the test suite
- script/cibuild – validate with Rubocop and Minitest together
Development
You're welcome to submit issues and contribute code by forking the project and submitting pull requests.