Environment-specific configuration with Rails credentials

1043 views

                  class PaymentService
  def initialize
    Stripe.api_key = Rails.application.credentials.stripe[:secret_key]
  end

  def create_payment_intent(amount:, currency: 'usd')
    Stripe::PaymentIntent.create(
      amount: amount,
      currency: currency
    )
  end
end

                  # Encrypted file, edit with: rails credentials:edit --environment production
secret_key_base: [encrypted]

database:
  url: postgresql://user:pass@host:5432/dbname

redis:
  url: redis://redis-host:6379/0

stripe:
  publishable_key: pk_live_...
  secret_key: sk_live_...
  webhook_secret: whsec_...

aws:
  access_key_id: AKIA...
  secret_access_key: [encrypted]
  region: us-east-1
  bucket: production-uploads

jwt_secret: [encrypted]

Storing secrets in environment variables works but gets messy at scale with dozens of keys. Rails encrypted credentials provide a structured alternative where secrets live in version-controlled credentials.yml.enc files, encrypted with a master key stored outside the repo. I can have environment-specific credentials like credentials/production.yml.enc that override shared defaults. The rails credentials:edit command decrypts, opens an editor, and re-encrypts on save. This approach keeps sensitive configuration centralized and auditable while preventing accidental commits of plaintext secrets. The master key must be injected at deploy time via RAILS_MASTER_KEY env var or config/master.key file. I organize credentials hierarchically with namespaces for each service.

Alex Kumar

More from Alex Kumar

Environment-specific configuration with Rails credentials

0 Comments

More from Alex Kumar