Ruby on Rails, Paperclip, Heroku, GitHub and AWS - keeping the keys secret
I'm using RoR hosted by Heroku and I'd like to store files on S3 using Paperclip. My source code is hosted on GitHub and is world-readable. What is the best practice to keep the keys a secret from the rest of the world?
Paperclip suggests that the access keys are stored in a configuration file (or in code), so for example I have:
file: config/s3.yml
access_key_id: my_access_key_id
secret_access_key: my_very_secret_key
bucket: bucket_name
Heroku works by committing code to local git and then pushing it to Heroku.
Since I'm also using GitHub, I push the same code to GitHub as well. That means that I push the secret keys there too.
I'm currently using a world-readable GitHub account, so if I paid GitHub I could make half the problem go away, but I'm still not happy with secret keys lying in a configuration file in code. I don't know if there's a better practice for this, though.
What is the best practice for keeping the keys secret and still using the above-mentioned list of libraries and services?
BTW, I only started with RoR and Heroku last week, so I may be considered a newbie, please be considerate ;) Thanks!
You need to use the ENV variables from your Heroku app.
If you run heroku config you can see all of your ENV variables. You just add some and use them directly in your application.
With this trick you don't need to update your code to change your configuration, and the configuration is not defined in your code base.
In your s3.yml you just need to do:
And add this ENV VARIABLE in your Heroku app
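One way to do what this answer describes, as an added example that is not code from the answer or from Paperclip: a config/s3.yml that reads the keys from the environment (Paperclip runs the credentials file through ERB before parsing it as YAML), a loader that fails at boot when a variable is unset, and a check that flags literal credentials before they are committed. The variable names S3_KEY, S3_SECRET and S3_BUCKET are assumptions.

```ruby
require "erb"
require "yaml"

# Constructed sample of a config/s3.yml that references environment variables
# instead of embedding the keys. S3_KEY, S3_SECRET and S3_BUCKET are assumed
# names; Paperclip evaluates the file with ERB and then loads it as YAML.
SAFE_S3_YML = <<~YAML
  access_key_id: <%= ENV["S3_KEY"] %>
  secret_access_key: <%= ENV["S3_SECRET"] %>
  bucket: <%= ENV["S3_BUCKET"] %>
YAML

# Constructed sample of the pattern from the question: literal values in the file.
UNSAFE_S3_YML = <<~YAML
  access_key_id: my_access_key_id
  secret_access_key: my_very_secret_key
  bucket: bucket_name
YAML

SECRET_KEYS = %w[access_key_id secret_access_key].freeze
REQUIRED_ENV = %w[S3_KEY S3_SECRET S3_BUCKET].freeze

# Return the credential keys whose value is a literal rather than an ERB
# expression, i.e. exactly what must never be pushed to a public repository.
def hardcoded_credentials(yml_source)
  yml_source.each_line.filter_map do |line|
    key, value = line.split(":", 2).map(&:strip)
    key if SECRET_KEYS.include?(key) && !value.to_s.include?("<%=")
  end
end

# Render the file the way Paperclip does (ERB, then YAML) and fail fast if a
# required variable is unset, so a misconfigured dyno refuses to boot instead
# of talking to S3 with nil credentials.
def load_s3_config(yml_source = SAFE_S3_YML)
  missing = REQUIRED_ENV.reject { |name| ENV[name] && !ENV[name].empty? }
  raise KeyError, "unset environment variables: #{missing.join(', ')}" unless missing.empty?
  YAML.safe_load(ERB.new(yml_source).result)
end

if __FILE__ == $PROGRAM_NAME
  puts "literal credentials in unsafe file: #{hardcoded_credentials(UNSAFE_S3_YML).inspect}"
  puts "literal credentials in safe file:   #{hardcoded_credentials(SAFE_S3_YML).inspect}"
  begin
    p load_s3_config
  rescue KeyError => e
    warn e.message # printed when S3_KEY, S3_SECRET or S3_BUCKET are not exported
  end
end
```

The values themselves are then set on the dyno with `heroku config:set S3_KEY=... S3_SECRET=... S3_BUCKET=...` rather than in the repository.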
Not long ago Amazon released the official AWS SDK for Ruby. It works pretty well with S3, supports American, European and Japanese S3 instances out of the box, and is well maintained.
I have created a storage module for Paperclip called paperclip-aws that works with the AWS SDK.
Feel free to use it. I hope that it will help.
Err... there is no other way if you are using Heroku. You've got to put everything in a repo and push it to them.
Regarding GitHub, if you are going to use public repos, make them "private" if you need those keys to make your app work. You've got to trust your team members even if you give access to that private GitHub repo to a selected few people.
I am not aware of any other ideas.