jets credentials:edit [options]
Storing Encrypted Credentials in Source Control
credentials commands provide access to encrypted credentials,
so you can safely store access tokens, database passwords, and the like
safely inside the app without relying on a mess of ENVs.
This also allows for atomic deploys: no need to coordinate key changes to get everything working as the keys are shipped with the code.
Applications after Jets 5 automatically have a basic credentials file generated that just contains the secret_key_base used by MessageVerifiers/MessageEncryptors, like the ones signing and encrypting cookies.
For applications created prior to Jets 5, we’ll automatically generate a new
credentials file in
config/credentials.yml.enc the first time you run
If you didn’t have a master key saved in
config/master.key, that’ll be created too.
Don’t lose this master key! Put it in a password manager your team can access. Should you lose it no one, including you, will be able to access any encrypted credentials.
Don’t commit the key! Add
config/master.key to your source control’s
ignore file. If you use Git, Jets handles this for you.
Jets also looks for the master key in
ENV["JETS_MASTER_KEY"], if that’s easier to manage.
You could prepend that to your server’s start command like this:
Set up Git to Diff Credentials
bin/jets credentials:diff --enroll to instruct Git to call
bin/jets credentials:diff when
git diff is run on a credentials file.
Running the command enrolls the project such that all credentials files use the “jets_credentials” diff driver in .gitattributes.
Additionally since Git requires the driver itself to be set up in a config file
that isn’t tracked Jets automatically ensures it’s configured when running
Otherwise each co-worker would have to run enable manually, including on each new repo clone.
To disenroll from this feature, run
bin/jets credentials:diff --disenroll.
This will open a temporary file in
$EDITOR with the decrypted contents to edit
the encrypted credentials.
When the temporary file is next saved the contents are encrypted and written to
config/credentials.yml.enc while the file itself is destroyed to prevent credentials
Environment Specific Credentials
credentials command supports passing an
--environment option to create an
environment specific override. That override will take precedence over the
config/credentials.yml.enc file when running in that environment. So:
bin/jets credentials:edit --environment development
config/credentials/development.yml.enc with the corresponding
encryption key in
config/credentials/development.key if the credentials file
The encryption key can also be put in
ENV["JETS_MASTER_KEY"], which takes
precedence over the file encryption key.
In addition to that, the default credentials lookup paths can be overridden through
For editors that fork and exit immediately, it’s important to pass a wait flag, otherwise the credentials will be saved immediately with no chance to edit.
EDITOR="code --wait" jets credentials:edit
Accessing in App
Let’s say you have credentials like so:
❯ jets credentials:show
You can access them in the app like so:
❯ jets console
Remember, when you deploy this to Lambda you should set the
JETS_MASTER_KEY. You set it with Env Files. Otherwise the
Jets.application.credentials.xx values will return
-e, [--environment=ENVIRONMENT] # Specifies the environment to run this credentials under (test/development/production).