From needing to hide API keys to app authorization keys and secrets, dotenv is the gem you want to use in order to protect your projects credentials. As a developer, you don’t want your personal project credentials to be used by those who fork or clone your project.
API keys are vulnerable, as most API’s require them to allow access for each request they receive. Here are a few reasons to protect API keys:
Some API’s only allow you to make so many API calls a day/month/year before making you pay money to continue to use the API.
There are API’s that limit the amount of calls you can make in a specific time period.
API keys can be suspended due to use outside of their terms of service.
This is where dotenv comes into play. What does dotenv do exactly? As a gem, “dotenv loads variables from a .env file into ENV when the environment is bootstrapped.” In layman’s terms, dotenv takes variables that we place in a .env file and makes them accessible by calling ENV[‘EXAMPLE_KEY’]. We protect this .env file and the keys inside it by placing it in our .gitignore file. Now, let’s get into the installation and usage instructions for dotenv.
Installation
Add this line to your application’s Gemfile:
gem ‘dotenv-rails’
And then run bundle install in your terminal.
Create your .env file in the root of your project directory. You could do this manually or by running touch .env in your terminal.
Usage
Write your credentials in .env
EXAMPLE_API_KEY=YOURAPIKEYHERE
Upon your application loading, the variables in this file will be available in ENV. You can call them by using:
ENV[“EXAMPLE_API_KEY”]
Lastly, you don’t want to forget to protect those API keys. Make sure to include .env in your .gitignore file!!!!
There you go, you are all set to protect your API keys by using the dotenv gem.
Happy coding!
Resources
API Key Protection
The Simplest and Powerful Ruby Gem — Dotenv
Dotenv Documentation
Top comments (1)
Securing Configuration Files on AWS
So if you aren't suppose to commit you dotenv, application.yml, or secrets.yml then how do you get those configuration files onto your server? Well it depends.
Heroku, OpsWorks and Elastic Beanstalk have a place where you can environment variables (env vars) into a GUI which get passed to your instances but sometimes we aren't so lucky to have a GUI such as when you are provisioning an instance manually eg. Linode, Digital Ocean or EC2 instances.
So what you can do instead if store your configuration file on S3, System Managers Parameter Store or AWS Secrets Manager. Then when you deploy you have a script triggered that will use the AWS SDK to pull from one of the three services I suggested.
Another good reason to store your configuration file in one of the 3 AWS services I mentioned is you can apply encryption using KMS and can even restrict access to specific users so only those who are in the need to know basis can actually see the configuration file.
In my Video on AWS Security I show more in detail how to do this specific to configuration files.
Figaro vs DotEnv
I wanted to suggest an alternative to dotenv as Figaro I think is more wildly adopted in the Rails community. Though dotenv is quite universal though either or will get the job done. Here's the difference which I pulled from the Figaro's github page:
Configuration File
Configuration File Format
Security vs. Convenience
Framework Focus