[Rails] Manage secret keys etc. with credentials.yml


I will summarize the credentials that appeared from Rails 5 series as a memorandum.

What are credentials?

It is a file to store the private key etc.

The contents of this file are encrypted by master.key, so anyone who does not know the correct master.key cannot see the contents.

The contents of credentials can be called as variables in other files if there is information on master.key, so it may be convenient to put the API key etc. in this file.

The master.key and credentials files are created automatically when you do rails new, and master.key is in .gitignore by default, so you don't have to worry about leaking it from github.

Advance preparation

This time it is assumed that VScode will be used.

First, open the palette with command + shift + P in VScode. Then type shell in the search box to install the shell.

You can now edit your credentials file in VScode from your terminal.

How to set

Open the credentials file in VScode with the following command.


$ EDITOR='code --wait' rails credentials:edit

By default, the example is commented out on the first three lines, so you can copy it.


  access_key_id: 123
  secret_access_key: 345q

The first line describes what kind of group it is, and the second and third lines describe the id and access key. The contents of the group need to be indented.

You can set multiple settings instead of just one, so try setting them.


  access_key_id: 123
  secret_access_key: 345q

  email: '[email protected]'
  password: 'sample1234'


You need to close the VScode tab to save the credentials file. If it is closed and saved correctly, the following message will be displayed in the terminal. New credentials encrypted and saved.

How to call

To call the contents, you can write the following in the ruby file.

Rails.application.credentials[:group name][:contents]

In this example, it can be used as follows.


You can check it from the terminal on the console, so it's a good idea to check it when you edit the credentials file. Open the console with rails c and check it. cb6ac75e17de6feb8c00047fc7b39d02.png You can call it properly.


By sharing master.key, such as when developing a team, other people can see and edit the contents of credentials. I think it's a good idea to share master.key with a messaging app.

However, even if you are a trusted companion, you should not share your personal aws id and access key with credentials. (Think of it as sharing your credit card number and verification code.)

Carefully decide what information you should share and what you shouldn't. Don't regret being betrayed and developing like Kaiji! Lol

Recommended Posts

[Rails] Manage secret keys etc. with credentials.yml
[Rails] Let's manage constants with config gem
Hashing object arrays with Rails (inject, index_by, etc.)
Rails deploy with Docker
[Rails 6] RuntimeError with $ rails s
Handle devise with Rails
[Rails] Learning with Rails tutorial
[Rails] Test with RSpec
[Rails] Development with MySQL
Supports multilingualization with Rails!
Double polymorphic with Rails