Project

rails_kms_credentials

0.0
The project is in a healthy, maintained state
rails_kms_credentialscomplymd/rails_kms_credentialsHomepageDocumentationSource CodeBug TrackerWiki
Add support for different credentials for different kmss to Rails
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
11,857
Stars
2
Forks
2
Watchers
7
 Releases
Current version
0.5.0
Total releases
12
First release
2022-11-01
Latest release
2024-07-29
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
2
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2023-02-19
Reverse Dependencies
0

 Dependencies

Runtime

activesupport
>= 5.0.0, < 8.0.0
httparty
~> 0.21.0
railties
>= 5.0.0, < 8.0.0
 Project Readme

rails-kms-credentials

This gem expands the capabilities of Rails.application.credentials to support fetching the credentials from a Key Management System.

Configuration

This gem will read config/kms_credentials.yml using Rails.application.config_for.

Key Description
store Stores The Key Managedment System to use.

Stores

Key Management System Config Value
Azure Key Vault azure_key_vault

Azure Key Vault

Credentials will be loaded from a Key Vault's Secrets.

All hyphens (-) in a secret name will be replaced with underscores (_) when put into credentials (ex. foo-bar -> foo_bar).

Credentials can be nested by separating the parent key from the child key with -- (ex. secret foo--bar--baz with a value of test will become {foo: {bar: {baz: "test"}}}.

Since Secrets cannot be empty in Azure Key Vault, if you need a key to show up in credentials, but need its value to be empty, then set the Secret's value to --EMPTY--.

Config

Key Description
vault The name of the Key Vault
client Client specific configuration. See Client Types.
client.type The Client Type to use.
client.secret_prefix The prefix that all secrets for this application will have. See Secret Prefix.

Secret Prefix

The prefix along with ---- will be added to the beginning of the secret name (ex. prefix: abc123 -> abc123----some-secret). May be specified with a string, or using your application's name by passing true (will use Rails.application.class.parent.to_s.underscore.dasherize).

Client Types

How to connect/authenticate to Azure Ket Vault.

Client client.type
Managed Identity managed_identity
Client Credentials client_credentials
Environment Access Token env_access_token
Managed Identity

This is the client to use when running on an Azure VM.

Config:

Key Description
client.type managed_identity
Client Credentials

This is the client to use when connecting from outside of Azure. See here.

You'll need to register an "App Registration" in Azure and grant it permission to access the Key vault secrets. See the wiki page for morehelp

Config

Key Description
client.tenant_id The directory tenant the application plans to operate against, in GUID or domain-name format.
client.client_id The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
client.client_secret The client secret that you generated for your app in the app registration portal.
Environment Access Token

This is the client to use when you have an access token that can be loaded by setting an Environment variable.

The access_token may be fetched via Azure CLI. For example, you could authenticate via az login, then export the access_token into your session:

az account get-access-token --resource "https://vault.azure.net" --query "accessToken" -o tsv

Config:

Key Description
client.type env_access_token