Step 2: Configure Secrets
Overview
- Configure .kamal/secrets
In your config/deploy.yml, you listed your secrets but not their values. Those values are extracted using a script that you can find in .kamal/secrets.
This file has examples of four ways to get your secrets: from a password manager, from the output of a command, from the environment, or from a file. The password manager is the most secure, and is the one we recommend you use.
Uncomment this section, select the appropriate adapter, and add the Object Storage (S3) secrets, unless you have already added them to config/credentials.yml.enc.
Note
Other popular ways are .env files and, for Rails, config/credentials.yml. While .env files are the easiest to use, they are also the easiest way to accidentally expose your secrets. config/credentials.yml is better, but you are still left with a master key that you need to provide in other ways.
Now place all of the secrets you gathered while assembling your ingredients into your password manager. You can find the MASTER_KEY in your Rails app at config/master.key.
While it is possible to include your secrets here, doing so is strongly discouraged. If you choose to do it anyway, be sure to add this file to your .gitignore and .dockerignore files.
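A pre-deploy check for the advice above, as an added example that is not part of the original guide or of Kamal: it lists which names in .kamal/secrets are set to literal values and whether the file is then listed in .gitignore and .dockerignore. The function name check_kamal_secrets, the rule that any value starting with "$" counts as a reference, and the exact-line ignore match are assumptions of this sketch.

```shell
# Added example: report literal values in .kamal/secrets (names only, never values).
# Returns 0 = only references, 1 = literals but the file is ignored by git and Docker,
#         2 = literals and the file is missing from an ignore file, 3 = no secrets file.
check_kamal_secrets() {
  dir="${1:-.}"
  file="$dir/.kamal/secrets"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 3; }

  # Assumption: a value starting with "$" is a reference ($VAR, ${VAR}, $(command));
  # anything else is treated as a secret typed directly into the file.
  literals=$(awk '
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      name = substr($0, 1, eq - 1)
      value = substr($0, eq + 1)
      gsub(/^[ \t"]+/, "", value)
      if (value != "" && substr(value, 1, 1) != "$") print name
    }' "$file")

  if [ -z "$literals" ]; then
    echo "ok: $file contains only references"
    return 0
  fi
  echo "literal values set for: $(echo "$literals" | tr '\n' ' ')"

  # Simplified ignore check: looks for an exact .kamal/secrets entry, not full glob semantics.
  status=1
  for ignore in .gitignore .dockerignore; do
    if ! grep -Eq '^/?\.kamal/secrets[[:space:]]*$' "$dir/$ignore" 2>/dev/null; then
      echo "not ignored in $ignore"
      status=2
    fi
  done
  return "$status"
}
```

Run it from the project root, for example in a pre-commit hook or before a deploy, and treat any non-zero return as a reason to stop.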