
Embed Secrets Credentials into the Release

Tony van Riet edited this page Nov 12, 2016 · 3 revisions

To embed configuration containing secrets or credentials into the release while keeping it out of the repository (recommended), you have several options.

If you use different credentials for different deploy hosts or different deploy destinations (production / staging), or different configuration in general, one option is to link the sys.config or vm.args. That means the files are not embedded into the release but installed on the deploy hosts.

If the configuration including the secret credentials is the same for all deploy hosts, or you deploy only to a single host, you can also use a pre hook to copy the secret credentials from your development machine to the build host when building the release:

# config/config.exs
# checked into your repository
...
import_config "secret.exs"

# .secret/production.secret.exs
# not checked into the repository
# available only on your local machine
use Mix.Config

config :your_app, YourApp.Repo,
  database: "your_database",
  username: "your_user_name",
  password: "your_secret_password"

# exclude secret credentials from repository
echo ".secret/production.secret.exs" >> .gitignore

# .deliver/config

pre_erlang_get_and_update_deps() {
  # copy it from the local machine to the build host when building
  local _local_secret_config_file=".secret/production.secret.exs"
  if [ "$TARGET_MIX_ENV" = "prod" ]; then
    status "Copying '$_local_secret_config_file' file to build host"
    scp "$_local_secret_config_file" "$BUILD_USER@$BUILD_HOST:$BUILD_AT/config/secret.exs"
  fi
}

Or, if the config containing the secrets to be embedded into the release is stored on the build host itself, e.g. at ~/production-config/secret.exs:

pre_erlang_get_and_update_deps() {
  # copy it on the build host to the build directory when building
  local _secret_config_file_on_build_host="~/production-config/secret.exs"
  if [ "$TARGET_MIX_ENV" = "prod" ]; then
    status "Copying '$_secret_config_file_on_build_host' file to build dir"
    # the source path stays unquoted in the remote command so that ~ expands on the build host
    __sync_remote " # execute on build host
      cp $_secret_config_file_on_build_host '$BUILD_AT/config/secret.exs'
    "
  fi
}
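
An added example, not part of the original wiki page or of edeliver itself: a preflight check for the first hook above (the one copying from the development machine) that refuses to ship a secret file that is missing, empty, a symlink, accessible to group or others, or tracked by git. `secret_file_preflight` is a hypothetical helper name; the rest of the hook is the one shown on this page.

```shell
# .deliver/config (added example; secret_file_preflight is a hypothetical helper)
secret_file_preflight() {
  local _file="$1" _dir _name
  # a symlink could redirect the copy to an unintended file
  if [ -L "$_file" ] || [ ! -f "$_file" ]; then
    echo "secret config '$_file' is missing or not a regular file" >&2; return 1
  fi
  if [ ! -s "$_file" ]; then
    echo "secret config '$_file' is empty" >&2; return 1
  fi
  # characters 5-10 of the ls mode string are the group and other permission bits
  if [ "$(ls -ld -- "$_file" | cut -c5-10)" != "------" ]; then
    echo "secret config '$_file' is accessible to group/others, chmod 600 it" >&2; return 1
  fi
  # if the file sits inside a git work tree, it must not be tracked
  _dir=$(dirname -- "$_file"); _name=$(basename -- "$_file")
  if command -v git >/dev/null 2>&1 &&
     git -C "$_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     git -C "$_dir" ls-files --error-unmatch -- "$_name" >/dev/null 2>&1; then
    echo "secret config '$_file' is tracked by git" >&2; return 1
  fi
  return 0
}

pre_erlang_get_and_update_deps() {
  local _local_secret_config_file=".secret/production.secret.exs"
  if [ "$TARGET_MIX_ENV" = "prod" ]; then
    # abort the build instead of shipping a leaked or wrong file
    secret_file_preflight "$_local_secret_config_file" || exit 1
    status "Copying '$_local_secret_config_file' file to build host"
    scp "$_local_secret_config_file" "$BUILD_USER@$BUILD_HOST:$BUILD_AT/config/secret.exs"
  fi
}
```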