aws/aws-sdk-rails

Rails.application.credentials.aws reserved for aws credentials 👎

majkelcc opened this issue · 1 comment

Recently, in our application that uses this gem, we migrated from the previous Rails.secrets mechanism to the new Rails.application.credentials. Unfortunately, after moving the same keys from config/secrets.yml.enc to the new encrypted credentials, we saw an error about invalid configuration option: ':rds_instance', which we stored under Rails.application.credentials.aws.

I tried to look in aws-sdk-ruby for code that automatically loads these credentials. With no luck there, I assumed it was Rails itself that's responsible. I was very happy to see that this was not the case.

Reserving keys in the standard credentials mechanism is bad for many reasons:

  1. It's magic and unexpected
  2. It was not present in the previous Rails.application.secrets, making the migration difficult
  3. This invalid configuration option error is difficult to debug (validation happens late in a different gem and aws-sdk-rails does not appear in the stack trace)
  4. Most importantly, if more gems started reserving their own keys in Rails.application.credentials, it would be a mess

I would want to call for this behavior to be deprecated and eventually removed from defaults.

I've been looking into this and agree that the current process of loading all values under the aws namespace in the Rails Encrypted Credentials is a bad practice. I've created a PR to address this: #33. This change prevents the "aws" namespace from being "reserved" while still allowing users of this gem to have their aws credentials loaded.
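
An added illustration of the problem reported in this issue (not code from aws-sdk-rails, from PR #33, or from either commenter): it contrasts loading a whole credentials namespace into SDK config with copying only an allowlist of credential keys. The hash contents, constant names, and the `build_client` validator are hypothetical stand-ins so the example runs without Rails or the AWS SDK.

```ruby
# Constructed stand-in for Rails.application.credentials[:aws]; all values are fake.
SAMPLE_AWS_NAMESPACE = {
  access_key_id: "constructed-key-id",
  secret_access_key: "constructed-secret",
  rds_instance: "constructed-db-name" # the application's own setting, as in the report
}.freeze

# Hypothetical allowlist: the only keys the loader treats as AWS credentials.
CREDENTIAL_KEYS = %i[access_key_id secret_access_key session_token].freeze

# Hypothetical stand-in for SDK option validation. It runs later, when a
# client is built, not at the point where the credentials were loaded.
KNOWN_CLIENT_OPTIONS = (CREDENTIAL_KEYS + %i[region]).freeze

def build_client(global_config)
  unknown = global_config.keys - KNOWN_CLIENT_OPTIONS
  unless unknown.empty?
    raise ArgumentError, "invalid configuration option `#{unknown.first.inspect}'"
  end
  global_config.dup
end

# Behaviour described in the report: every key in the namespace becomes SDK config.
def load_whole_namespace(credentials)
  credentials.to_h
end

# Allowlisted loading: only credential keys are copied. Everything else in the
# namespace stays with the application and never reaches the SDK.
def load_allowlisted(credentials)
  credentials.to_h.slice(*CREDENTIAL_KEYS)
end

# Returns the error message raised at client-build time, or nil if none.
def client_error_for(config)
  build_client(config)
  nil
rescue ArgumentError => e
  e.message
end

puts client_error_for(load_whole_namespace(SAMPLE_AWS_NAMESPACE)).inspect
puts client_error_for(load_allowlisted(SAMPLE_AWS_NAMESPACE)).inspect
```

With the allowlist, the application can keep its own settings next to the credentials without them being forwarded to another library.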