Creating .env file for secret keys

Hi all!

Working on setting S3 bucket credentials for file uploads with Waffle and ExAws-

I don’t quite understand how to set the variables correctly for the secret keys for the S3 bucket. For example-

config.exs

config :waffle,
  storage: Waffle.Storage.S3,
  bucket: {:system, "AWS_BUCKET_NAME"},
  asset_host: {:system, "ASSET_HOST"}

config :ex_aws,
  json_codec: Jason,
  access_key_id: "123456789abcdef",
  secret_access_key: "987654321asdfghj ",
  region: "US somewhere"

Following along with this example, I can theoretically set env variable to be something like-

export AWS_ACCESS_KEY_ID="123456789abcdef"
export AWS_SECRET_ACCESS_KEY="987654321asdfghj "
export AWS_REGION="US somewhere"
export AWS_BUCKET_NAME="bucket"

Where / how do I create the .env file? I'm not understanding that.

Thanks for any help!

1 Like

export should be run at the bash (or whatever) prompt. You set the environment variables, then start elixir, which will read them.

That post is telling you to create a file called .env in your project directory.

.env

export AWS_ACCESS_KEY_ID="123456789abcdef"
export AWS_SECRET_ACCESS_KEY="987654321asdfghj "
export AWS_REGION="US somewhere"
export AWS_BUCKET_NAME="bucket"

Bash prompt:

source .env
mix phx.server

Edit: I should say that the .env file from that post you linked is not the typical format. See below.

5 Likes

Thanks for clarifying that!

Here’s how I do it:

I use the dotenvy package to read environment variables in. See: GitHub & Hex Package.

In mix.exs:

defp deps do
    [
       ...
       {:dotenvy, "~> 0.6.0"},
       ...
    ]
end

In runtime.exs

# ==============================================================================
# config/runtime.exs is executed for all environments, including
# during releases. It is executed after compilation and before the
# system starts, so it is typically used to load production configuration
# and secrets from environment variables or elsewhere. Do not define
# any compile-time configuration in here, as it won't be applied.
# ==============================================================================
import Config
import Dotenvy

source!(["config/.env.#{config_env()}", System.get_env()])

# ==============================================================================
# ExAws Configuration
# ==============================================================================
debug_requests = env!("DEBUG_REQUESTS", :boolean, false)
aws_access_key_id = env!("AWS_ACCESS_KEY_ID", :string)
aws_secret_access_key = env!("AWS_SECRET_ACCESS_KEY", :string)
max_attempts = env!("MAX_ATTEMPTS", :integer)
base_backoff_in_ms = env!("BASE_BACKOFF_IN_MS", :integer)
max_backoff_in_ms = env!("MAX_BACKOFF_IN_MS", :integer)
s3_host = env!("S3_HOST", :string)

config :ex_aws,
  debug_requests: debug_requests,
  access_key_id: aws_access_key_id,
  secret_access_key: aws_secret_access_key,
  http_client: DerpyCoder.ExAwsHttpClient, # HTTP Client, so ExAws can use Finch instead of Hackney!!
  json_codec: Jason

config :ex_aws, :s3,
  scheme: "https://",
  host: s3_host

config :ex_aws, :retries,
  max_attempts: max_attempts,
  base_backoff_in_ms: base_backoff_in_ms,
  max_backoff_in_ms: max_backoff_in_ms

In .env.dev:

# ExAws Config
AWS_ACCESS_KEY_ID=derp
AWS_SECRET_ACCESS_KEY=wubalubadubdub
MAX_ATTEMPTS=10
BASE_BACKOFF_IN_MS=10
MAX_BACKOFF_IN_MS=10000
S3_HOST=s3.derpycoder.site
DEBUG_REQUESTS=true

My Start command:

elixir --sname derpycoder --cookie wubalubadubdub -S mix phx.server


P.S. I can include code for the ExAwsHttpClient, that allows usage of Finch here, if you want.

P.P.S. I would suggest that small files or images that you do not want to process on the server be uploaded directly to S3 from the front end.
And for larger files, use a TUS server to upload the file to the server, and after processing it, upload it to the S3 bucket.

2 Likes

I know this is an old thread, but I wanted to just query here whether secret files should be placed in gitignore so that if the answer is yes it is present in this thread.

1000% yes. Never commit secrets to your git repo.

4 Likes
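
An added example, not written by anyone in the thread: a POSIX shell check that reports dotenv files (such as the .env and config/.env.dev files used above) that are tracked by git, not matched by .gitignore, or readable by other local users. The function name audit_env_files is hypothetical; it assumes git is installed and that the directory passed in is the root of a git work tree.

```shell
#!/bin/sh
# Added example (not from the thread). audit_env_files is a hypothetical name.
# Usage: audit_env_files DIR   (DIR is assumed to be the root of a git work tree)
# Prints one finding per line; returns 1 if any dotenv file is tracked by git,
# not matched by .gitignore, or readable by other local users.
audit_env_files() {
    (
        cd "$1" || exit 2
        # Matches .env, .env.dev, config/.env.prod, ...; never descends into .git.
        find . -path ./.git -prune -o -type f -name '.env*' -print |
        {
            rc=0
            while IFS= read -r f; do
                f=${f#./}
                if git ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
                    # Already in the index: ignoring it now is not enough.
                    echo "TRACKED: $f (git rm --cached it and rotate the keys)"
                    rc=1
                elif ! git check-ignore -q -- "$f" 2>/dev/null; then
                    echo "NOT IGNORED: $f (add a .gitignore pattern such as .env*)"
                    rc=1
                fi
                # Other-read bit set: any local account can read the secrets.
                if [ -n "$(find "$f" -perm -004)" ]; then
                    echo "WORLD-READABLE: $f (chmod 600)"
                    rc=1
                fi
            done
            exit "$rc"
        }
    )
}
```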