Prod.secret.exs or env. variables?

Raddi_On · November 10, 2017, 12:47pm

What do you use among those 2 for storing your secret keys and passwords? Are they more or less equal?

tyro · November 10, 2017, 1:19pm

I think it depends on how you deploy your app. We use Heroku so env variables are the best solution for us.

LostKobrakai · November 10, 2017, 1:34pm

The prod.secret.exs files do have the problem that they’re compile time only. So you cannot change the values after compilation / creating a release.

wmnnd · November 10, 2017, 4:23pm

I find that prod.secret.exs is a real anti-pattern. Putting configuration that is specific to a particular environment/deployment in your code is generally not a good idea.

bobbypriambodo · November 10, 2017, 4:56pm

Deleting prod.secret.exs is always the first thing I do when starting a Elixir + Phoenix project the env variables approach is more standard, and you can reuse it for your frontend if you use e.g. webpack’s EnvironmentPlugin.

kelvinst · November 10, 2017, 5:43pm

This is a huge thing to notice about mix config! Always keep this in mind!

chensan · November 13, 2017, 1:55am

I prefer env variables, so you don’t have to make another release just for some changes in prod.secret.exs.

OvermindDL1 · November 13, 2017, 3:40pm

What I wish is if there was an easy way to, say, get database connection inform from a database (easy) then use information in the database to populate the rest of the values (easy with shell script, but that is not… right… ^.^;) before things like the endpoint load.

CptnKirk · November 13, 2017, 4:55pm

If you’re deploying on EC2 you can give your EC2 instance a role, then use role based security to protect environmental secrets and other bootstrapping information in S3.

As part of your app, have it take an env.props at startup. Point this to a local file during development and a remote url in formal environments.

I’ve found this works pretty well.

hassan · November 13, 2017, 5:14pm

If you’re deploying on EC2 you can give your EC2 instance a role, then use
role based security to protect environmental secrets and other bootstrapping
information in S3.

Or use AWS Parameter Store:

jc00ke · November 15, 2017, 8:24pm

We ended up using Vault (which the new version has cloud auto-unseal) and we forked VaultEx https://github.com/brixen/vaultex

I don’t have the code anymore, but we treated the application config like a write-through cache. If a value didn’t already exist, we could look it up in :FILE, :ENV or :VAULT.