Extract Secrets from 1Password for Kamal Deploy

Kamal, the default deployment tool for Rails, has some really great features. One that I just discovered today is kamal secrets.

You can use this utility to expand sensitive credentials from external sources during deployment. Out of the box, it supports 1Password, Bitwarden (and Secrets Manager), LastPass, AWS Secrets Manager, Doppler, and GCP.

You can run the command for SECRETS from the .kamal/secrets file manually to test everything out.

A prerequisite for using 1Password is installing the 1Password CLI (`op`) and signing in to your vault:

brew install 1password-cli

op signin

Next you'll need your account ID. You can get that with:

op whoami

Then verify you can read your secrets. The output of the command inside the $(...) is stringified JSON:

SECRETS=$(kamal secrets fetch --adapter 1password --account op_account_id --from "op://Example/ApiKeys" KAMAL_REGISTRY_PASSWORD)

The output will look something like this:

\{\"Example/ApiKeys/KAMAL_REGISTRY_PASSWORD\":\"xxxxxxxxxxxxx\"\}

The last part is expanding this. You can pass this JSON string to kamal secrets extract to pull out the value stored under a given key.

kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS}
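
Testing the fetch by hand prints secret values to the terminal. The Ruby script below (an added example, not code from the original post or from Kamal) decodes the shell-escaped JSON shown above and reports each required name as ok, empty or missing without echoing any value. The function names, the `REQUIRED` list, the second and third secret names, and the rule that a name matches a key ending in `/NAME` are assumptions of this example.

```ruby
require "json"
require "shellwords"

# Decode what `kamal secrets fetch` prints: JSON escaped for the shell.
# Plain, unescaped JSON is accepted as well.
def decode_fetched(output)
  text = output.strip
  data = begin
    JSON.parse(text)
  rescue JSON::ParserError
    words = Shellwords.shellsplit(text)
    raise ArgumentError, "expected one shell word, got #{words.size}" unless words.size == 1
    JSON.parse(words.first)
  end
  raise ArgumentError, "expected a JSON object" unless data.is_a?(Hash)
  data
end

# Assumption: a name matches a key equal to it or ending in "/<name>",
# like "Example/ApiKeys/KAMAL_REGISTRY_PASSWORD" in the output above.
def lookup(data, name)
  data[name] || data.find { |key, _| key.end_with?("/#{name}") }&.last
end

# Map each required name to :ok, :empty or :missing; values never leave here.
def preflight(output, required)
  data = decode_fetched(output)
  required.to_h do |name|
    value = lookup(data, name)
    status =
      if value.nil? then :missing
      elsif value.to_s.strip.empty? then :empty
      else :ok
      end
    [name, status]
  end
end

# Constructed sample in the shape shown above; the values are placeholders.
SAMPLE = '\{\"Example/ApiKeys/KAMAL_REGISTRY_PASSWORD\":\"xxxxxxxxxxxxx\",' \
         '\"Example/ApiKeys/RAILS_MASTER_KEY\":\"\"\}'

# Hypothetical list of names this deploy expects.
REQUIRED = %w[KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY DATABASE_URL].freeze

preflight(SAMPLE, REQUIRED).each { |name, status| puts "#{name}: #{status}" }
```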