Best way to share secret files (that are not .env*)

Hey all,

The Issue

so… In my Redwood project I am consuming the GoogleApi with a private key that is stored in a JSON file in my repo (google-key.json). This file is - of course - in my .gitignore. One of my services on the api side is importing this file and using its values.

Now, when I am deploying to my baremetal server, the secret is not transmitted.

Current workaround

  1. I deploy with yarn rw deploy baremetal production
  2. I rsync my secret file to the /var/www/app directory
  3. I cp google-key.json to the correct location in the ./current/ directory.

Of course this is not sustainable. Therefore I want to ask around how you would solve this issue.

Thanks in advance!

Can you not use a .env file with this project (or do you not want to)? What I would do is keep that key in .env and use it on the api side with something like process.env.GOOGLE_API_KEY. Now log into the server and add that same value to the .env file on the server. On the next deploy, the .env file on the server is symlinked into the newly deployed directory, and the app will have access to all of those values.

If you can’t do that for whatever reason, that’s where the lifecycle events come into play: you can insert your own command before/after any of the existing steps in the deploy and do whatever you want. These commands are all executed on the server, however…I’m trying to think of a way to get some data from the client into them before they’re executed. I don’t think the deploy.toml file is run through any kind of string replacement before being run, so you can’t just insert a ${fs.readSync('google-key.json')} and have the value show up. But, you could do something similar to how the .env file works: manually add google-key.json to the server, in the root directory of your app (the one with all the timestamp directory deploys) and then add a lifecycle event that copies the file from there to the deploy directory:

[before]
symlinkCurrent = 'cp ../google-key.json .'

But if you're going to do that, you may as well just put the value in .env and it'll automatically work as part of the default Baremetal config!

1 Like
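The .env route described above has one wrinkle for a Google service-account key: the file is multi-line JSON whose private_key itself contains newlines, so it does not paste cleanly as a single .env line. The usual fix is to base64-encode the whole file into one variable and decode it on the api side. The following is an added example, not code from the thread or from the RedwoodJS project; the variable name GOOGLE_SERVICE_ACCOUNT_KEY, the shell command for producing it (`base64 -w0 google-key.json` with GNU coreutils) and the sample key object are assumptions for illustration, and the sample is a constructed, non-functional credential.

```javascript
// Added example (not from the original thread or from RedwoodJS): load a
// Google service-account key on the api side from process.env instead of
// importing google-key.json from disk.
//
// Assumption (not on the original page): the server's .env contains
//   GOOGLE_SERVICE_ACCOUNT_KEY=<base64 of google-key.json>
// produced with e.g. `base64 -w0 google-key.json`, so the multi-line
// private_key survives as a single .env line.

const REQUIRED_FIELDS = ['type', 'project_id', 'client_email', 'private_key']

// Decode and validate the base64 JSON blob. Fails closed: a missing or
// malformed value throws instead of handing a half-parsed key to the
// Google client, which would otherwise fail later with a confusing error.
function parseServiceAccountKey(encoded) {
  if (!encoded) {
    throw new Error('GOOGLE_SERVICE_ACCOUNT_KEY is not set')
  }
  let parsed
  try {
    parsed = JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'))
  } catch (e) {
    throw new Error('GOOGLE_SERVICE_ACCOUNT_KEY is not base64-encoded JSON')
  }
  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('service account key must be a JSON object')
  }
  const missing = REQUIRED_FIELDS.filter(
    (f) => typeof parsed[f] !== 'string' || parsed[f] === ''
  )
  if (missing.length > 0) {
    throw new Error(`service account key is missing: ${missing.join(', ')}`)
  }
  if (parsed.type !== 'service_account') {
    throw new Error(`unexpected key type "${parsed.type}"`)
  }
  if (!parsed.private_key.includes('-----BEGIN PRIVATE KEY-----')) {
    throw new Error('private_key is not a PEM private key')
  }
  return parsed
}

// Entry point for a Redwood api service: pass the env explicitly so it can
// be unit-tested without touching the real process.env.
function loadServiceAccountKey(env = process.env) {
  return parseServiceAccountKey(env.GOOGLE_SERVICE_ACCOUNT_KEY)
}

// Helper for the one-time step of turning google-key.json into the .env
// value (the JS equivalent of `base64 -w0 google-key.json`).
function encodeForDotenv(keyObject) {
  return Buffer.from(JSON.stringify(keyObject)).toString('base64')
}

// Constructed sample key for demonstration only; NOT a real credential.
const SAMPLE_KEY = {
  type: 'service_account',
  project_id: 'demo-project',
  client_email: 'svc@demo-project.iam.gserviceaccount.com',
  private_key: '-----BEGIN PRIVATE KEY-----\nMIIBVQIBADANBg...\n-----END PRIVATE KEY-----\n',
}

// Usage in a service, e.g. api/src/lib/google.js:
//   const credentials = loadServiceAccountKey()
//   new google.auth.GoogleAuth({ credentials, scopes: [...] })
```

Because the whole key is now a single .env value, the existing Baremetal flow (server-side .env symlinked into each timestamped release) carries it to every deploy with no extra rsync or lifecycle hook, and the validation makes a typo in the pasted value fail loudly at startup rather than on the first Google API call.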

Why not encrypt them? Maybe this is helpful: Encrypted Environment Variables

1 Like