Using Rails Credentials within Gitlab-CI

I have certain environment variables I need to utilize within Gitlab CI. I need these variables to be within Rails credentials, not stored on the Gitlab runners via settings.

I have been working on this for about a week now and am struggling to find a working solution. The ideal format would be able to use ERB-style markdown (i.e. - <%= Rails.application.credentials[:my_credential] %>) but of course I’m not able to preprocess the ERB and have Gitlab CI still function.

What is your preferred method of utilizing ENV vars on Gitlab CI without manually storing them in the runner?

I don’t know what exactly you mean by “not stored in the runner”.

You can write a script which will export those variables from ruby to GitLab Runner during runtime. I did something similar in PHP. See example Skipping cache archiving due to empty cache key

Hope this helps.

Thank you @dompie I have updated my question to be a bit clearer on that.

That seems like quite a handy format to pull variables out from Ruby in real time while keeping them secure. Thanks!

In this case I’m looking at upwards of 18-20 environment variables so I’m unsure if I should do separate scripts for each variable?

I sure wish there were a straightforward way to access Rails.application.credentials in my .gitlab-ci.yml

1 Like

I’m also looking for a simplified way of doing this. Consider that my Rails.application.credentials are extensively nested hashes I don’t think the masked variables in GitLab’s Settings -> CI/CD -> Variables section is a viable solution and dictates application design. What are other folks doing with their rails applications?

Update: I successfully got this working by adding two masked variables that contain the contents of config/master.key and config/credentials/production.key in GitLab settings:

And adding this to my .gitlab-ci.yml to create the master.key and config/credentials/production.key files to read the encrypted config/credentials.yml.enc and config/credentials/production.yml.enc, respectively: