Voltos

Storing local development credentials

You're busy working away on a project, trying to get a new feature committed so that your teammates can take a look and give you some feedback.

The only problem is they need a token set on their machine for the feature to work. Maybe it's the OAuth secret for logging in via a 3rd party service. Or it's the configuration for an external service you use for full-text search.

Just commit it into the repo and call it a day, right? I mean it's not like it's the end of the world if it gets exposed. It's just for development. You can rotate it later.

And the lies we tell ourselves

Hey, I need you to set a token for local dev for a new feature I just added. Can you open up Slack and I'll paste the secret in there, and I'll send you the other key via iMessage. Let me know when you’ve saved them so I can delete the chat history Every developer at some point

Deep down you know it's a bad practice.

Which is why you sit there rationalising to yourself why it's ok in just this instance. What's the likelihood this credential does make it out into production? That in the rush to address all the feedback you forget about this shortcut you took?

So what ends up happening is some painful dance of manual coordination where we keep the code and the secrets separate, and communicate over slightly more trusted channels.

Making a better way the easy way

I got sick of dealing with this every time in some fashion whenever I started working with a new project or new group of people.

So Daniel and I sat down to fix it.

We wanted a way to share our app credentials that was not only easier than all the alternatives, but was more secure.

Enter Voltos. Create a new bundle, and store all your app credentials in it securely:

1
2
3
4
5
6
$ voltos create stackshare-dev
Creating bundle… ⣯
Created a new bundle: stackshare-dev
It looks like you’ve got a .env file, should we import the settings (yes/no)? y
Setting credentials… ⣻
▸ Bundle in use: stackshare-dev

It's also a process wrapper. Now I can use the voltos run command to fetch those credentials back when I need them, and expose them as environment variables, without the need to store them on disk:

1
2
3
4
5
6
7
8
9
$ voltos run "foreman web"
Fetching credentials from Voltos... ⣻
Running in interactive mode...
Running process with environment sourced from 'stackshare-dev' bundle...

I, [2016-09-19T14:17:33.947000 #56244]  INFO -- : Refreshing Gem list
I, [2016-09-19T14:17:43.818834 #56244]  INFO -- : listening on addr=0.0.0.0:5000 fd=11
I, [2016-09-19T14:17:44.071576 #56244]  INFO -- : master process ready
I, [2016-09-19T14:17:44.084485 #56290]  INFO -- : worker=0 ready

If you'd like to share that bundle with a teammate you just need to grant them access via the CLI:

1
2
3
$ voltos share [email protected]
Sharing bundle… ⣯
Shared ‘stackshare-dev’ with [email protected]

You can find out more about how to get started with Voltos.

And we hope it's better and easier for you :)

Glenn Gillen

Co-founder of Voltos. I'm also an advisor to, and investor in, early-stage tech startups such as StackShare, Stamplay, GrapheneDB, Fossa, and Polybit. Ex-Heroku, ran Heroku Add-ons & Ecosystem.