Secrets and Configuration


Our applications use configuration values stored in a local YAML file. The defaults for these values are defined in config/application.yml.default. Configuration and secrets can be tailored per environment by merging default values with an environment-specific YAML file.

  • In local development, this file lives at config/application.yml and is created during setup.
  • In deployed environments, this file is downloaded from S3 when activating or deploying an instance (see deploy/activate and the activate.rb).

Changing configuration for a deployed application requires a passenger restart, since this merge step only happens at activation.

The S3 buckets that contain secrets are versioned, so we can recover old versions if needed.

At the end of the day, since these are just files in S3, you can use whatever workflow you want to download, edit, and write them. Make sure you clean up files on your local machine when done.

Using app-s3-secret

The easiest way to interact with secrets is the app-s3-secret command in the identity-devops repo. See guide to app-s3-secret for more information.

Configuration in Rails Apps

To use a value in the application.yml in our Rails apps, follow these steps. The IDP, PKI, and Dashboard apps all use this approach, with files named the same way.

  1. Declare the feature flag in lib/identity_config.rb’s #build_store method.


    config.add(:my_feature_flag, type: :boolean)

    View in IDP repo, PKI repo, Dashboard repo

  2. Configure a default value in config/application.yml.default at the top level of the file. If there is no value specified in S3 for this config, this default value will be used in production.


    my_feature_flag: 'true'

    View in IDP repo, PKI repo, Dashboard repo

  3. To use the value in code, access it via as a property of