Secrets and Configuration


Our applications use configuration values stored in a local YAML file. The defaults for these values are defined in config/application.yml.default. Configuration and secrets can be tailored per environment by merging default values with an environment-specific YAML file.

  • In local development, this file lives at config/application.yml and is created during setup.
  • In deployed environments, this file is downloaded from S3 when activating or deploying an instance (see deploy/activate and the activate.rb).

The S3 buckets that contain secrets are versioned, so we can recover old versions if needed.

Using app-s3-secret

The easiest way to interact with secrets is the app-s3-secret command in the identity-devops repo. See guide to app-s3-secret for more information.

Configuration in Rails Apps

To use a value in the application.yml in our Rails apps, follow these steps. The IDP, PKI, and Dashboard apps all use this approach, with files named the same way.

  1. Declare the configuration value in lib/identity_config.rb’s #build_store method.


    config.add(:my_feature_flag, type: :boolean)

    View in IDP repo, PKI repo, Dashboard repo

  2. Configure a default value in config/application.yml.default at the top level of the file. If there is no value specified in S3 for this config, this default value will be used in production.


    my_feature_flag: 'true'

    View in IDP repo, PKI repo, Dashboard repo

  3. To use the value in code, access it via as a property of


This process can be used for any type of configuration value. To learn more about feature flags specifically, refer to the Feature Flags article for an overview of how they are used used.