The latest articles on DEV Community by Derrick Amenuve (@godsloveady). https://dev.to/godsloveady https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F375077%2F020c97a3-3c2d-4d0e-9528-c8a18738cabb.jpeg https://dev.to/godsloveady en Derrick Amenuve Sat, 23 May 2026 11:55:55 +0000 https://dev.to/godsloveady/storing-kamal-secrets-in-aws-secrets-manager-and-deploying-to-a-cheap-hetzner-vps-18b0 https://dev.to/godsloveady/storing-kamal-secrets-in-aws-secrets-manager-and-deploying-to-a-cheap-hetzner-vps-18b0 <p>I ran into a problem with Kamal. My <code>.kamal/secrets</code> file was full of API keys sitting in plaintext on my laptop. Anyone with access could read them all.</p> <p>TLDR; Use <a href="https://kamal-deploy.org/docs/commands/secrets/" rel="noopener noreferrer">Kamal</a> with <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS Secrets Manager</a> and deploy to a <a href="https://hetzner.cloud/" rel="noopener noreferrer">Hetzner</a> VPS. No plaintext secrets, cheap hosting, compliance happy.</p> <p><strong>The problem</strong></p> <p>Kamal is great for deploying apps. But by default secrets are in a plaintext file. For SOC 2 and GDPR that does not work. You need a managed store. I went with AWS Secrets Manager.</p> <p>But then I hit another issue. The <code>kamal secrets fetch --adapter aws_secrets_manager</code> command with <code>--from</code> expects each key to be its own AWS secret. If you store everything as one JSON blob (like I did), you get:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ERROR (RuntimeError): myapp/production/secrets//DEEPGRAM_API_KEY: Secrets Manager can't find the specified secret. </code></pre> </div> <h2> Step 1: Hetzner VPS </h2> <p><a href="https://hetzner.cloud/" rel="noopener noreferrer">Hetzner</a> CAX series starts at around 4 euro a month. I use the CX22 with 2 vCPUs and 4GB RAM. Enough for production.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On your Hetzner server</span> apt update <span class="o">&amp;&amp;</span> apt <span class="nb">install</span> <span class="nt">-y</span> docker.io <span class="c"># Copy your SSH key so Kamal can connect</span> ssh-copy-id root@your-server-ip </code></pre> </div> <p>Your <code>config/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">servers</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">yourdomain.com</span> <span class="na">proxy</span><span class="pi">:</span> <span class="na">ssl</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">yourdomain.com</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health/ready</span> <span class="na">registry</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">docker.io</span> <span class="na">username</span><span class="pi">:</span> <span class="s">your-docker-user</span> <span class="na">password</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">KAMAL_REGISTRY_PASSWORD</span> </code></pre> </div> <p>You need a <a href="https://hub.docker.com/" rel="noopener noreferrer">Docker Hub</a> account and a personal access token for <code>KAMAL_REGISTRY_PASSWORD</code>.</p> <h2> Step 2: Create the secret in AWS </h2> <p>In the <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS Secrets Manager</a> Console:</p> <ol> <li>Go to Secrets Manager &gt; Store a new secret</li> <li>Select "Other type of secret"</li> <li>Switch to plaintext tab and paste your JSON </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"DEEPGRAM_API_KEY"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_deepgram_key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ASSEMBLY_AI_API_KEY"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_assemblyai_key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"REDIS_URL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"redis://:password@your-redis:6379"</span><span class="p">,</span><span class="w"> </span><span class="nl">"KAMAL_REGISTRY_PASSWORD"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_docker_token"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Name it <code>myapp/production/secrets</code> </li> <li>Click Store</li> </ol> <p>Pick a region close to your server. If your Hetzner box is in Germany, use <code>eu-central-1</code> (Frankfurt). Keeps latency low and GDPR happy.</p> <h2> Step 3: IAM user for your laptop </h2> <p>Your laptop needs permission to read the secret during deploy.</p> <ol> <li>Go to IAM &gt; Users &gt; Create user</li> <li>Name it <code>kamal-deploy</code> </li> <li>Uncheck console access (CLI only)</li> <li>Create a group called <code>secrets-manager</code> with the SecretsManagerReadWrite policy</li> <li>Add an inline policy for batch reading: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:DescribeSecret"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:BatchGetSecretValue"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:ListSecrets"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Add your user to the group</li> </ol> <p>IAM policies can take a minute to propagate. If it fails at first, wait 30 seconds and try again.</p> <h2> Step 4: Configure AWS CLI </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="c"># AWS Access Key ID: paste from IAM user</span> <span class="c"># AWS Secret Access Key: paste</span> <span class="c"># Default region name: eu-central-1</span> <span class="c"># Default output format: json</span> </code></pre> </div> <p>Test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text | <span class="nb">head</span> <span class="nt">-c</span> 50 </code></pre> </div> <p>You should see the start of your JSON.</p> <h2> Step 5: Format your .kamal/secrets file </h2> <p>This is where I got stuck. The <code>--from</code> flag wants one AWS secret per key. Having 20 separate secrets is annoying. Check the <a href="https://kamal-deploy.org/docs/commands/secrets/" rel="noopener noreferrer">Kamal secrets docs</a> for more on this.</p> <p>Instead I use the AWS CLI with Python extraction. Each line is self contained:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># AWS Secrets Manager: myapp/production/secrets (eu-central-1)</span> <span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['DEEPGRAM_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">ASSEMBLY_AI_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['ASSEMBLY_AI_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">REDIS_URL</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['REDIS_URL'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">KAMAL_REGISTRY_PASSWORD</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['KAMAL_REGISTRY_PASSWORD'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> </code></pre> </div> <p>Each line fetches the full JSON and extracts one key. Kamal evaluates each line in its own subshell so there are no shared variables between lines. This works.</p> <p>You can also use <code>jq</code> if you prefer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text | jq <span class="nt">-r</span> <span class="s1">'.DEEPGRAM_API_KEY'</span><span class="si">)</span> </code></pre> </div> <h2> Step 6: Deploy </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kamal deploy </code></pre> </div> <p>Kamal fetches secrets from AWS during deploy and injects them into your container. No plaintext file ever touches the server.</p> <h2> Production and staging </h2> <p>I use a different AWS secret per environment. Both pull from AWS no plaintext anywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .kamal/secrets (used by kamal deploy)</span> <span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['DEEPGRAM_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">KAMAL_REGISTRY_PASSWORD</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['KAMAL_REGISTRY_PASSWORD'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="c"># .kamal/secrets.staging (used by kamal deploy -d staging)</span> <span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['DEEPGRAM_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/staging/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">KAMAL_REGISTRY_PASSWORD</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['KAMAL_REGISTRY_PASSWORD'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/staging/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> </code></pre> </div> <p>Only the secret name changes between files. <code>myapp/production/secrets</code> for production, <code>myapp/staging/secrets</code> for staging. Run <code>kamal deploy -d staging</code> and Kamal reads from the staging file.</p> <p>Both secrets live in AWS. No staging credentials in plaintext either. This matters for SOC 2 because auditors check every environment.</p> <h2> Done </h2> <p>No more secrets in plaintext. SOC 2 and GDPR requirements met. Hetzner bill stays under 5 euro a month.</p> <p>Big thanks to the <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS docs team</a>, the <a href="https://kamal-deploy.org/docs/commands/secrets/" rel="noopener noreferrer">Kamal maintainers</a>, and <a href="https://hetzner.cloud/" rel="noopener noreferrer">Hetzner</a> for keeping hosting affordable. Hope this saves you the same headaches I ran into. Now back to building.</p> devops aws docker cicd Derrick Amenuve Sat, 23 May 2026 11:48:51 +0000 https://dev.to/godsloveady/storing-kamal-secrets-in-aws-secrets-manager-and-deploying-to-a-cheap-hetzner-vps-2262 https://dev.to/godsloveady/storing-kamal-secrets-in-aws-secrets-manager-and-deploying-to-a-cheap-hetzner-vps-2262 <p>I ran into a problem with Kamal. My <code>.kamal/secrets</code> file was full of API keys sitting in plaintext on my laptop. Anyone with access could read them all.</p> <p>TLDR; Use <a href="https://kamal-deploy.org/docs/commands/secrets/" rel="noopener noreferrer">Kamal</a> with <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS Secrets Manager</a> and deploy to a <a href="https://hetzner.cloud/" rel="noopener noreferrer">Hetzner</a> VPS. No plaintext secrets, cheap hosting, compliance happy.</p> <p><strong>The problem</strong></p> <p>Kamal is great for deploying apps. But by default secrets are in a plaintext file. For SOC 2 and GDPR that does not work. You need a managed store. I went with AWS Secrets Manager.</p> <p>But then I hit another issue. The <code>kamal secrets fetch --adapter aws_secrets_manager</code> command with <code>--from</code> expects each key to be its own AWS secret. If you store everything as one JSON blob (like I did), you get:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ERROR (RuntimeError): myapp/production/secrets//DEEPGRAM_API_KEY: Secrets Manager can't find the specified secret. </code></pre> </div> <h2> Step 1: Hetzner VPS </h2> <p><a href="https://hetzner.cloud/" rel="noopener noreferrer">Hetzner</a> CAX series starts at around 4 euro a month. I use the CX22 with 2 vCPUs and 4GB RAM. Enough for production.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On your Hetzner server</span> apt update <span class="o">&amp;&amp;</span> apt <span class="nb">install</span> <span class="nt">-y</span> docker.io <span class="c"># Copy your SSH key so Kamal can connect</span> ssh-copy-id root@your-server-ip </code></pre> </div> <p>Your <code>config/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">servers</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">runtime.yourdomain.com</span> <span class="na">proxy</span><span class="pi">:</span> <span class="na">ssl</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">runtime.yourdomain.com</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health/ready</span> <span class="na">registry</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">docker.io</span> <span class="na">username</span><span class="pi">:</span> <span class="s">your-docker-user</span> <span class="na">password</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">KAMAL_REGISTRY_PASSWORD</span> </code></pre> </div> <p>You need a <a href="https://hub.docker.com/" rel="noopener noreferrer">Docker Hub</a> account and a personal access token for <code>KAMAL_REGISTRY_PASSWORD</code>.</p> <h2> Step 2: Create the secret in AWS </h2> <p>In the <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS Secrets Manager</a> Console:</p> <ol> <li>Go to Secrets Manager &gt; Store a new secret</li> <li>Select "Other type of secret"</li> <li>Switch to plaintext tab and paste your JSON </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"DEEPGRAM_API_KEY"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_deepgram_key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ASSEMBLY_AI_API_KEY"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_assemblyai_key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"REDIS_URL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"redis://:password@your-redis:6379"</span><span class="p">,</span><span class="w"> </span><span class="nl">"KAMAL_REGISTRY_PASSWORD"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your_docker_token"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Name it <code>myapp/production/secrets</code> </li> <li>Click Store</li> </ol> <p>Pick a region close to your server. If your Hetzner box is in Germany, use <code>eu-central-1</code> (Frankfurt). Keeps latency low and GDPR happy.</p> <h2> Step 3: IAM user for your laptop </h2> <p>Your laptop needs permission to read the secret during deploy.</p> <ol> <li>Go to IAM &gt; Users &gt; Create user</li> <li>Name it <code>kamal-deploy</code> </li> <li>Uncheck console access (CLI only)</li> <li>Create a group called <code>secrets-manager</code> with the SecretsManagerReadWrite policy</li> <li>Add an inline policy for batch reading: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:DescribeSecret"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:BatchGetSecretValue"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:ListSecrets"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Add your user to the group</li> </ol> <p>IAM policies can take a minute to propagate. If it fails at first, wait 30 seconds and try again.</p> <h2> Step 4: Configure AWS CLI </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="c"># AWS Access Key ID: paste from IAM user</span> <span class="c"># AWS Secret Access Key: paste</span> <span class="c"># Default region name: eu-central-1</span> <span class="c"># Default output format: json</span> </code></pre> </div> <p>Test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text | <span class="nb">head</span> <span class="nt">-c</span> 50 </code></pre> </div> <p>You should see the start of your JSON.</p> <h2> Step 5: Format your .kamal/secrets file </h2> <p>This is where I got stuck. The <code>--from</code> flag wants one AWS secret per key. Having 20 separate secrets is annoying. Check the <a href="https://kamal-deploy.org/docs/commands/secrets/" rel="noopener noreferrer">Kamal secrets docs</a> for more on this.</p> <p>Instead I use the AWS CLI with Python extraction. Each line is self contained:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># AWS Secrets Manager: myapp/production/secrets (eu-central-1)</span> <span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['DEEPGRAM_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">ASSEMBLY_AI_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['ASSEMBLY_AI_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">REDIS_URL</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['REDIS_URL'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">KAMAL_REGISTRY_PASSWORD</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['KAMAL_REGISTRY_PASSWORD'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> </code></pre> </div> <p>Each line fetches the full JSON and extracts one key. Kamal evaluates each line in its own subshell so there are no shared variables between lines. This works.</p> <p>You can also use <code>jq</code> if you prefer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text | jq <span class="nt">-r</span> <span class="s1">'.DEEPGRAM_API_KEY'</span><span class="si">)</span> </code></pre> </div> <h2> Step 6: Deploy </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kamal deploy </code></pre> </div> <p>Kamal fetches secrets from AWS during deploy and injects them into your container. No plaintext file ever touches the server.</p> <h2> Production and staging </h2> <p>I use a different AWS secret per environment. Both pull from AWS no plaintext anywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .kamal/secrets (used by kamal deploy)</span> <span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['DEEPGRAM_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">KAMAL_REGISTRY_PASSWORD</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['KAMAL_REGISTRY_PASSWORD'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/production/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="c"># .kamal/secrets.staging (used by kamal deploy -d staging)</span> <span class="nv">DEEPGRAM_API_KEY</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['DEEPGRAM_API_KEY'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/staging/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> <span class="nv">KAMAL_REGISTRY_PASSWORD</span><span class="o">=</span><span class="si">$(</span>python3 <span class="nt">-c</span> <span class="s2">"import json,sys; print(json.loads(sys.argv[1])['KAMAL_REGISTRY_PASSWORD'])"</span> <span class="s2">"</span><span class="si">$(</span>aws secretsmanager get-secret-value <span class="nt">--secret-id</span> myapp/staging/secrets <span class="nt">--query</span> SecretString <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span><span class="si">)</span> </code></pre> </div> <p>Only the secret name changes between files. <code>myapp/production/secrets</code> for production, <code>myapp/staging/secrets</code> for staging. Run <code>kamal deploy -d staging</code> and Kamal reads from the staging file.</p> <p>Both secrets live in AWS. No staging credentials in plaintext either. This matters for SOC 2 because auditors check every environment.</p> <h2> Done </h2> <p>No more secrets in plaintext. SOC 2 and GDPR requirements met. Hetzner bill stays under 5 euro a month.</p> <p>Big thanks to the <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS docs team</a>, the <a href="https://kamal-deploy.org/docs/commands/secrets/" rel="noopener noreferrer">Kamal maintainers</a>, and <a href="https://hetzner.cloud/" rel="noopener noreferrer">Hetzner</a> for keeping hosting affordable. Hope this saves you the same headaches I ran into. Now back to building.</p> rails kamal devops deployment Derrick Amenuve Tue, 15 Aug 2023 19:16:49 +0000 https://dev.to/godsloveady/resolving-activestorage-url-generation-between-rails-and-avo-admin-gem-21ib https://dev.to/godsloveady/resolving-activestorage-url-generation-between-rails-and-avo-admin-gem-21ib <p>I've been working on my project <a href="https://modatongue.com" rel="noopener noreferrer">Modatongue</a> and hit a roadblock with Active Storage. Images were displaying fine in lessons or my main rails application, but not in my Avo admin! 😭</p> <p>TLDR;<br> Just change line 3 of your <strong>app/views/active_storage/_blobs.html.erb</strong> to use main_app.url_ </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6q2z1wuocdognzljfxzc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6q2z1wuocdognzljfxzc.png" alt=" " width="800" height="211"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fguewcri78y2r8lrw81c5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fguewcri78y2r8lrw81c5.png" alt=" " width="799" height="211"></a></p> <p><strong>My Battle with Active Storage (and How I Won!)</strong><br> Like I mentioned earlier the Images were displaying fine in my lessons or inside the main rails app, but not in my <a href="https://avohq.io/" rel="noopener noreferrer">Avo</a> admin or when I logged into my admin interface! 😭<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;figure class="attachment attachment--&lt;%= blob.representable? ? "preview" : "file" %&gt; attachment--&lt;%= blob.filename.extension %&gt;"&gt; &lt;% if blob.representable? %&gt; &lt;%= image_tag blob.representation(resize_to_limit: local_assigns[:in_gallery] ? [ 800, 600 ] : [ 1024, 768 ]) %&gt; &lt;% end %&gt; &lt;figcaption class="attachment__caption"&gt; &lt;% if caption = blob.try(:caption) %&gt; &lt;%= caption %&gt; &lt;% else %&gt; &lt;span class="attachment__name"&gt;&lt;%= blob.filename %&gt;&lt;/span&gt; &lt;span class="attachment__size"&gt;&lt;%= number_to_human_size blob.byte_size %&gt;&lt;/span&gt; &lt;% end %&gt; &lt;/figcaption&gt; &lt;/figure&gt; </code></pre> </div> <p>The above code for my blob partial(which is likely going to be your default when you install active storage). This works in Rails views, but not Avo which expects blob objects to respond to to_model. Avo admin cried undefined method 'to_model'. Ugh, why?! 🤯</p> <p>After a lot of trial and error, I realized Avo uses different helpers. So I tried bypassing them directly with:</p> <p><code>&lt;%= image_tag main_app.url_for(blob) %&gt;</code></p> <p>so now my blob partial will look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;figure class="attachment attachment--&lt;%= blob.representable? ? "preview" : "file" %&gt; attachment--&lt;%= blob.filename.extension %&gt;"&gt; &lt;% if blob.representable? %&gt; &lt;%= image_tag main_app.url_for(blob.representation(resize_to_limit: local_assigns[:in_gallery] ? [ 800, 600 ] : [ 1024, 768 ])) %&gt; &lt;% end %&gt; &lt;figcaption class="attachment__caption"&gt; &lt;% if caption = blob.try(:caption) %&gt; &lt;%= caption %&gt; &lt;% else %&gt; &lt;span class="attachment__name"&gt;&lt;%= blob.filename %&gt;&lt;/span&gt; &lt;span class="attachment__size"&gt;&lt;%= number_to_human_size blob.byte_size %&gt;&lt;/span&gt; &lt;% end %&gt; &lt;/figcaption&gt; &lt;/figure&gt; </code></pre> </div> <p><strong>The Solution</strong><br> The key was to bypass both helpers and generate the URL directly from Rails.</p> <p>This works because main_app references the root Rails application context:</p> <p><code>&lt;%= image_tag main_app.url_for(blob.representation(resize_to_limit: local_assigns[:in_gallery] ? [ 800, 600 ] : [ 1024, 768 ])) %&gt;</code></p> <p>Now url_for generates the URL correctly for any ActiveStorage attachment, working identically in both Rails and Avo views.<br> By leveraging the core Rails URL generation, a single rendering approach can work consistently across any frameworks layered on top of Rails. This keeps view code DRY and avoids compatibility issues.</p> <p><strong>Eureka! It worked 🎉</strong><br> Big props to the chatbots who helped clue me in - ChatGPT, Poe and especially Bard who provided the final hint. What a rollercoaster ride but so satisfying to crack it myself! 🙌</p> <p>I hope this helps you and feel free to say hi on <a href="https://twitter.com/GodsloveADY" rel="noopener noreferrer">Twitter</a>! Now back to building Modatongue.</p> rails activestorage avo gem Derrick Amenuve Wed, 12 May 2021 09:32:32 +0000 https://dev.to/godsloveady/there-is-not-only-one-right-way-4dg6 https://dev.to/godsloveady/there-is-not-only-one-right-way-4dg6 <p>Many times when we want to work on design projects we normally think of following the best practices UX design process. This is a worrying subject for almost every designer especially beginners, we tend to ask ourselves if the flow or pattern we use is the best practice when it comes to UX design. </p> <p>I have come to understand that there isn't a one-way process when it comes to designing websites, web apps or mobile apps. Your process will highly depend on the type of product you’re designing. Every project requires different approaches; the approach to designing a website for an alumni network of an institution or your alma mater differs from the way we design a cryptocurrency app(it's the new thing being talked about😀), for example.</p> <p>I think what we should really focus on as designers are to apply the concept of <a href="https://www.interaction-design.org/literature/article/5-stages-in-the-design-thinking-process" rel="noopener noreferrer">Design Thinking</a> and the principles of <a href="https://www.toptal.com/designers/ui/principles-of-design" rel="noopener noreferrer">principles of design</a>. The design thinking process has five stages in it: empathize, define, ideate, prototype, and test<br> This should be great for any kind of project ✌🏽.</p> <p>My next post will be a brief on the process I used when designing a website for my Alumni network. Stay tuned, mia ga do go🤝 (meaning we will meet again, translated from Ewe- a Ghanaian language)</p> webdev design