Setting up GCS, encrypted credentials and ActiveStorage

I’ve spent a while today trying to set up ActiveStorage properly in a new Rails application. The current Rails guides suggest declaring the following service in the config/storage.yml file:

    google:
      service: GCS
      credentials:
        type: "service_account"
        project_id: ""
        private_key_id: <%= Rails.application.credentials.dig(:gcs, :private_key_id) %>
        private_key: <%= Rails.application.credentials.dig(:gcs, :private_key) %>
        client_email: ""
        client_id: ""
        auth_uri: ""
        token_uri: ""
        auth_provider_x509_cert_url: ""
        client_x509_cert_url: ""
      project: ""
      bucket: ""

It looks pretty straightforward, but there’s a good chance that you’ll see an OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key: nested asn1 error) or a YAML parser error when you try to launch the app. The main issue is the private_key line, which tries to inject a multiline RSA key into storage.yml. The easiest workaround that I’ve found so far looks like this:

    private_key: "<%= Rails.application.credentials.dig(:gcs, :private_key).lines.join("\\n") %>"

I haven’t found this issue mentioned anywhere in the docs, so I think this little trick may be handy until it’s solved officially in a more elegant way.
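
To see why the bare interpolation fails and what the workaround changes, here is an added example (not from the original post or the Rails guides) that runs four variants of the private_key line through ERB and then YAML. The sample key is a constructed placeholder, `key` stands in for the credentials lookup, and the `dump` variant (String#dump) is an alternative included for comparison:

```ruby
require "erb"
require "yaml"

# Constructed stand-in for the multiline PEM kept in credentials (not a real key).
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\nBBBB\n-----END PRIVATE KEY-----\n"

# "name: ERB expression", typed exactly as it would appear after `private_key:`
# in storage.yml. `key` stands in for
# Rails.application.credentials.dig(:gcs, :private_key).
VARIANTS = <<~'EOS'.lines.to_h { |line| line.chomp.split(": ", 2) }
  bare: <%= key %>
  quoted: "<%= key %>"
  workaround: "<%= key.lines.join("\\n") %>"
  dump: <%= key.dump %>
EOS

# Evaluate ERB first, then parse YAML (the order in which storage.yml is read).
# Returns the parsed private_key, or the exception class if YAML parsing fails.
def load_private_key(expr, key)
  template = "google:\n  service: GCS\n  credentials:\n    private_key: #{expr}\n"
  rendered = ERB.new(template).result_with_hash(key: key)
  YAML.safe_load(rendered).dig("google", "credentials", "private_key")
rescue Psych::SyntaxError => e
  e.class
end

# PEM comparison that ignores trailing whitespace on each line.
def same_pem_lines?(a, b)
  a.lines.map(&:strip) == b.lines.map(&:strip)
end

# Run every variant against the same key and collect the results by name.
def compare(key = SAMPLE_KEY)
  VARIANTS.transform_values { |expr| load_private_key(expr, key) }
end

if $PROGRAM_NAME == __FILE__
  compare.each { |name, value| puts "#{name.ljust(10)} #{value.inspect}" }
end
```

The bare form stops at the YAML parser, and the quoted form parses but folds the key onto a single line, so its PEM line structure is gone. The workaround keeps the line structure with trailing whitespace on each line, while `dump` returns the value unchanged.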


I'm Kuba Kuźma — Ruby on Rails and JavaScript Developer
