Heroku Symbol

OBSOLETE

The functionality was merged and released in Heroku Toolbelt 3.12.1 (patch).

Introduction

Enable symbolic attachment rendering of the config_var endpoint in the heroku config index view only.

Install it with:

heroku plugins:install [email protected]:heroku/heroku-symbol.git

Why

Resource symbols provide a number of improvements to the user experience:

• Allow unambiguous creation of attachments between apps via config:set.

• Obscure sensitive connection strings and secrets when printing to the console.

• Prevent secrets from leaking into bash history as customers use config:set with cut-and-paste from config.

• Show meaningful values to user that help them associate config vars with the resources they own.

• Allow showing meaningful errors to users if they try to create an invalid attachment.

They aren't designed to completely block access to sensitive information and will still provide a mechanism for users to reveal their secrets when necessary.

The prior text was adapted from a writeup by Brandur Leach.

Examples

Before:

$ heroku config -a my-app
=== my-app Config Vars
DATABASE_URL:               postgres://AHH:[email protected]:5592/d8juojj9drtgve
HEROKU_POSTGRESQL_GOLD_URL: postgres://AHH:[email protected]:5592/d8juojj9drtgve

After:

$ heroku config -a my-app
=== my-app Config Vars
DATABASE_URL:               @ref:imagining-nobly-9265:url
HEROKU_POSTGRESQL_GOLD_URL: @ref:imagining-nobly-9265:url

One can suppress heroku-symbol's behavior even after it is installed by setting DISABLE_HEROKU_SYMBOL=1:

$ DISABLE_HEROKU_SYMBOL=1 heroku config -a my-app
=== my-app Config Vars
DATABASE_URL:               postgres://AHH:[email protected]:5592/d8juojj9drtgve
HEROKU_POSTGRESQL_GOLD_URL: postgres://AHH:[email protected]:5592/d8juojj9drtgve

Implementation

What is included is a copy of the original heroku config commmand implementation, with the minor addition of including the symbolic=true parameter:

      vars = if options[:shell]
               api.get_config_vars(app).body
             else
               api.request(
                 :expects  => 200,
                 :method   => :get,
                 :path     => "/apps/#{app}/config_vars",
                 :query    => { "symbolic" => true }
               ).body
             end

Note that the symbol behavior is suppressed should one use the -s a.k.a. --shell:

$ heroku config -s -a my-app
DATABASE_URL=postgres://AHH:[email protected]:5592/d8juojj9drtgve
HEROKU_POSTGRESQL_GOLD_URL=postgres://AHH:[email protected]:5592/d8juojj9drtgve