vince

Reputation: 2848

How to set RAILS_PRODUCTION_KEY config var on a Rails 6 app on Heroku

I created a new Rails 6 app, and since it supports Multi Environment Credentials, I'm trying to use the RAILS_PRODUCTION_KEY config var and delete the default RAILS_MASTER_KEY:

heroku config:unset RAILS_MASTER_KEY 
heroku config:set RAILS_PRODUCTION_KEY=`cat config/credentials/production.key`

This doesn't work, however, and I was able to get it to work after setting RAILS_MASTER_KEY to the production key:

heroku config:unset RAILS_PRODUCTION_KEY
heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`

How do I get Heroku to recognize RAILS_PRODUCTION_KEY in a Rails 6 app?

Upvotes: 12

Views: 2395

Answers (1)

Ed Ruder

Reputation: 608

I struggled with figuring out this issue, too. (It's not a Heroku-specific issue.)

Bottom line: an environment variable named RAILS_PRODUCTION_KEY (or any other Rails environment-flavored variable name) is not a thing. Rails doesn't pay attention to it.

From the (weak, IMO) Rails documentation on the Rails 6 credentials feature, I had wrongly assumed that the production key (either in the RAILS_PRODUCTION_KEY env variable or config/credentials/production.key) would decrypt config/credentials/production.yml.enc, the master key (either in the RAILS_MASTER_KEY env variable or config/master.key) would decrypt config/credentials.yml.enc, and that a value for a given secrets key in config/credentials/production.yml.enc would override the value for that key in config/credentials.yml.enc. This is not the case.

This is how it actually works:

  1. Rails 6 uses a single key to decrypt a single encrypted secrets file.
  2. The default location of the decryption key is config/master.key and the default location of the secrets file is config/credentials.yml.enc.
  3. If an environment variable of RAILS_MASTER_KEY is defined, Rails will read the decryption key from the environment variable, not from config/master.key.
  4. When running in a given Rails environment (production/development/etc.), if a corresponding secrets file exists in config/credentials (e.g., config/credentials/production.yml.enc), then Rails will use that secrets file only, and it will use the corresponding decryption key (e.g., config/credentials/production.key) only to decrypt it.
  5. If an environment variable of RAILS_MASTER_KEY is defined, Rails will read the decryption key from the environment variable, not from the decryption key file. NOTE: regardless of the Rails environment, the environment variable that overrides the decryption key file is always RAILS_MASTER_KEY.

Upvotes: 31
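
The lookup order described in the answer above, as an added sketch (not part of the answer and not Rails' own code). The function and helper names are hypothetical, the app tree is constructed, and treating an empty RAILS_MASTER_KEY as unset and a deploy without key files are assumptions.

```ruby
require "tmpdir"
require "fileutils"

# Sketch of the lookup order the answer describes; not Rails' own source.
def resolve_credentials(root, rails_env, env = ENV)
  dir = File.join(root, "config")
  env_file = File.join(dir, "credentials", "#{rails_env}.yml.enc")
  if File.exist?(env_file)
    # Point 4: an environment-specific file, when present, is the only one used.
    content = env_file
    key_file = File.join(dir, "credentials", "#{rails_env}.key")
  else
    # Point 2: the defaults.
    content = File.join(dir, "credentials.yml.enc")
    key_file = File.join(dir, "master.key")
  end
  # Points 3 and 5: RAILS_MASTER_KEY overrides whichever key file applies.
  # Assumption: an empty value counts as unset.
  key_source =
    if !env["RAILS_MASTER_KEY"].to_s.empty?
      "ENV[RAILS_MASTER_KEY]"
    elsif File.exist?(key_file)
      key_file
    end
  # Names like RAILS_PRODUCTION_KEY are never read; surface them as a deploy check.
  ignored = env.keys.grep(/\ARAILS_(?!MASTER_)\w+_KEY\z/)
  { content: content, key_source: key_source, ignored_vars: ignored }
end

# Constructed app tree (placeholder file contents) for trying the resolver offline.
def with_sample_app(files)
  Dir.mktmpdir do |root|
    files.each do |rel|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "placeholder")
    end
    yield root
  end
end

# Assumed deploy matching the question: key files are not shipped with the app.
DEPLOYED = %w[config/credentials.yml.enc config/credentials/production.yml.enc].freeze
if $PROGRAM_NAME == __FILE__
  with_sample_app(DEPLOYED) do |root|
    p resolve_credentials(root, "production", { "RAILS_PRODUCTION_KEY" => "constructed" })
    p resolve_credentials(root, "production", { "RAILS_MASTER_KEY" => "constructed" })
  end
end
```

A `key_source` of `nil` together with a non-empty `ignored_vars` is the situation in the question: the production credentials file is selected, but no key Rails will read is available.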
