Why are my rails credentials for digital ocean spaces not being found after deploying?

Question

I'm having an issue deploying my rails 6 app to Digital Ocean using spaces. After the deploy, the webserver fails. In the Puma logs I find:

Unable to load application: Aws::Sigv4::Errors::MissingCredentialsError: missing credentials, provide credentials with one of the following options:
Feb 05 03:33:25:   - :access_key_id and :secret_access_key
Feb 05 03:33:25:   - :credentials
Feb 05 03:33:25:   - :credentials_provider

Here is my relevant rails setup:

gem file

gem 'aws-sdk-s3'

config/storage.yml

digitalocean_spaces:
  service: S3
  access_key_id: <%= Rails.application.credentials.dig(:digitalocean_spaces, :access_key_id) %>
  secret_access_key: <%= Rails.application.credentials.dig(:digitalocean_spaces, :secret_access_key) %>
  region: nyc3
  endpoint: 'https://nyc3.digitaloceanspaces.com'
  bucket: foobar-bucket

environments/production.rb

config.active_storage.service = :digitalocean_spaces

credentials.yml.enc

digitalocean_spaces:
  access_key_id: foobar
  secret_access_key: secretfoobar

Answer 1

When you generated the credentials file by executing EDITOR="nano -w" rails credentials:edit --environment production, after saving something like this was printed to the console:

Adding config/credentials/production.key to store the encryption key: c1463bd04a5521e81cbe2a496a91af52

Save this in a password manager your team can access.

If you lose the key, no one, including you, can access anything encrypted with it.

      create  config/credentials/production.key

Ignoring config/credentials/production.key so it won't end up in Git history:

      append  .gitignore

The server must know the key in order to decrypt the credentials.

I was using DO Apps and had to go to my app -> Settings -> App-Level Environment Variables -> Edit and add RAILS_MASTER_KEY which contains the generated key