Login/Register
Rails: How to fix "Missing secret_key_base for 'production' environment"
Asked Answered
Solved ruby-on-railsruby-on-rails-5ruby-on-rails-5.2
M

8

54

I simply can't get past the message:

Missing `secret_key_base` for 'production' environment, set this string with `rails credentials:edit` (ArgumentError)

I have Rails 5.2.0, and ran

EDITOR=vim rails credentials:edit

and inside:

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Save and, in the terminal:

RAILS_ENV=production rails c

Am I missing something? I've restarted the server and got the same issue, but have no issue in development mode.

Mensal answered 22/7, 2018 at 16:3 Comment(0)
S
45

Rails v4/5

Keep default the secrets.yml file

# config/secrets.yml
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  aws_secret: abcde
  some_password: abcdex

development:
  secret_key_base: static_secret_key
  aws_secret: abcde

test:
  secret_key_base: static_test_secret_key


#not_indented: key for all env in once
secret_key_base: global_key_for_all_env

RAILS_ENV=production SECRET_KEY_BASE=production_test_key rails c

Rails v5.2.0 add to production env below, check this LINK

config.require_master_key = true    #config/environments/production.rb

Rails v7 https://blog.assistancy.be/blog/how-to-store-credentials-in-rails-7/

Sheelagh answered 22/7, 2018 at 16:52 Comment(10)
Ensure that this secret file is inside config directory of your app.Lucrece
This solution is the old way of doing things, Rails 5.2 has a better solution ("encrypted credentials").Coopersmith
The file name should be secrets.yml. By the way, this solution is not working for me.Rehabilitate
@Rehabilitate make sure .yml file indents, This method not deprecated yet. Im running 3-5 projects in production Rails <5.1 versions.Sheelagh
Alright, nevermind. I find another solution for this problem by adding config.secret_key_base = 'YourSecretKeyHere' in my production.rb located at config/environments folder. The 'YourSecretKeyHere' can be generated by run bundle exec rake secret command.Rehabilitate
@Rehabilitate this was the ONLY thing that would help me. I tried every other solution on this page. This problem is completely ridiculous. Rails needs some kind of official solution.Couple
Agreed. By the way, I'm no longer used secrets.yml in my project. Just migrate to use credentials.yml.Rehabilitate
How is this an answer?Pivoting
@AndrewKoster what's yr problem ? This question had been asked 2018 based on Rails4/5 versions.Sheelagh
There are correct answers here, also from 2018. Rails 5 came out in 2016. Your answer doesn't even specify that it's for Rails 4, which is very misleading.Pivoting
G
37

Rails 5.2.0 requires an extra stage for the production environment:

config.require_master_key = true    # in config/environments/production.rb

Without it, Rails still falls back to the legacy secret.yml mechanism (for now).

Engine Yard's Christopher Rigor has written a concise post on it. The relevant piece:

Reading the Credentials

If you want to use the credentials in the production environment, add the following to config/environments/production.rb

config.require_master_key = true

A good read to also see up and down sides.

Note: As @TomDogg found out, Rails 5.2.1 seems again different, so this answer may only apply to 5.2.0.

Gimcrackery answered 25/7, 2018 at 15:20 Comment(8)
No, config.require_master_key = true is not necessary (maybe it was necessary earlier). What is required now is config.read_encrypted_secrets = trueCoopersmith
@Coopersmith Is your comment related explictly to Rails 5.2 (the scope of the question) ? This answer is framed for 5.2, and backed by experience and the post from Rigor. It may not apply to other Rails version.Gimcrackery
I have Rails 5.2.1 running in front of me. It does not have config.require_master_key anywhere, meaning my initial comment remains valid. (And the "Second:" part in my answer is crucial to make this work, you may try it out.)Coopersmith
Sorry for shortcut in the above comment. The question is about 5.2.0. I am using that version too. Good to know 5.2.1 is still different. Adding a tag to the question.Gimcrackery
That's odd since Rails 5.2.2 definitely has #config.require_master_key = true in config/environments/production.rb.Descartes
The link is broken and Engine Yard's server isn't suggesting similar links. It appears to be on Wayback Machine but is taking a long time to retrieve it.Ceramics
@theTinMan I have just tried now, and the link worked fine. Any temporary issue between January and now, perhaps?Gimcrackery
I'm using Rails 6 and this is still necessary. Only correct answer here.Pivoting
C
7

config/credentials.yml.enc:

development:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

test:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

production:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

secret_key_base: ZZZZZZZZZ
# `secret_key_base:` must NOT be indented !
# It must be put at the very start of a new line.
# There is also no need for it in development or test environment,
#   since there are no attacks to be expected.

Also make sure that you respect all YAML indention rules (i.e. 2 spaces only) as failing to do so my make loading of this file fail silently.

Coopersmith answered 10/11, 2018 at 16:19 Comment(2)
@Sheelagh - Done, hombre.Coopersmith
@Sheelagh Well, this is simply following how Rails now handles credentials (with encryption). Of course you're free to think that the old way is better for some reason. If you're not sure, just read the relevant blog posts that explain the rationale behind it.Coopersmith
B
6

Secret_key_base isn't properly setting. It's a known issue not getting enough attention: https://github.com/rails/rails/issues/32947

Generate the keys with:

EDITOR=vim rails credentials:edit

Record the key. Save in config/master.key.

SECRET_KEY_BASE=`cat config/master.key` bin/rails assets:precompile

This is the solution I came to. I really don't like how I've been forced to put it though an environment variable. If someone has more information to bring to my attention on how master.key and such work, please do comment.

Boleyn answered 20/4, 2020 at 5:57 Comment(2)
Your answer is wrong. It equals SECRET_KEY_BASE=dummy . "dummy" works very well in the Dockerfile with secrets.yml in the old fashion. Environment has real SECRET_KEY_BASE not accessible docker build time. Thx for direction.Triclinic
Edit: I'll look back at this later.Boleyn
D
5

There are no production: development: and test: environment tags in the credentials file. Further information in this DHH's post: https://github.com/rails/rails/pull/30067

So write directly

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Please don't confuse master key with the secret key base. The master key is used to open the credentials encrypted file.

Switching back to the previous secrets system should not be the solution, nor the accepted answer.

Dasha answered 24/8, 2018 at 15:38 Comment(2)
Yes, you can have a hierarchical structure in the credentials file, using keys such as for example production:, development: and test:.Coopersmith
I didn't say that you cannot have hierarchical structure, of course you can, read the whole post. With secrets if you have a key X under production: it accessed directly by Rails.application.secrets.X Using credentials it should be something like Rails.application.credentials.dig(:production, :X). In 'secrets' the environment is automatically selected. If you use credentials is not advisable to use this categories, just use a different credentials file for each environment and forget about production, development or test. This case if use is similar to the .env file.Dasha
S
4

I ran into this problem when deploying my rails app to dokku using a Dockerfile. My solution:

the file config/secrets.yml references an environment variable:

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

I need to set this variable using the dokku command line (either directly on the server, or using the dokku-cli gem on my development machine). Using dokku-cli I can do this remotely like so:

dokku config:set SECRET_KEY_BASE=blalbalblablahblablah

or if I log into the server and run the dokku command there it's

dokku config:set myrailsapplication SECRET_KEY_BASE=blalbalblablahblablah
Schinica answered 28/8, 2020 at 11:4 Comment(2)
It should be dokku config:set <appname> SECRET_KEY_BASE=blalbalblablahblablahStationery
ah, I use dokku-cli from my development machine, then I don't have to specify the application. it's read from the git remote dokku. I've added more details on thisSchinica
F
3

Avoid putting secret_key_base under environment tag. Put it above it.

This is wrong: 

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
   some_other_key: xxx

Try this instead: 

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
production:
   some_other_key: xxx
Furriery answered 4/5, 2020 at 12:13 Comment(0)
C
2

I experienced this same issue when working on a Rails 5.2 application in production.

I already had other things set up. The problem for me was not that the secret_key_base wasn't set properly, it was rather because of the Passing the environment's name as a regular argument like below is deprecated

rails c RAILS_ENV=production

If you look at your error log generated closely from its top you will see this:

DEPRECATION WARNING: Passing the environment's name as a regular argument is deprecated and will be removed in the next Rails version. Please, use the -e option instead. (called from at bin/rails:9)

To run the rails console in a different environment, use the -e option like this:

rails console -e production

Note: Setting the secret_key_base in the secrets.yml file is not safe, as it's not a secure way of storing the key, please use the encrypted credential.yml file and the master key to decrypt it.

That's all.

I hope this helps

Clearance answered 8/2, 2020 at 19:41 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.