Rails gotchas #1: credentials

December 31, 2019

Rails offers a command-line tool for storing credentials:

$ rails credentials:edit

So, at some later point, you might want to set up or edit a credentials file for development:

$ rails credentials:edit -e development

And then you want to check the credentials file for production:

$ rails credentials:edit -e production

and then think: wait... it's empty. So next you exit the editor. If you then happen to restart the production web server, you get a wall of text and, at the end, this error message:

Missing secret_key_base for 'production' environment, set this string with rails credentials:edit (ArgumentError)

The next part of the gotcha comes when you actually look into your credentials file again, as the error message suggested:

$ rails credentials:edit

There's your secret_key_base that Rails has set up for you. So what the heck is going on? This command edits your master credentials, which live in:

config/master.key

config/credentials.yml.enc

Master credentials vs. production credentials

So, when you execute

$ rails credentials:edit -e production

it will create 2 files:

config/credentials/production.key

config/credentials/production.yml.enc

Important Notes:

  • It will even write those files if you exit your editor without saving!
  • If Rails finds those two files for production in config/credentials/, it will look no further and will not use the master credentials.
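A preflight check for the behaviour described above, as an added example (not from the original post or from Rails itself): it reports which environments have their own credential files and therefore ignore the master pair. It assumes that the presence of config/credentials/<env>.yml.enc is what triggers the switch; the function names and the sample tree are constructed for illustration.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Model of the lookup described above: environment-specific files, when
# present, are used instead of the master pair. Assumption: the presence of
# config/credentials/<env>.yml.enc is what triggers the switch.
def credentials_source(root, env)
  root = Pathname(root)
  env_content = root.join("config", "credentials", "#{env}.yml.enc")
  if env_content.exist?
    { scope: env, content: env_content,
      key: root.join("config", "credentials", "#{env}.key") }
  else
    { scope: "master", content: root.join("config", "credentials.yml.enc"),
      key: root.join("config", "master.key") }
  end
end

# List every environment whose own files shadow the master credentials, so a
# pair left behind by an accidental `credentials:edit -e <env>` is noticed
# before the web server is restarted.
def shadowed_environments(root, envs = %w[development test production])
  envs.map do |env|
    src = credentials_source(root, env)
    next if src[:scope] == "master"
    { env: env, content: src[:content].to_s, key_present: src[:key].exist? }
  end.compact
end

# Constructed sample tree: the master pair plus the production pair created
# by `rails credentials:edit -e production`. File contents are placeholders.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "config", "credentials"))
    %w[master.key credentials.yml.enc credentials/production.key
       credentials/production.yml.enc].each do |rel|
      File.write(File.join(root, "config", rel), "placeholder")
    end
    shadowed_environments(root).map { |hit| hit[:env] }
  end
end

puts "environments shadowing the master credentials: #{demo.join(', ')}"
```

Run from a deploy script or CI job, `shadowed_environments(Dir.pwd)` returning a non-empty list is the cue to confirm that the environment file really contains secret_key_base.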

My solution

I deleted the 2 files:

$ rm config/credentials/production.key
$ rm config/credentials/production.yml.enc

As an alternative, you could port all credentials over into the other file, but I had difficulties doing so because I couldn't copy+paste the buffer from vim (using the decryption wrapper), as I couldn't open the other credential files as a buffer directly.