Rails: How to fix "Missing secret_key_base for 'production' environment"

Question

I simply can't get past the message:

Missing `secret_key_base` for 'production' environment, set this string with `rails credentials:edit` (ArgumentError)

I have Rails 5.2.0, and ran

EDITOR=vim rails credentials:edit

and inside:

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Save and, in the terminal:

RAILS_ENV=production rails c

Am I missing something? I've restarted the server and got the same issue, but have no issue in development mode.

7urkm3n · Accepted Answer · 2021-10-20T15:46:07.877

42

Keep default the secrets.yml file

# config/secrets.yml
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
  aws_secret: abcde
  some_password: abcdex

development:
  secret_key_base: static_secret_key
  aws_secret: abcde

test:
  secret_key_base: static_test_secret_key


#not_indented: key for all env in once
secret_key_base: global_key_for_all_env

RAILS_ENV=production SECRET_KEY_BASE=production_test_key rails c

If using Rails 5.2.0, add to production env below, check this LINK

config.require_master_key = true    #config/environments/production.rb

edited Oct 20 '21 at 15:46

answered Jul 22 '18 at 16:52

7urkm3n

6,054
4
29
46

2

Ensure that this secret file is inside `config` directory of your app. – vaibhavatul47 Jul 23 '18 at 03:15
7

This solution is the old way of doing things, Rails 5.2 has a better solution ("encrypted credentials"). – TomDogg Nov 10 '18 at 16:22
1

The file name should be `secrets.yml`. By the way, this solution is not working for me. – zmd94 Nov 27 '18 at 11:16
@zmd94 make sure `.yml` file indents, This method not deprecated yet. Im running 3-5 projects in production `Rails <5.1` versions. – 7urkm3n Nov 27 '18 at 15:44
7

Alright, nevermind. I find another solution for this problem by adding `config.secret_key_base = 'YourSecretKeyHere'` in my `production.rb` located at `config/environments` folder. The 'YourSecretKeyHere' can be generated by run `bundle exec rake secret` command. – zmd94 Nov 28 '18 at 03:53
@zmd94 this was the ONLY thing that would help me. I tried every other solution on this page. This problem is completely ridiculous. Rails needs some kind of official solution. – mystic cola Apr 24 '20 at 05:56
Agreed. By the way, I'm no longer used `secrets.yml` in my project. Just migrate to use `credentials.yml`. – zmd94 Apr 26 '20 at 03:19
How is this an answer? – Andrew Koster May 29 '20 at 18:56
@AndrewKoster what's yr problem ? This question had been asked 2018 based on Rails4/5 versions. – 7urkm3n May 30 '20 at 02:53
1

There are correct answers here, also from 2018. Rails 5 came out in 2016. Your answer doesn't even specify that it's for Rails 4, which is very misleading. – Andrew Koster Jun 01 '20 at 17:34

Eric Platon · Answer 2 · 2018-11-12T13:49:20.433

35

Rails 5.2.0 requires an extra stage for the production environment:

config.require_master_key = true    # in config/environments/production.rb

Without it, Rails still falls back to the legacy secret.yml mechanism (for now).

Engine Yard's Christopher Rigor has written a concise post on it. The relevant piece:

Reading the Credentials

If you want to use the credentials in the production environment, add the following to config/environments/production.rb
config.require_master_key = true

A good read to also see up and down sides.

Note: As @TomDogg found out, Rails 5.2.1 seems again different, so this answer may only apply to 5.2.0.

edited Nov 12 '18 at 13:49

answered Jul 25 '18 at 15:20

Eric Platon

9,819
6
41
48

2

No, `config.require_master_key = true` is not necessary (maybe it was necessary earlier). What is required now is `config.read_encrypted_secrets = true` – TomDogg Nov 10 '18 at 16:25
2

@TomDogg Is your comment related explictly to Rails 5.2 (the scope of the question) ? This answer is framed for 5.2, and backed by experience and the post from Rigor. It may not apply to other Rails version. – Eric Platon Nov 12 '18 at 05:54
I have Rails 5.2.1 running in front of me. It does not have `config.require_master_key` anywhere, meaning my initial comment remains valid. (And the "Second:" part in my answer is crucial to make this work, you may try it out.) – TomDogg Nov 12 '18 at 09:17
Sorry for shortcut in the above comment. The question is about 5.2.0. I am using that version too. Good to know 5.2.1 is still different. Adding a tag to the question. – Eric Platon Nov 12 '18 at 13:47
That's odd since Rails 5.2.2 definitely has `#config.require_master_key = true` in config/environments/production.rb. – TiggerToo Jun 20 '19 at 14:29
The link is broken and Engine Yard's server isn't suggesting similar links. It appears to be [on Wayback Machine](https://web.archive.org/web/20190208100100/https://www.engineyard.com/blog/rails-encrypted-credentials-on-rails-5.2) but is taking a long time to retrieve it. – the Tin Man Jan 22 '20 at 20:39
@theTinMan I have just tried now, and the link worked fine. Any temporary issue between January and now, perhaps? – Eric Platon Mar 14 '20 at 00:46
2

I'm using Rails 6 and this is still necessary. Only correct answer here. – Andrew Koster May 29 '20 at 19:18

TomDogg · Answer 3 · 2018-11-13T21:18:23.073

7

config/credentials.yml.enc:

development:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

test:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

production:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

secret_key_base: ZZZZZZZZZ
# `secret_key_base:` must NOT be indented !
# It must be put at the very start of a new line.
# There is also no need for it in development or test environment,
#   since there are no attacks to be expected.

Also make sure that you respect all YAML indention rules (i.e. 2 spaces only) as failing to do so my make loading of this file fail silently.

edited Nov 13 '18 at 21:18

answered Nov 10 '18 at 16:19

TomDogg

3,803
5
33
60

@7urkm3n - Done, hombre. – TomDogg Nov 13 '18 at 21:12
1

@7urkm3n Well, this is simply following how Rails now handles credentials (with encryption). Of course you're free to think that the old way is better for some reason. If you're not sure, just read the relevant blog posts that explain the rationale behind it. – TomDogg Nov 13 '18 at 22:15

score 5 · Answer 4 · answered Aug 24 '18 at 15:38

5

There are no production: development: and test: environment tags in the credentials file. Further information in this DHH's post: https://github.com/rails/rails/pull/30067

So write directly

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Please don't confuse master key with the secret key base. The master key is used to open the credentials encrypted file.

Switching back to the previous secrets system should not be the solution, nor the accepted answer.

answered Aug 24 '18 at 15:38

LightMan

3,517
31
31

Yes, you **can** have a hierarchical structure in the credentials file, using keys such as for example `production:`, `development:` and `test:`. – TomDogg Nov 10 '18 at 16:20
1

I didn't say that you cannot have hierarchical structure, of course you can, read the whole post. With secrets if you have a key X under production: it accessed directly by Rails.application.secrets.X Using credentials it should be something like Rails.application.credentials.dig(:production, :X). In 'secrets' the environment is automatically selected. If you use credentials is not advisable to use this categories, just use a different credentials file for each environment and forget about production, development or test. This case if use is similar to the .env file. – LightMan Nov 13 '18 at 12:24

score 5 · Answer 5 · answered Apr 20 '20 at 05:57

5

Secret_key_base isn't properly setting. It's a known issue not getting enough attention: https://github.com/rails/rails/issues/32947

Generate the keys with:

EDITOR=vim rails credentials:edit

Record the key. Save in config/master.key.

SECRET_KEY_BASE=`cat config/master.key` bin/rails assets:precompile

This is the solution I came to. I really don't like how I've been forced to put it though an environment variable. If someone has more information to bring to my attention on how master.key and such work, please do comment.

answered Apr 20 '20 at 05:57

RWDJ

734
8
13

Your answer is wrong. It equals SECRET_KEY_BASE=dummy . "dummy" works very well in the Dockerfile with secrets.yml in the old fashion. Environment has real SECRET_KEY_BASE not accessible docker build time. Thx for direction. – Aivils Štoss May 27 '20 at 11:28
Edit: I'll look back at this later. – RWDJ May 27 '20 at 17:47

bjelli · Answer 6 · 2023-04-21T15:28:47.460

4

I ran into this problem when deploying my rails app to dokku using a Dockerfile. My solution:

the file config/secrets.yml references an environment variable:

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

I need to set this variable using the dokku command line (either directly on the server, or using the dokku-cli gem on my development machine). Using dokku-cli I can do this remotely like so:

dokku config:set SECRET_KEY_BASE=blalbalblablahblablah

or if I log into the server and run the dokku command there it's

dokku config:set myrailsapplication SECRET_KEY_BASE=blalbalblablahblablah

edited Apr 21 '23 at 15:28

answered Aug 28 '20 at 11:04

bjelli

9,752
4
35
50

It should be `dokku config:set SECRET_KEY_BASE=blalbalblablahblablah` – MECU Apr 20 '23 at 16:08
1

ah, I use dokku-cli from my development machine, then I don't have to specify the application. it's read from the git remote dokku. I've added more details on this – bjelli Apr 21 '23 at 15:29

score 3 · Answer 7 · answered May 04 '20 at 12:13

Avoid putting secret_key_base under environment tag. Put it above it.

This is wrong:

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
   some_other_key: xxx

Try this instead:

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
production:
   some_other_key: xxx

Promise Preston · Answer 8 · 2020-10-14T10:50:21.453

I experienced this same issue when working on a Rails 5.2 application in production.

I already had other things set up. The problem for me was not that the secret_key_base wasn't set properly, it was rather because of the Passing the environment's name as a regular argument like below is deprecated

rails c RAILS_ENV=production

If you look at your error log generated closely from its top you will see this:

DEPRECATION WARNING: Passing the environment's name as a regular argument is deprecated and will be removed in the next Rails version. Please, use the -e option instead. (called from at bin/rails:9)

To run the rails console in a different environment, use the -e option like this:

rails console -e production

Note: Setting the secret_key_base in the secrets.yml file is not safe, as it's not a secure way of storing the key, please use the encrypted credential.yml file and the master key to decrypt it.

That's all.

I hope this helps

Rails: How to fix "Missing secret_key_base for 'production' environment"

8 Answers8

Reading the Credentials

Linked