
How to set RAILS_PRODUCTION_KEY config var on a Rails 6 app on Heroku

I created a new Rails 6 app, and since it supports Multi Environment Credentials I'm trying to use the RAILS_PRODUCTION_KEY config var and delete the default RAILS_MASTER_KEY:

heroku config:unset RAILS_MASTER_KEY 
heroku config:set RAILS_PRODUCTION_KEY=`cat config/credentials/production.key`

This doesn't work, however, and I was able to get it to work after setting RAILS_MASTER_KEY to the production key:

heroku config:unset RAILS_PRODUCTION_KEY
heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`

How do I get Heroku to recognize RAILS_PRODUCTION_KEY in a Rails 6 app?

asked Aug 29 '20 00:08

vince



1 Answer

I struggled with figuring out this issue, too. (It's not a Heroku-specific issue.)

Bottom line: an environment variable named RAILS_PRODUCTION_KEY (or any other Rails environment-flavored variable name) is not a thing–Rails doesn't pay attention to it.

From the (weak, IMO) Rails documentation on the Rails 6 credentials feature, I had wrongly assumed that the production key (either in the RAILS_PRODUCTION_KEY env variable or config/credentials/production.key) would decrypt config/credentials/production.yml.enc, the master key (either in the RAILS_MASTER_KEY env variable or config/master.key) would decrypt config/credentials.yml.enc, and that a value for a given secrets key in config/credentials/production.yml.enc would override the value for that key in config/credentials.yml.enc. This is not the case.

This is how it actually works:

  1. Rails 6 uses a single key to decrypt a single encrypted secrets file.
  2. The default location of the decryption key is config/master.key and the default location of the secrets file is config/credentials.yml.enc.
  3. If an environment variable of RAILS_MASTER_KEY is defined, Rails will read the decryption key from the environment variable, not from config/master.key.
  4. When running in a given Rails environment (production/development/etc.), if a corresponding secrets file exists in config/credentials (e.g., config/credentials/production.yml.enc), then Rails will use that secrets file only, and it will use the corresponding decryption key (e.g., config/credentials/production.key) only to decrypt it.
  5. If an environment variable of RAILS_MASTER_KEY is defined, Rails will read the decryption key from the environment variable, not from the decryption key file. NOTE: regardless of the Rails environment, the environment variable that overrides the decryption key file is always RAILS_MASTER_KEY.

answered Nov 15 '22 15:11

Ed Ruder
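
The lookup rules listed in the answer above, modeled in plain Ruby as an added example (not code from the answer or from Rails). The names `resolve_credentials` and `sample_app`, the temporary directory layout and the key values are constructed for illustration; the model also reports variables shaped like RAILS_<ENV>_KEY, which are never consulted.

```ruby
require "tmpdir"
require "fileutils"

# Model of the lookup rules listed in the answer (assumption: not Rails' own code).
# root: app directory, rails_env: e.g. "production", env: a Hash standing in for ENV.
def resolve_credentials(root, rails_env, env)
  env_file = File.join(root, "config", "credentials", "#{rails_env}.yml.enc")
  if File.exist?(env_file)
    # A per-environment file exists: it is the only file used, with its own key file.
    content  = env_file
    key_file = File.join(root, "config", "credentials", "#{rails_env}.key")
  else
    content  = File.join(root, "config", "credentials.yml.enc")
    key_file = File.join(root, "config", "master.key")
  end

  # RAILS_MASTER_KEY is the only variable consulted, whatever the environment.
  # This model treats an empty value as unset.
  master = env["RAILS_MASTER_KEY"].to_s
  key_source = if !master.empty? then "ENV[RAILS_MASTER_KEY]"
               elsif File.exist?(key_file) then key_file
               end # nil: no key available, so decryption would fail

  # Variables shaped like RAILS_<ENV>_KEY are never read; report them.
  ignored = env.keys.grep(/\ARAILS_\w+_KEY\z/) - ["RAILS_MASTER_KEY"]
  { content: content.delete_prefix("#{root}/"),
    key_source: key_source&.delete_prefix("#{root}/"),
    ignored: ignored }
end

# Constructed sample layout: both credential files present, no key files
# (as on a deploy where the *.key files are kept out of the repository).
def sample_app
  root = Dir.mktmpdir("creds-demo")
  FileUtils.mkdir_p(File.join(root, "config", "credentials"))
  FileUtils.touch(File.join(root, "config", "credentials.yml.enc"))
  FileUtils.touch(File.join(root, "config", "credentials", "production.yml.enc"))
  root
end

if __FILE__ == $PROGRAM_NAME
  root = sample_app
  p resolve_credentials(root, "production", { "RAILS_PRODUCTION_KEY" => "constructed-key" })
  p resolve_credentials(root, "production", { "RAILS_MASTER_KEY" => "constructed-key" })
  p resolve_credentials(root, "development", {})
  FileUtils.remove_entry(root)
end
```

The first call mirrors the question's failing setup: the production file is selected, no key source is found, and RAILS_PRODUCTION_KEY shows up under `ignored`.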