I created a new Rails 6 app and since it supports Multi Environment Credentials I'm trying to use the RAILS_PRODUCTION_KEY
config var and delete the default RAILS_MASTER_KEY
heroku config:unset RAILS_MASTER_KEY
heroku config:set RAILS_PRODUCTION_KEY=`cat config/credentials/production.key`
This doesn't work however, and I was able to get it to work after setting RAILS_MASTER_KEY
to the production key
heroku config:unset RAILS_PRODUCTION_KEY
heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`
How do I get Heroku to recognize RAILS_PRODUCTION_KEY
in a Rails 6 app?
Whenever you set or remove a config var using any method, your app is restarted and a new release is created. Config var values are persistent–they remain in place across deploys and app restarts. Unless you need to change a value, you only need to set it once.
The first step is to log into your account and go to the Heroku dashboard. Figure 1 illustrates my dashboard. Choose the application for which you want to set the environment variables. Once you select the application, it takes you to the overview page of that project.
Heroku config vars are designed to be safe for storing sensitive information. All config vars are stored in an encrypted form and safely stored. These are only decrypted and loaded when booting your app in a dyno itself.
I struggled with figuring out this issue, too. (It's not a Heroku-specific issue.)
Bottom line: an environment variable named RAILS_PRODUCTION_KEY
(or any other Rails environment-flavored variable name) is not a thing–Rails doesn't pay attention to it.
From the (weak, IMO) Rails documentation on the Rails 6 credentials feature, I had wrongly assumed that the production key (either in the RAILS_PRODUCTION_KEY
env variable or config/credentials/production.key
) would decrypt config/credentials/production.yml.enc
, the master key (either in the RAILS_MASTER_KEY
env variable or config/master.key
) would decrypt config/credentials.yml.enc
, and that a value for a given secrets key in config/credentials/production.yml.enc
would override the value for that key in config/credentials.yml.enc
. This is not the case.
This is how it actually works:
config/master.key
and the default location of the secrets file is config/credentials.yml.enc
.RAILS_MASTER_KEY
is defined, Rails will read the decryption key from the environment variable, not from config/master.key
.production
/development
/etc.), if a corresponding secrets file exists in config/credentials
(e.g., config/credentials/production.yml.enc
), then Rails will use that secrets file only, and it will use the corresponding decryption key (e.g., config/credentials/production.key
) only to decrypt it.RAILS_MASTER_KEY
is defined, Rails will read the decryption key from the environment variable, not from the decryption key file. NOTE: regardless of the Rails environment, the environment variable that overrides the decryption key file is always RAILS_MASTER_KEY
.If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With