 

What's the point of secrets.yml if I still have to load variables from environment?

I decided to use the secrets.yml file as a way for me to easily transfer my variables to my app's production server. Once I open up the file, this is what I notice:

development:
  secret_key_base: 61a3857f1ddc140836......

test:
  secret_key_base: 6041df556cf0feb5e.....

# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

As you can see, for the production part, it says "Do not keep production secrets in the repository, instead read values from the environment"

I don't know about other people, but it's so obvious to me that if I do this, it will completely defeat the purpose of the secrets.yml itself. I want to use secrets.yml myself so that I do not have to set the environment variables one by one via the terminal on the production server anymore, but then if I still need to do this even if I am using the secrets.yml now, then what's the point?

Setting up and transferring variables from development to production has been bugging me for a really long time. I have been trying to look everywhere but no one seems to be really clear about the process from start to finish. So, sorry if this seems like a stupid question.

Ryzal Yusoff asked Sep 05 '25 01:09



2 Answers

secrets.yml should not be used to keep production secret keys. The reason is that you don't want to commit them to version control. It is not safe.

There are a couple of good benefits this file provides that you probably overlooked:

  1. You may actually need your secrets to be different values in different environments - using production keys in development mode may not be needed or desirable. E.g. AWS_BUCKET_NAME: development vs production

  2. Some of your code may rely on the existence of secret keys; a nil value may break the program.

  3. It is helpful to have documentation of which keys exist on production, even if incorrect values.

Tip: you can set all env variables in terminal with one command. Just list them all.

config:set FIRST_SECRET=value SECOND_SECRET=value THIRD_SECRET=value ...
Petr Gazarov answered Sep 07 '25 06:09



It's just a yaml file. It can contain anything, particularly if you don't have it in version control.

Where I work, we do not include the secrets.yml in version control (I don't like managing ENV variables all over the place either). All of our staging and production machines only ever run in production mode. The secrets.yml file is automatically created if it is not present, as part of the deployment process. This is done without developer intervention, and the file is inaccessible to most users. The contents of the generated file look like this:

production:
  secret_key_base: some_big_random_secret_here
Brad Werth answered Sep 07 '25 06:09

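Putting the two answers together, here is an added Ruby example (not code from either answer, nor from Rails itself) of the deploy-time step the second answer describes and the "nil key breaks the program" check from the first: it creates a production-only secrets.yml with a random secret_key_base and owner-only permissions if the file is missing, loads it the way Rails does (ERB, then YAML, so the `<%= ENV[...] %>` form from the question still works), and reports required keys that came back empty. The helper names and the required-key list are assumptions.

```ruby
require "erb"
require "yaml"
require "securerandom"
require "tmpdir"

# Hypothetical deploy helper: create config/secrets.yml only if it does not
# exist yet, with a fresh 128-hex-char secret and mode 0600 (owner-only).
# Returns true when the file was created, false when it was already there.
def ensure_production_secrets!(path)
  return false if File.exist?(path)
  content = { "production" => { "secret_key_base" => SecureRandom.hex(64) } }
  # O_EXCL makes creation fail rather than clobber a file that appears
  # between the existence check and the open.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(YAML.dump(content))
  end
  true
end

# Load the file as Rails does: run it through ERB first, then parse YAML,
# and return the section for the requested environment ({} if absent).
def load_secrets(path, env)
  raw = ERB.new(File.read(path)).result
  (YAML.safe_load(raw) || {})[env] || {}
end

# List required keys that are missing or blank, so a deploy can fail fast
# instead of a nil surfacing somewhere deep in the app at runtime.
def missing_secrets(secrets, required)
  required.select { |k| secrets[k].nil? || secrets[k].to_s.strip.empty? }
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    path = File.join(dir, "secrets.yml")
    puts "created: #{ensure_production_secrets!(path)}"        # true
    puts "created again: #{ensure_production_secrets!(path)}"  # false, left intact
    printf("mode: %o\n", File.stat(path).mode & 0o777)         # 600
    s = load_secrets(path, "production")
    puts "missing: #{missing_secrets(s, %w[secret_key_base aws_bucket_name]).inspect}"

    # The ENV-backed form from the question: blank until the variable is set.
    env_path = File.join(dir, "env_secrets.yml")
    File.write(env_path, "production:\n  secret_key_base: <%= ENV[\"DEMO_SKB\"] %>\n")
    puts "unset env: #{missing_secrets(load_secrets(env_path, "production"), %w[secret_key_base]).inspect}"
  end
end
```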


