Rails: How to fix “Missing secret_key_base for 'production' environment”

Question

I simply can\'t get past the message:

Missing `secret_key_base` for \'production\' environment, set this string with `rails credentials:edit` (ArgumentError)         


        

Answer 1

Avoid putting secret_key_base under environment tag. Put it above it.

This is wrong:

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
   some_other_key: xxx

Try this instead:

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
production:
   some_other_key: xxx

Answer 2

Keep default the secrets.yml file

# config/secrets.yml
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

RAILS_ENV=production SECRET_KEY_BASE=production_test_key rails c

---

If using Rails 5.2.0, add to production env below, check this LINK

config.require_master_key = true    #config/environments/production.rb

Answer 3

config/credentials.yml.enc:

development:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

test:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

production:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

secret_key_base: ZZZZZZZZZ
# `secret_key_base:` must NOT be indented !
# It must be put at the very start of a new line.
# There is also no need for it in development or test environment,
#   since there are no attacks to be expected.

Also make sure that you respect all YAML indention rules (i.e. 2 spaces only) as failing to do so my make loading of this file fail silently.

Answer 4

I experienced this same issue when working on a Rails 5.2 application in production.

I already had other things set up. The problem for me was not that the secret_key_base wasn't set properly, it was rather because of the Passing the environment's name as a regular argument like below is deprecated

rails c RAILS_ENV=production

If you look at your error log generated closely from its top you will see this:

DEPRECATION WARNING: Passing the environment's name as a regular argument is deprecated and will be removed in the next Rails version. Please, use the -e option instead. (called from at bin/rails:9)

To run the rails console in a different environment, use the -e option like this:

rails console -e production

Note: Setting the secret_key_base in the secrets.yml file is not safe, as it's not a secure way of storing the key, please use the encrypted credential.yml file and the master key to decrypt it.

That's all.

I hope this helps

Answer 5

Rails 5.2.0 requires an extra stage for the production environment:

config.require_master_key = true    # in config/environments/production.rb

Without it, Rails still falls back to the legacy secret.yml mechanism (for now).

Engine Yard's Christopher Rigor has written a concise post on it. The relevant piece:

Reading the Credentials

If you want to use the credentials in the production environment, add the following to config/environments/production.rb

config.require_master_key = true

A good read to also see up and down sides.

Note: As @TomDogg found out, Rails 5.2.1 seems again different, so this answer may only apply to 5.2.0.

Answer 6

There are no production: development: and test: environment tags in the credentials file. Further information in this DHH's post: https://github.com/rails/rails/pull/30067

So write directly

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Please don't confuse master key with the secret key base. The master key is used to open the credentials encrypted file.

Switching back to the previous secrets system should not be the solution, nor the accepted answer.