Rails：如何修复“生产环境中缺少 secret_key_base”

Question

I simply can't get past the message:

Missing `secret_key_base` for 'production' environment, set this string with `rails credentials:edit` (ArgumentError)

I have Rails 5.2.0, and ran

EDITOR=vim rails credentials:edit

and inside:

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Save and, in the terminal:

RAILS_ENV=production rails c

Am I missing something? I've restarted the server and got the same issue, but have no issue in development mode.

Answer 1

Keep default the secrets.yml file

# config/secrets.yml
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

development:
  secret_key_base: static_secret_key

test:
  secret_key_base: static_test_secret_key

#not_indented: key for all env in once
secret_key_base: global_key_for_all_env

RAILS_ENV=production SECRET_KEY_BASE=production_test_key rails c

---

If using Rails 5.2.0, add to production env below, check thisLINK

config.require_master_key = true    #config/environments/production.rb

Answer 2

Rails 5.2.0 requires an extra stage for the production environment:

config.require_master_key = true    # in config/environments/production.rb

Without it, Rails still falls back to the legacy secret.yml mechanism (for now).

Engine Yard's Christopher Rigor has written a concise post on it . The relevant piece:

Reading the Credentials

If you want to use the credentials in the production environment, add the following to config/environments/production.rb

 config.require_master_key = true

A good read to also see up and down sides.

Note: As @TomDogg found out, Rails 5.2.1 seems again different, so this answer may only apply to 5.2.0.

Answer 3

config/credentials.yml.enc:

development:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

test:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

production:
  some_username: XXXXXXXXX
  some_password: YYYYYYYYY

secret_key_base: ZZZZZZZZZ
# `secret_key_base:` must NOT be indented !
# It must be put at the very start of a new line.
# There is also no need for it in development or test environment,
#   since there are no attacks to be expected.

Also make sure that you respect all YAML indention rules (ie 2 spaces only) as failing to do so my make loading of this file fail silently.

Answer 4

There are no production: development: and test: environment tags in the credentials file. Further information in this DHH's post: https://github.com/rails/rails/pull/30067

So write directly

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx

Please don't confuse master key with the secret key base. The master key is used to open the credentials encrypted file.

Switching back to the previous secrets system should not be the solution, nor the accepted answer.

Answer 5

Secret_key_base isn't properly setting. It's a known issue not getting enough attention: https://github.com/rails/rails/issues/32947

Generate the keys with:

EDITOR=vim rails credentials:edit

Record the key. Save in config/master.key .

SECRET_KEY_BASE=`cat config/master.key` bin/rails assets:precompile

This is the solution I came to. I really don't like how I've been forced to put it though an environment variable. If someone has more information to bring to my attention on how master.key and such work, please do comment.

Answer 6

Avoid putting secret_key_base under environment tag. Put it above it.

This is wrong:

production:
   secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
   some_other_key: xxx

Try this instead:

secret_key_base: xxxxxxxxxxxxxxxxxxxxxxx
production:
   some_other_key: xxx

Answer 7

I experienced this same issue when working on a Rails 5.2 application in production.

I already had other things set up. The problem for me was not that the secret_key_base wasn't set properly, it was rather because of the Passing the environment's name as a regular argument like below is deprecated

rails c RAILS_ENV=production

If you look at your error log generated closely from its top you will see this:

DEPRECATION WARNING: Passing the environment's name as a regular argument is deprecated and will be removed in the next Rails version. Please, use the -e option instead. (called from at bin/rails:9)

To run the rails console in a different environment, use the -e option like this:

rails console -e production

Note : Setting the secret_key_base in the secrets.yml file is not safe, as it's not a secure way of storing the key, please use the encrypted credential.yml file and the master key to decrypt it.

That's all.

I hope this helps

Answer 8

I ran into this problem when deploying my rails app to dokku using a Dockerfile. My solution:

the file config/secrets.yml references an environment variable:

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

I need to set this variable using the dokku command line (either directly on the server, or using the dokku-cli gem on my development machine):

dokku config:set SECRET_KEY_BASE=blalbalblablahblablah