Rails says secret_key_base is missing but it's in my credentials file

Question

I was in the process of removing my cleartext passwords from config/database.yml and so I used EDITOR="vim" bin/rails credentials:edit to move all the information there instead.

At the top of this, I can see that secret_key_base is already set. So I'm not quite sure why I'm getting the following error when I try to execute the following command: bin/rails db:environment:set RAILS_ENV=production

# bin/rails db:environment:set RAILS_ENV=production                                                                                                                         6:24AM/09.26
rails aborted!
ArgumentError: Missing `secret_key_base` for 'production' environment, set this string with `rails credentials:edit

Just to give a little output of what I see at the top of the file when I use that command to edit the credentials:

# aws:
#   access_key_id: 123
#   secret_access_key: 345

# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.

default: &default
  host: 172.17.0.1
  adapter: mysql2
  encoding: utf8
  pool: 5

development:
  <<: *default
  database: [obfuscated for stackoverflow]
  username: [obfuscated for stackoverflow]
  password: [obfuscated for stackoverflow]

test:
  <<: *default
  database: [obfuscated for stackoverflow]
  username: [obfuscated for stackoverflow]
  password: [obfuscated for stackoverflow]

production:
  <<: *default
  database: [obfuscated for stackoverflow]
  username: [obfuscated for stackoverflow]
  password: [obfuscated for stackoverflow]
  secret_key_base: [obfuscated for stackoverflow]

At first, secret_key_base was the first line in this file, but that still didn't work so I moved it down to under production.

I'm totally confused on how this is all supposed to work. From what I understand, my config/database.yml file is supposed to call the data from the rails encrypted file, is that correct? This is how my database.yml file looks:

default: &default
  host: 172.17.0.1
  adapter: mysql2
  encoding: utf8
  pool: 5

development:
  <<: *default
  database: Rails.application.credentials[Rails.env.to_sym][:database]
  username: Rails.application.credentials[Rails.env.to_sym][:username]
  password: Rails.application.credentials[Rails.env.to_sym][:password]

test:
  <<: *default
  database: Rails.application.credentials[Rails.env.to_sym][:database]
  username: Rails.application.credentials[Rails.env.to_sym][:username]
  password: Rails.application.credentials[Rails.env.to_sym][:password]

production:
  <<: *default
  database: Rails.application.credentials[Rails.env.to_sym][:database]
  username: Rails.application.credentials[Rails.env.to_sym][:username]
  password: Rails.application.credentials[Rails.env.to_sym][:password]
  secret_key_base: Rails.application.credentails[Rails.env.to_sym][:secret_key_base]

but I know something is wrong here, just not sure what...

How do I fix this issue? I'm using Rails 5.2.3 and trying to migrate from using database.yml and use the new method of storing credentials instead.

Answer 1

Since Rails 5.2 the secrets are handles with an encrypted file. The important thing is: There is no environment scope to the secret_key_base. Enter your secret_key_base right on top of that file in lower case letters.

(edit the file from your rails root like e.g. so: EDITOR=vim rails credentials:edit)