3
votes

I created a rails 4.1.4 app which I'm trying to host on heroku, but I get the following error -

Missing secret_key_base for production environment, set this value in config/secrets.yml

My secrets.yml file has secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> under production

I ran rake secret and saved the result in the environment variable SECRET_KEY_BASE. When I log into my app on heroku, I can see that value stored in the Config Variables when I click on settings.

Other solutions have suggested I add config/secrets.yml to git and redeploy to heroku - however I don't wish to add secrets.yml, or any yml file to version control.

Any ideas?

Thanks!

1
Have you tried heroku restart? - Richard Peck
Just did it - still the same error. - user2635088
Hmm okay - have you got any other dependencies running etc? This may be causing the problem - Richard Peck
Sorry but I'm not sure what that means - I have the following config variables on heroku - DATABASE_URL, FACEBOOK_KEY, FACEBOOK_SECRET, HEROKU_POSTGRESQL_COBALT_URL, LANG, RACK_ENV, RAILS_ENV, SECRET_KEY_BASE - user2635088
If secrets.yml is not in your source and not deployed to heroku your app won't know to look in the ENV variable. The whole point is that you can safely add this file as it only has the values for dev and test. - bobomoreno

1 Answer

1
votes

When you deploy to Heroku, you're deploying via Git. Any files that aren't included in your git repository won't be pushed to your server. As a result, it doesn't matter what you have in your secrets.yml right now - it's not being deployed.

There's nothing wrong with committing configuration files or YAML files - the problem is in committing secrets. If you commit your API keys and passwords then you have to trust everyone with access to your source code. That's impossible if your code is on GitHub (because you don't trust everyone on earth with a computer), but is still a bad idea in a small company. You'll be far less stressed if someone leaves, loses their laptop, or gets infected with malware if they don't have production credentials on their machines.

You're already doing the right thing to avoid this. Using environment variables to configure your app keeps those secrets out of your repository, even if those configuration files are committed.
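
The distinction drawn above between committing a configuration file and committing a secret can be checked mechanically. The following Ruby script is an added example, not part of the original answer: it flags literal values under production in a secrets.yml and resolves secret_key_base from the environment by rendering ERB and then parsing YAML. The function names and both sample files are hypothetical and constructed for illustration.

```ruby
require "erb"
require "yaml"

# Constructed sample of a config/secrets.yml that is safe to commit:
# development/test hold throwaway literals, production only reads ENV.
SAFE_SECRETS = <<~YML
  development:
    secret_key_base: dev-only-constructed-value
  test:
    secret_key_base: test-only-constructed-value
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YML

# Constructed counter-example: a literal value under production.
LEAKY_SECRETS = SAFE_SECRETS.sub('<%= ENV["SECRET_KEY_BASE"] %>',
                                 "constructed-literal-not-a-real-key")

# Hypothetical pre-commit check: list production keys whose value is a
# literal rather than an ERB tag. Runs on the raw text, so no secret is read.
def literal_production_keys(raw)
  masked = raw.gsub(/<%=.*?%>/, "__ERB__") # keep the YAML parseable
  production = (YAML.safe_load(masked) || {}).fetch("production", nil) || {}
  production.reject { |_key, value| value == "__ERB__" }.keys
end

# Render ERB first, then parse YAML, and return the production
# secret_key_base. An unset variable renders as an empty value, which
# this function reports as missing.
def production_secret_key_base(raw)
  secrets = YAML.safe_load(ERB.new(raw).result) || {}
  key = secrets.dig("production", "secret_key_base")
  raise KeyError, "Missing secret_key_base for production environment" if key.to_s.empty?
  key
end

if __FILE__ == $PROGRAM_NAME
  puts "safe file, literal production keys:  #{literal_production_keys(SAFE_SECRETS).inspect}"
  puts "leaky file, literal production keys: #{literal_production_keys(LEAKY_SECRETS).inspect}"
end
```
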