Anyone have experience with using RAILS_MASTER_KEY env with GH Actions?
Recently switched to Rails 7 from 6. Using the credentials.yml.enc to store the ActiveRecord encryption stuff. Have set RAILS_MASTER_KEY locally and it works fine. Have confirmed I can encode/decode stuff fine. However when pushing to GH and using our CI (running tests etc.) I come across this error:
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
Caused by:
OpenSSL::Cipher::CipherError:
I have added the ENV to the GH Action but still no dice:
RAILS_MASTER_KEY=${{ secrets.RAILS_MASTER_KEY }}
Then I set the secret in the repo as well, it seems it is not reading it correctly?
The fix I found for this was adding the following to test.rb inside config/environments
config.active_record.encryption.primary_key = "test"
config.active_record.encryption.deterministic_key = "test"
config.active_record.encryption.key_derivation_salt = "test"
Related
I am encoding and decoding JSON web tokens using Rails secret_key_base; my secret_key_base is in the credentials.yml.enc file. In one of the tests, I am using this function to decode JWT. Locally the tests are running fine but on github action it is failing. I found out that the value of Rails.application.credentials.secret_key_base is nil when running the test on github action. I fixed those tests by mocking like this:
allow(Rails.application.credentials).to receive(:secret_key_base).
and_return("secret")
Is there a way I don't have to do this on github action for other credentials? Also, since the master.key was not committed I hoped that I would see this error
ActiveSupport::MessageEncryptor::InvalidMessage
while reading from the credentials file but that also didn't happen.
This is a link to my project if that clears things up.
In Rails 6, you can create credentials.yml.enc file per environment.
In vscode:
EDITOR="code --wait" rails credentials:edit --environment production
EDITOR="code --wait" rails credentials:edit --environment test
It gives you production.key, production.yml.enc, test.key, test.yml.enc.
You can then commit test.key to github for testing or even better, set this key in RAILS_TEST_KEY env.
Though it gets a little bit tricky to maintain both env files. You can create a credentials.yml.example file with empty envs for reference.
I think 'the cleanest/right way' to do this is to add master key(value from config/master.key) into github secrets.
Go to repository settings->secrets(left side menu)->new repository secret.
It makes sense to name it RAILS_MASTER_KEY.
And then in your workflow file add
env:
  RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
And that's it, Rails will be smart enough to use that variable in credentials decryption.
No need to make additional credentials files. For me it's working with only one credentials.yml.enc
EDIT: Even better, if you can skip using credentials, add heroku config variable SECRET_KEY_BASE and in config/application.rb add
config.secret_key_base = ENV['SECRET_KEY_BASE']
and for production use Rails.configuration.secret_key_base,
for test/development Rails.application.secrets.secret_key_base that's set by rails
ex.
SECRET_KEY = Rails.env.production? ? Rails.configuration.secret_key_base : Rails.application.secrets.secret_key_base
This way you don't have to store master key on every machine that's running your app. ex. coworkers, github actions, staging, production.
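Why a key that is missing, malformed, or simply different ends in the OpenSSL::Cipher::CipherError shown in the first question, as an added Ruby example that is not from any of the posts or from Rails itself. It assumes the credentials blob is AES-128-GCM with three Base64 fields joined by "--" and a 32-hex-character key; the helper names and the sample key are constructed for illustration, and the plaintext here is a raw string rather than whatever serialization Rails applies.

```ruby
require "openssl"

# Added example: a simplified model of the assumed layout, not Rails' own reader.
# Base64(ciphertext)--Base64(iv)--Base64(auth_tag), AES-128-GCM, 32-hex-character key.
KEY_FORMAT = /\A\h{32}\z/

# Returns a description of what is wrong with the key string, or nil if it is well-formed.
def key_problem(raw)
  return "RAILS_MASTER_KEY is not set" if raw.nil? || raw.empty?
  return "key has surrounding whitespace, such as a pasted newline" if raw != raw.strip
  return "key is not 32 hex characters" unless raw.match?(KEY_FORMAT)
  nil
end

# Builds a constructed sample blob so the example runs without a real credentials file.
def encrypt_blob(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

def decrypt_blob(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final # raises CipherError when the GCM tag does not verify
end

# Check the key's shape first, then try to decrypt; never prints the key itself.
def preflight(blob, raw_key)
  problem = key_problem(raw_key)
  return [:bad_key, problem] if problem
  [:ok, decrypt_blob(blob, raw_key)]
rescue OpenSSL::Cipher::CipherError
  [:wrong_key, "key is well-formed but does not decrypt this file"]
end

if __FILE__ == $PROGRAM_NAME
  sample_key = "0123456789abcdef0123456789abcdef" # constructed key, not a real secret
  blob = encrypt_blob("secret_key_base: constructed-value", sample_key)
  p preflight(blob, sample_key + "\n") # the failure a pasted newline would cause
  p preflight(blob, sample_key)
end
```

Run as a CI step before the test suite, a check of this shape separates "secret not passed to the job" from "secret passed but does not match the committed file" without echoing the key into the build log.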
I'm working as a part of a team for a school project. We are using Ruby 2.6.5 and Rails 6.0.2.1. I have pulled the master branch from GitHub, but when I try to run the application I get this error:
ArgumentError: Missing secret_key_base for 'production' environment
I have looked online and found that the old solution was to change the config/secrets.yml file, but rails 6 no longer has that file, and instead has an encoded credentials.yml.enc file that has the same functionality. How do I fix this issue?
Rails > 5.2 introduced a new feature for securing credentials. For this rails uses a master.key in config folder which is usually added to .gitignore so that it stays secure and doesn't get pushed to git.
This master.key is used to encrypt or decrypt content from the credentials.yml.enc file which you found.
If you are working on a team then the project creator will have to share this master.key file with you personally or you have to create a new credentials.yml.enc. You can do it using the below command -
EDITOR=vim rails credentials:edit
This will create a new master.key and credentials.yml.enc in your machine but the changes made by your teammates in the credentials.yml.enc will be lost. To avoid that hassle just get the master.key from your teammate and put it in the config folder.
You can try changing the config.require_master_key = true #in config/environments/production.rb
You can go to this link to check this in detail:- https://blog.engineyard.com/rails-encrypted-credentials-on-rails-5.2
I hope this will work for you.
I received the error "An unhandled lowlevel error occurred" when deploying my app for the first time on Heroku, and heroku logs shows:
Missing secret_key_base for 'production' environment, set this value
in config/secrets.yml
1) The default secrets.yml specifies secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> for production
2) I generated a secret using rails secret, then added this to my app's Heroku config via heroku config:set SECRET_KEY_BASE='(the key)'
3) heroku config shows this value set for SECRET_KEY_BASE
4) Perhaps most importantly, based on older questions regarding this error, .gitignore does not include secrets.yml--it's the default .gitignore generated for a Rails 5 app. Therefore, secrets.yml should have been deployed with my app, which specifies that the secret be loaded via an environment variable in the production environment.
5) I've also run heroku ps:restart, in case the app needed some extra help for the environment variable setting to take effect
I read older posts, but the past answer seemed to be ensuring secrets.yml was not included in .gitignore, but as mentioned, this does not apply to the default Rails 5 .gitignore.
What else can I try? Thx.
Edit: When I set the config value at the command line, I also receive the Heroku message:
Setting SECRET_KEY_BASE and restarting (the app)... done
Okay, I see what happened. Running heroku run bash and checking which files were deployed has been enlightening.
It is true that secrets.yml was not in the .gitignore file for my local repo, but it seems that someone--possibly malicious hackers, possibly gremlins--had added secrets.yml to my global .gitignore (.gitignore_global), and so this file was in fact not being pushed to Heroku.
I've removed the secrets file from my global .gitignore, offloaded the dev and test environment secret keys to dotenv for management, and can run my deployed app successfully.
I thought about deleting the question, but will leave it in case others run into this problem, or even a similar one where using heroku run bash may be helpful when diagnosing issues with apps on Heroku.
Came across an issue when deploying a code change to our development environment via Jenkins. The Jenkins build gets stuck while running rake db:migrate on the following code in the initializer folder.
AMQP_URL_PATH = "#{AMQP_CONFIG[:protocol]}://#{AMQP_CONFIG[:user]}:#{Rails.application.secrets[:amqp_api_password]}##{AMQP_CONFIG[:host]}/#{AMQP_CONFIG[:virtual_host]}"
As you can see it is trying to access two yaml files amqp.yml and secrets.yml. I can confirm both files exist on the dev box within the config folder.
Locally, the code produces the following good URL:
amqps://user:password#10.118.1.134/virtualhost
In development, the code only returns ://:#
The Jenkins build error is this:
15:59:21 URI::InvalidURIError: bad URI(is not URI?): ://:#
As you can see none of the interpolated values are making it to the url string when this is running in Jenkins. This is the only change that has occurred in this push and if I hard code the path the build works perfectly. How do I get Jenkins to access these YAML files when running rake tasks during the build deployment?
Development:
Rails 4.2.5
Ruby 2.2.2
Local:
Rails 4.2.5
Ruby 2.2.3
I have recently asked a similar question to this but as the problem has moved on slightly I have decided to create a new question - I hope this is the expected approach?
Having pushed my Rails 4 app to Heroku I keep getting an Internal Server Error Page and the error is:
You must set config.secret_key_base in your app's config
This is happening because my .gitignore file includes the config/initializers/secret_token.rb deliberately.
I have installed the Figaro gem so that I could set my secret_key_base as an environment variable for added security. I have checked on Heroku that the key has been set correctly.
My code for the secret_token.rb is as follows:
MyApp::Application.config.secret_key_base = ENV["SECRET_KEY_BASE"]
However, I'm still getting the same issue.
Can anyone help???
I did something similar to you that worked, but didn't use Figaro. I based it off this blog post
In summary, here's what I did:
1) remove config/initializers/secret_token.rb from your .gitignore
2) Use this code for your secret_token.rb:
MyApp::Application.config.secret_token = if Rails.env.development? or Rails.env.test?
  ('x' * 30) # meets minimum requirement of 30 chars long
else
  ENV['SECRET_TOKEN']
end
3) commit and re-push
4) set Heroku env variable like:
heroku config:set SECRET_TOKEN=12345.....
Worked as soon as Heroku restarted after the config set.
You can set environment variables on heroku:
https://devcenter.heroku.com/articles/config-vars
You need to set SECRET_KEY_BASE environment variable for heroku with this command:
heroku config:set SECRET_KEY_BASE=value
This may help folks using Rails +4.1:
"When deploying a Rails 4.1+ app, Heroku will specify a SECRET_KEY_BASE on
your app by default." (https://blog.heroku.com/container_ready_rails_5)
In other words you won't have to do anything. You can omit secrets.yml (the standard version that is) from your .gitignore file without fear of losing any production related secrets.