Rails 4.1 pushing secrets to heroku

10,222

You've likely got secrets.yml added to your .gitignore. Which makes sense, since you put secret keys in it -- but since Heroku deployment uses git, it never sees your secrets.yml.

One solution is to use the heroku_secrets gem - See https://stackoverflow.com/a/22458102/2831572 .

Another solution is to add secrets.yml to git (i.e. remove it from .gitignore) after replacing all sensitive keys with references to environment variables.
So:

production:
  devise_secret_key: <%= ENV['DEVISE_KEY'] %>

then run heroku config:set DEVISE_KEY='7658699e0f765e8whatever'
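
A pre-deploy check for the approach in the answer above, as an added example that is not part of the original answer: it reads a committed secrets.yml without rendering ERB, lists keys that still hold literal values, and lists referenced environment variables that are unset. The sample file, the `audit_secrets` helper and the `ENV_REF` pattern are assumptions for illustration; only the `ENV['NAME']` form is recognised.

```ruby
require "yaml"

# Constructed sample of a committed config/secrets.yml (not the asker's real file).
SAMPLE_SECRETS = <<~'SECRETS'
  development:
    devise_secret_key: dev-only-placeholder
  production:
    devise_secret_key: <%= ENV['DEVISE_KEY'] %>
    secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
    api_token: 'hardcoded-value'
SECRETS

# A value counts as an environment reference only if it is exactly one ENV['NAME'] tag.
ENV_REF = /\A<%=\s*ENV\[\s*['"]([A-Za-z0-9_]+)['"]\s*\]\s*%>\z/

# Hypothetical helper: inspects one stage of secrets.yml without rendering ERB.
# Returns { literal: [keys whose value is committed in the file],
#           missing: [referenced variable names that are unset or empty in env] }.
def audit_secrets(source, stage, env = ENV)
  # Unrendered ERB tags are plain YAML strings, so the raw file parses as-is.
  entries = YAML.safe_load(source).fetch(stage, nil) || {}
  report = { literal: [], missing: [] }
  entries.each do |key, value|
    ref = ENV_REF.match(value.to_s.strip)
    if ref.nil?
      report[:literal] << key
    elsif env[ref[1]].to_s.empty?
      report[:missing] << ref[1]
    end
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  # Constructed environment: only DEVISE_KEY has been set with `heroku config:set`.
  report = audit_secrets(SAMPLE_SECRETS, "production", { "DEVISE_KEY" => "constructed-value" })
  puts "literal values committed to git: #{report[:literal].join(', ')}"
  puts "environment variables not set:   #{report[:missing].join(', ')}"
end
```

Run against the real file with `audit_secrets(File.read("config/secrets.yml"), "production")` in an environment that mirrors the Heroku config vars; a non-empty `:literal` list means a secret is still stored in the repository.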

Author by

Christian Flores

Updated on June 04, 2022

Comments

  • Christian Flores
    Christian Flores almost 2 years

    Rails 4.1.0.beta1 and Devise.

    I'm trying to remove all of my keys from version control and I've upgraded to Rails 4.1 to give this new secrets.yml a shot

    Trying to push Devise's config.secret_key to heroku but it's failing after assets:precompile

    Preparing app for Rails asset pipeline
           Running: rake assets:precompile
           rake aborted!
           Devise.secret_key was not set. Please add the following to your Devise initializer:
           config.secret_key = 'EXAMPLE_KEY_HERE'
           Please ensure you restarted your application after installing Devise or setting the key.
    

    Here are my changes, the old code I'll leave in comments. (it works)

    devise.rb

      # config.secret_key = 'THIS_IS_A_FAKE_KEY' #<---this_is_commented_out
      config.secret_key = Rails.application.secrets.devise_secret_key
    

    secrets.yml

    production:
      devise_secret_key: 'THIS_IS_A_FAKE_KEY'
    

    then ran heroku labs:enable user-env-compile -a myapp (not sure if that's necessary)

    and then when I push to my forked heroku environment git push forked master I get the above error.

    I also noticed some discussion on this in this Devise repo so I figured I'd update my gem alongside the source repo, no difference. Here's part of that discussion (here).

  • Jay
    Jay almost 10 years
    Wish Heroku let you upload non-repo files to merge into the slug, I wanted to use secrets.yml with no ENV vars. Maybe you can somehow commit locally and force push to heroku only, then revert to not including secrets.yml when pushing elsewhere (every time you deploy...) Or better yet, just commit the file to the heroku remote and not even locally (pretty sure that's impossible tho)
  • ahnbizcad
    ahnbizcad almost 10 years
    the second method seems pretty... silly. the whole point of the secrets file was to put your keys in there, right?
  • mc9
    mc9 over 9 years
    @gwho Yeah, I think the second method defeats the purpose of the secrets.yml file.
  • neonmate
    neonmate about 9 years
    Don't add the secrets.yml to git. Use rake heroku:secrets RAILS_ENV=production to transfer your secrets to the Heroku environment variables. If you'd like to help other developers get started fast with your application, add a file secrets.yml.sample to your repository with all the keys, but without values, as you may know from database.yml. Figaro is useless for Rails 4, since it is MUCH easier for other deploys / use cases (e.g. gem capistrano-secrets-yml).