Rails 6: How to use multi-environment credentials
Rails 6.0 adds support for multi-environment credentials. Here’s a quick summary of how it works:
By default, behavior is the same as Rails 5.2. To configure credentials for another environment, just add --environment <env>.
Available commands
rails credentials:show [--environment <env>]
rails credentials:edit [--environment <env>]
rails credentials:help
Example: rails credentials:edit --environment production
(Hint: RAILS_ENV=<env> rails credentials:show won’t work. --environment must be used instead.)
How Rails behaves
Rails continues to use the 5.2-compatible files (config/master.key & config/credentials.yml.enc) in the absence of an environment-specific file.
If an environment-specific file is available, then that is used instead (and the default file is ignored – they are not merged). This is convenient when you want multiple environments, e.g. development and test, to both use the same file. In this example, use the default file for those two environments, and then provide an environment-specific file for production only.
For reference, Rails will look in the following places for the master key for decryption:
ENV['RAILS_MASTER_KEY']
config/credentials/<env>.key
config/master.key
And it will look for the actual encrypted credentials at these locations:
config/credentials/<env>.yml.enc
config/credentials.yml.enc
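The lookup described above can be checked against a real directory tree before a deploy. The script below is an added example, not Rails' own code: it models the two lists exactly as given here, and the `resolve_credentials` and `demo_layout` helpers and the `mismatched` heuristic are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Model of the lookup lists above (illustrative, not Rails internals).
# root: app root; env: environment name; environment: hash standing in for ENV.
def resolve_credentials(root, env, environment = ENV)
  env_key  = File.join("config", "credentials", "#{env}.key")
  env_file = File.join("config", "credentials", "#{env}.yml.enc")
  exists   = ->(rel) { File.exist?(File.join(root, rel)) }

  key_source =
    if !environment["RAILS_MASTER_KEY"].to_s.empty? then "ENV['RAILS_MASTER_KEY']"
    elsif exists.(env_key)                           then env_key
    elsif exists.("config/master.key")               then "config/master.key"
    end

  content =
    if exists.(env_file)                        then env_file
    elsif exists.("config/credentials.yml.enc") then "config/credentials.yml.enc"
    end

  # Heuristic (assumption): an environment-specific file paired with the
  # default key, or the reverse, suggests a key was not deployed with its file.
  mismatched = key_source != "ENV['RAILS_MASTER_KEY']" && !key_source.nil? &&
               !content.nil? && (key_source == env_key) != (content == env_file)

  { key: key_source, content: content, mismatched: mismatched }
end

# Constructed sample layout: default files plus a production-only pair.
def demo_layout
  root = Dir.mktmpdir("creds-demo")
  FileUtils.mkdir_p(File.join(root, "config", "credentials"))
  %w[config/master.key config/credentials.yml.enc
     config/credentials/production.key
     config/credentials/production.yml.enc].each do |rel|
    File.write(File.join(root, rel), "placeholder")
  end
  root
end

if __FILE__ == $PROGRAM_NAME
  root = demo_layout
  %w[development test production].each do |env|
    puts "#{env}: #{resolve_credentials(root, env, {})}"
  end
  FileUtils.remove_entry(root)
end
```

With the constructed layout, development and test resolve to the default pair and production resolves to its own pair, matching the "not merged" behavior described above.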