Merge pull request #33962 from kaspth/restructure-environment-credentials

Restructure credentials after environment overrides.

1 files changed, 15 insertions, 6 deletions

diff --git a/railties/lib/rails/commands/credentials/USAGE b/railties/lib/rails/commands/credentials/USAGE
index 6b33d1ab74..d235592f46 100644
--- a/railties/lib/rails/commands/credentials/USAGE
+++ b/railties/lib/rails/commands/credentials/USAGE
@@ -41,9 +41,18 @@ from leaking.
 
 === Environment Specific Credentials
 
-It is possible to have credentials for each environment. If the file for current environment exists it will take
-precedence over `config/credentials.yml.enc`, thus for `production` environment first look for
-`config/credentials/production.yml.enc` that can be decrypted using master key taken from `ENV["RAILS_MASTER_KEY"]`
-or stored in `config/credentials/production.key`.
-To edit given file use command `rails credentials:edit --environment production`
-Default paths can be overwritten by setting `config.credentials.content_path` and `config.credentials.key_path`.
+The `credentials` command supports passing an `--environment` option to create an
+environment specific override. That override will takes precedence over the
+global `config/credentials.yml.enc` file when running in that environment. So:
+
+   rails credentials:edit --environment development
+
+will create `config/credentials/development.yml.enc` with the corresponding
+encryption key in `config/credentials/development.key` if the credentials file
+doesn't exist.
+
+The encryption key can also be put in `ENV["RAILS_MASTER_KEY"]`, which takes
+precedence over the file encryption key.
+
+In addition to that, the default credentials lookup paths can be overriden through
+`config.credentials.content_path` and `config.credentials.key_path`.