Consume secret inside dockerfile

12/2/2019

Is it possible to access docker secrets inside a dockerfile? I was thinking of passing the SECRET as a build ARG, like so:

docker-compose:

version: '3.5'
services:
  service:
    ...
    build:
      ...
      args:
        SECRET: ${SECRET}
    ...

dockerfile:

FROM image
ARG SECRET
RUN script-${SECRET}

Note: the container is built in Kubernetes; I cannot pass any arguments to the build command or perform any command at all.

Edit note: It is okay to pass SECRET as an ARG because this is not sensitive data. I'm using SECRETS to access microservice data, and I can only store data using secrets. Think of this as the machine environment.

-- Gustavo Santamaría
docker
docker-compose
dockerfile
kubernetes

4 Answers

12/4/2019

Secrets are available only after the build is completed. So the answer is no, secrets cannot be consumed inside the dockerfile. You can consume them after the build is complete, for example in an entrypoint file that is executed when the image is run.

-- Gustavo Santamaría
Source: StackOverflow

12/2/2019

Yes to passing secret data as ARG if you need to access the secret during the container build; you have no (!?) alternative.

ARG values are only available for the duration of the build so you need to be able to trust the build process and that it is cleaned up appropriately at its conclusion; if a malicious actor were able to access the build process (or after the fact), it could access the secret data.

It's curious that you wish to use the secret as script-${SECRET} as I assumed the secret would be used to access an external service. Someone would be able to determine the script name from the resulting Docker image and this would expose your secret.

-- DazWilkin
Source: StackOverflow

12/2/2019

ARG is a build-time argument. You want to keep Secrets secret and not write them into the artifacts. Keep secrets in external environment variables or in external files.

docker run -e SECRET_NAME=SECRET_VALUE

and in docker-compose:

services:
  app-name:
    environment:
    - SECRET_NAME=YOUR_VALUE

or

services:
  app-name:
    env_file:
    - secret-values.env

Kubernetes

When you run exactly the same container image in Kubernetes, you mount the secret from a Secret object.

  containers:
  - name: app-name
    image: app-image-name
    env:
      - name: SECRET_NAME
        valueFrom:
          secretKeyRef:
            name: name-of-secret-object
            key: token

-- Jonas
Source: StackOverflow
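The approach in this answer and in the first one (inject the secret at run time, read it in an entrypoint), in working form. This is an added example and not code from any answer on this page: a POSIX sh entrypoint helper that resolves a secret from a mounted file first (Compose `secrets:`, a Kubernetes Secret mounted as a volume) and from an environment variable (`docker run -e`, compose `environment:`/`env_file:`, `secretKeyRef`) second, and fails closed when neither exists. The variable names (DB_PASSWORD, API_TOKEN), the `_FILE` suffix convention, the SECRETS_DIR override and the application path are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the question or any answer): resolve a secret at
# run time, after the image is built, instead of baking it in with ARG.
# Lookup order (all conventions assumed by this example):
#   1. $<NAME>_FILE        path of a file holding the secret (Compose
#                          `secrets:`, a Kubernetes Secret mounted as a volume)
#   2. $SECRETS_DIR/<name> default secret mount directory, /run/secrets
#   3. $<NAME>             plain environment variable (docker run -e,
#                          compose `environment:`/`env_file:`, secretKeyRef)
# A file is preferred because an environment value is also visible in
# `docker inspect` and in /proc/<pid>/environ of every child process.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# load_secret NAME: print the secret on stdout; return 1 and print nothing on
# stdout when it cannot be found, so the caller can fail closed.
load_secret() {
    name="$1"
    # $name is an identifier chosen by this script, never external input,
    # so the eval-based indirect expansion is not an injection risk.
    eval "file_path=\${${name}_FILE:-}"
    if [ -z "$file_path" ]; then
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        file_path="$SECRETS_DIR/$lower"
    fi
    if [ -r "$file_path" ]; then
        # command substitution in the caller strips the trailing newline
        # that editors and `echo` usually leave in secret files
        cat "$file_path"
        return 0
    fi
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
        printf '%s' "$value"
        return 0
    fi
    printf 'load_secret: no secret available for %s\n' "$name" >&2
    return 1
}

# Demonstration on a constructed fixture: one secret mounted as a file, one
# supplied only through the environment, one missing. Values are never echoed.
demo() {
    tmp=$(mktemp -d)
    printf 'file-s3cret\n' > "$tmp/db_password"   # constructed mounted secret
    API_TOKEN='env-t0ken'                          # constructed env secret
    saved_dir="$SECRETS_DIR"; SECRETS_DIR="$tmp"
    for n in DB_PASSWORD API_TOKEN MISSING; do
        if v=$(load_secret "$n" 2>/dev/null); then
            printf '%s: found (%d chars)\n' "$n" "${#v}"
        else
            printf '%s: absent, refusing to start\n' "$n"
        fi
    done
    SECRETS_DIR="$saved_dir"; rm -rf "$tmp"
}
demo

# In a real entrypoint (application path assumed): resolve, then exec the app
# so it becomes PID 1 and receives signals directly.
#   DB_PASSWORD=$(load_secret DB_PASSWORD) || exit 1
#   export DB_PASSWORD
#   exec /app/server
```

The same image runs unchanged under `docker run`, Compose and Kubernetes; only the injection mechanism differs, which is what keeps the secret out of the image layers.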

12/2/2019

The secrets should be used at run time and provided by the execution environment.

Also everything that is executing during a container build is written down as layers and available later to anyone who is able to get access to an image. That's why it's hard to consume secrets during the build in a secure way.

In order to address this, Docker recently introduced a special option --secret

docker build --secret id=mysecret,src=mysecret.txt ...

that works together with RUN --mount directive:

RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

-- Slava Semushin
Source: StackOverflow
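One way to enforce this answer's point in CI, as an added example that is not part of the answer or of any Docker tooling: a POSIX sh check that scans a Dockerfile for secret-looking ARG/ENV names and for RUN lines that expand such variables, and accepts the `RUN --mount=type=secret` form. It also writes the two Dockerfile variants it is run against: the question's ARG pattern and the BuildKit secret mount from this answer. The name pattern, the `./script-...` and `./setup.sh` invocations, the base image tag and the fixture file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the question or any answer: a CI check for
# Dockerfiles that carry secrets through ARG/ENV (both are recorded in the
# image configuration and shown by `docker history`), next to the BuildKit
# secret-mount form. Pattern and fixtures below are constructed.

SECRET_NAME_PATTERN='SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY'

# scan_dockerfile FILE: print one finding per line, return 1 if any were found.
scan_dockerfile() {
    awk -v pat="$SECRET_NAME_PATTERN" '
        BEGIN { found = 0 }
        {
            # join backslash continuation lines so a multi-line RUN step
            # is judged as one instruction
            line = $0
            while (sub(/\\$/, "", line) && (getline nxt) > 0) line = line " " nxt
            u = toupper(line)
            split($2, kv, "=")
            if (u ~ ("^[ \t]*(ARG|ENV)[ \t]+[A-Z0-9_]*(" pat ")")) {
                # the value survives in image metadata and `docker history`
                printf "%s:%d: %s %s looks like a secret and is recorded in the image\n", FILENAME, NR, toupper($1), kv[1]
                found = 1
            } else if (u ~ "^[ \t]*RUN" && u !~ "--MOUNT=TYPE=SECRET" && u ~ ("[$][{]?[A-Z0-9_]*(" pat ")")) {
                printf "%s:%d: RUN expands a secret-looking variable; use RUN --mount=type=secret\n", FILENAME, NR
                found = 1
            }
        }
        END { exit found }
    ' "$1"
}

# write_fixtures DIR: the question's ARG pattern ("before") and the BuildKit
# secret mount ("after"); both files are constructed for this example.
write_fixtures() {
    cat > "$1/Dockerfile.arg" <<'EOF'
FROM alpine:3.19
ARG SECRET
RUN ./script-${SECRET}
EOF
    # The secret file exists only inside this RUN step and is written to no
    # layer. Build with:
    #   DOCKER_BUILDKIT=1 docker build --secret id=mysecret,src=mysecret.txt .
    cat > "$1/Dockerfile.secret" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN --mount=type=secret,id=mysecret \
    SECRET="$(cat /run/secrets/mysecret)" ./setup.sh
EOF
}

# Demonstration: write both fixtures and scan them.
work=$(mktemp -d)
write_fixtures "$work"
if scan_dockerfile "$work/Dockerfile.arg"; then
    echo "Dockerfile.arg: accepted (unexpected)"
else
    echo "Dockerfile.arg: rejected"
fi
if scan_dockerfile "$work/Dockerfile.secret"; then
    echo "Dockerfile.secret: accepted"
fi
rm -rf "$work"
```

The check is deliberately conservative: it only looks at the variable name, so a secret passed under an innocuous name slips through, and an `ENV` line declaring several `KEY=value` pairs is only judged by its first pair. After building the hardened variant, `docker history` of the resulting image is the place to confirm that no secret value was recorded.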