vm:docker:secret

About

This page is about secret management in Docker.

Type

Creation of a container

Mount a volume

During the creation of a container, you can mount a path

Environment variable

Don't pass them as environment variable or command line argument, as with the inspect command, it's possible to get them via a orchestrator.

docker container inspect core-portainer-1

[
    {
        "Args": [
            "-H",
            "unix:///var/run/docker.sock",
            "--http-enabled"
        ],
        "Config": {
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "SECRET=welcome123"
            ],
            "Cmd": [
                "-H",
                "unix:///var/run/docker.sock",
                "--http-enabled"
            ],
       }
   }
]

Compose Secrets

services:
  frontend:
    image: example/webapp
    secrets:
      - server-certificate

secrets:
  server-certificate:
    external: true

During a image build

During a build from a Dockerfile, you can use the RUN instruction to:

mount secret ¹⁾ so that they are not stored into the image

Example:

RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
  aws s3 cp s3://... ...

mount a ssh agent ²⁾ so that you get access to the key

Example:

RUN --mount=type=ssh \
  ssh -q -T [email protected] 2>&1 | tee /hello

¹⁾

https://docs.docker.com/reference/dockerfile/#run---mounttypesecret

²⁾

https://docs.docker.com/reference/dockerfile/#run---mounttypessh

Table of Contents