Docker - Secret


About

This page is about secret management in Docker.

Type

Docker RUN: Creation of a container

During the creation of a container, you can:

  • mount a path that holds the secret as a file, instead of passing the secret value itself

Environment variable

Don't pass secrets as environment variables or command-line arguments: anyone who can run the inspect command (directly or through an orchestrator) can read them in clear text.

docker container inspect core-portainer-1
[
    {
        "Args": [
            "-H",
            "unix:///var/run/docker.sock",
            "--http-enabled"
        ],
        "Config": {
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "SECRET=welcome123"
            ],
            "Cmd": [
                "-H",
                "unix:///var/run/docker.sock",
                "--http-enabled"
            ]
        }
    }
]
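The leak shown above can be audited mechanically. The following script is an added example (not part of the original page): it parses `docker container inspect` output, reports Env variables whose names look like credentials (the regex is an assumed heuristic), and lists secrets that are mounted as files instead. The embedded sample is constructed, not real inspect output.

```python
"""Audit `docker container inspect` output: credentials passed as environment
variables (readable by anyone who can run inspect) versus secrets mounted as files."""
import json
import re
import sys

# Heuristic: variable names that usually carry a credential (assumed list, extend as needed).
SENSITIVE_NAME = re.compile(r"(SECRET|PASS(WORD|WD)?|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)

# Constructed sample (not real inspect output): the leaked SECRET from the page,
# plus one secret correctly mounted as a file for contrast.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/core-portainer-1",
    "Config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "SECRET=welcome123",
        ],
    },
    "Mounts": [
        {"Type": "bind", "Source": "/srv/db_pass", "Destination": "/run/secrets/db_pass"},
    ],
}])


def audit_inspect(inspect_json: str) -> dict:
    """Return {'exposed_env': [(container, VAR)], 'file_secrets': [(container, path)]}.
    Only variable names are reported, so the audit output does not itself leak values."""
    exposed, files = [], []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        # Config.Env is null when a container has no environment at all.
        for entry in container.get("Config", {}).get("Env") or []:
            var, _, _value = entry.partition("=")
            if SENSITIVE_NAME.search(var):
                exposed.append((name, var))
        for mount in container.get("Mounts") or []:
            if mount.get("Destination", "").startswith("/run/secrets/"):
                files.append((name, mount["Destination"]))
    return {"exposed_env": exposed, "file_secrets": files}


if __name__ == "__main__":
    # Real usage: docker container inspect <name> | python audit_secrets.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    report = audit_inspect(data)
    for container, var in report["exposed_env"]:
        print(f"[EXPOSED] {container}: env {var} is readable via docker inspect")
    for container, path in report["file_secrets"]:
        print(f"[ok]      {container}: secret mounted as a file at {path}")
```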

Compose Secrets

services:
  frontend:
    image: example/webapp
    secrets:
      - server-certificate

secrets:
  server-certificate:
    external: true

Dockerfile RUN: Build from an image

During a build from a Dockerfile, you can

  • mount a secret so that it is not stored in the image layers

Example:

RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
  aws s3 cp s3://... ...

  • mount an SSH agent socket so that the build gets access to the key

Example:

RUN --mount=type=ssh \
  ssh -q -T [email protected] 2>&1 | tee /hello