
I am new to Docker, so please forgive my elementary question. I am confused as to the best way to pass secrets into the Docker container environments. I am using Docker-Compose and do not want to use more complex platforms such as Kubernetes because I am hosting a very simple Django Rest Framework application.

I understand the concepts of Docker Compose Secrets but what I do not understand is how you securely provide the file with the secret in the first place. The Docker Image would ordinarily be built from a GitHub repo, but I do not want to expose the secret in the file in the repo that would be passed into the Docker Image.

For example, let’s say I want to store my Django secret key. I would pass it into Docker Compose like so:

services:
  myapp:
    image: myapp:latest
    secrets:
      - django_secret_key
secrets:
  django_secret_key:
    file: ./my_django_secrets.txt

What I cannot understand is how you pass my_django_secrets.txt into the build WITHOUT exposing it in the Git repo. I come from a background of using local .env files and setting environment variables on the end server, but I cannot figure out the best way to replicate this inside Docker.

Thank you in advance for your help!

3 Answers


  1. You have to understand that secrets work in the same variable declaration process.
    You will pass this key value in the server file and address it through the docker file. So you must reference the secrets there.

  2. You can use a custom cipher / encryption in combination with base64 encoding, and then decrypt + decode.

    The cipher can be a simple byte shift / rotation such as a Caesar cipher.

    This is a low-cost strategy, but good enough to obfuscate secrets.

    One important point is that encoder and decoder code must be a restricted library and should be inaccessible without explicit permissions.

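The caveat a practitioner will want on the answer above, as an added example that is not code from the answer or from any project: a byte rotation plus base64 is an encoding, not encryption. There is no key of any strength, so anyone who can read the stored blob (a committed file, an image layer, the container filesystem) recovers the secret by trying all 256 rotations; keeping the encoder/decoder in a "restricted library" does not help, because the blob itself describes the scheme. The function names, the shift and the sample secret below are made up for the demonstration.

```python
"""Added example: recovering a base64 + byte-rotation "obfuscated" secret
without the shift value. Not code from the answer above."""
import base64
import string

# Characters a human-readable secret is expected to consist of.
PRINTABLE = set(string.printable)


def obfuscate(secret, shift):
    """The scheme the answer proposes: rotate every byte by `shift`,
    then base64-encode the result."""
    rotated = bytes((b + shift) % 256 for b in secret.encode("utf-8"))
    return base64.b64encode(rotated).decode("ascii")


def recover(blob):
    """Return every (shift, plaintext) pair whose reverse rotation yields
    printable ASCII. No key is involved: there are only 256 shifts to try,
    and the true secret is always among the survivors."""
    rotated = base64.b64decode(blob)
    candidates = []
    for shift in range(256):
        raw = bytes((b - shift) % 256 for b in rotated)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # non-ASCII bytes: not a readable secret under this shift
        if text and all(c in PRINTABLE for c in text):
            candidates.append((shift, text))
    return candidates


def demo():
    """Constructed sample run: obfuscate a made-up secret with an unknown
    shift, then show it is recovered among at most 256 candidates."""
    secret = "django-secret-key-12345"  # sample value, not a real key
    blob = obfuscate(secret, 13)
    candidates = recover(blob)
    return (13, secret) in candidates, len(candidates)


if __name__ == "__main__":
    found, count = demo()
    print(f"secret recovered: {found}, candidates to inspect: {count}")
```

Run against a real blob, the survivors are a short list a person scans in seconds; compare that with Docker's own secrets mechanism in the next answer, which keeps the plaintext out of the repository and the image entirely rather than hiding it in plain sight.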
  3. how would the process look ideally? Once I submit the source files (including Dockerfile and Docker-compose) and have GitHub Actions assemble the image, how does the my_django_secrets eventually get passed in?

    Your compose file has nothing to do with building your image. Only the Dockerfile is required for that stage. Your repository would contain your Dockerfile and compose.yaml files, and your GitHub action would use docker build to build and push the image somewhere (here is a github action that I use to build and push container images to github’s container repository).

    Locally — or wherever you want to run the image — you would run docker compose up. This would pull the image and start a container, and would apply any secrets, volume mounts, bind mounts, environment variables, etc.

    So for example, my_django_secrets.txt would not be included in the repository. This would only exist locally. Given the configuration you show in your question…

    services:
      myapp:
        image: myapp:latest
        secrets:
          - django_secret_key
    secrets:
      django_secret_key:
        file: ./my_django_secrets.txt
    

    …then the secret would be exposed in the container as the file /run/secrets/django_secret_key.


    You can accomplish something similar using environment variables. Given a compose file like this:

    services:
      myapp:
        image: myapp:latest
        environment:
          DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY}
    

    If you have a local .env file that contains:

    DJANGO_SECRET_KEY=secret
    

    Then after running docker compose up, in your container the variable DJANGO_SECRET_KEY would be available with the value secret.

    In this example, that .env file would not be part of the repository; you would create it locally or wherever you are running the container.

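The application side of the setup the answer above describes, as an added example that is not code from the answer, from Django or from Compose: a loader for settings.py that reads the key from the file Compose mounts under /run/secrets, falls back to the DJANGO_SECRET_KEY variable from the .env approach, and refuses to start on a missing or weak key rather than silently using a default. The directory and environment are parameters so the loader can be exercised against a constructed temporary directory; SAMPLE_KEY, demo() and the secrets_dir/env parameters are assumptions of this example. Note that the key is not needed at docker build time at all, so keep it out of ARG and ENV in the Dockerfile, where it would be recorded in the image layers.

```python
"""Added example: Django SECRET_KEY loader for the Compose secrets / .env
setup described above. Not code from the answer, Django or Compose."""
import os
import tempfile
from pathlib import Path

# Where Docker Compose mounts file-based secrets inside the container.
DEFAULT_SECRETS_DIR = Path("/run/secrets")

# Django's security.W009 check flags keys shorter than MIN_LENGTH, with
# fewer than MIN_UNIQUE distinct characters, or starting with the prefix.
MIN_LENGTH = 50
MIN_UNIQUE = 5
INSECURE_PREFIX = "django-insecure-"

# Constructed sample value for the demo, not a real key.
SAMPLE_KEY = "k3y5-" * 12  # 60 chars, 5 distinct characters


class SecretNotFound(RuntimeError):
    """No source provided the secret; fail closed instead of using a default."""


def read_secret(name, secrets_dir=DEFAULT_SECRETS_DIR, env=None):
    """Return secret `name` from <secrets_dir>/<name>, else from the NAME
    environment variable, else raise SecretNotFound.

    The file is tried first: environment variables show up in `docker
    inspect`, /proc/<pid>/environ and every child process, while the mounted
    file is readable only from inside the container.
    """
    env = os.environ if env is None else env
    secret_file = Path(secrets_dir) / name
    if secret_file.is_file():
        # `echo key > my_django_secrets.txt` leaves a trailing newline; strip it.
        value = secret_file.read_text(encoding="utf-8").strip()
        if value:
            return value
    value = env.get(name.upper(), "").strip()
    if value:
        return value
    raise SecretNotFound(f"{name!r}: no {secret_file} and no ${name.upper()} set")


def django_secret_key(secrets_dir=DEFAULT_SECRETS_DIR, env=None):
    """SECRET_KEY loader for settings.py that applies Django's W009 rules at
    startup rather than only when `manage.py check --deploy` is run."""
    key = read_secret("django_secret_key", secrets_dir, env)
    if (len(key) < MIN_LENGTH or len(set(key)) < MIN_UNIQUE
            or key.startswith(INSECURE_PREFIX)):
        raise ValueError("django_secret_key fails Django's security.W009 check")
    return key


def demo():
    """Exercise the loader against a constructed secrets directory and
    return what was observed, so the behaviour can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secrets_dir = Path(tmp)
        # Mimic Compose mounting ./my_django_secrets.txt, newline included.
        (secrets_dir / "django_secret_key").write_text(SAMPLE_KEY + "\n", encoding="utf-8")
        results["from_file"] = read_secret("django_secret_key", secrets_dir, env={})
        # A mounted file takes precedence over a same-named variable.
        results["file_beats_env"] = read_secret(
            "django_secret_key", secrets_dir, env={"DJANGO_SECRET_KEY": "env-value"})
        # No file present: the .env-style variable is used.
        results["from_env"] = read_secret(
            "django_secret_key", secrets_dir / "absent", env={"DJANGO_SECRET_KEY": "env-value"})
        try:
            read_secret("django_secret_key", secrets_dir / "absent", env={})
            results["missing_raises"] = False
        except SecretNotFound:
            results["missing_raises"] = True
        results["strong_ok"] = django_secret_key(secrets_dir, env={}) == SAMPLE_KEY
        try:
            django_secret_key(secrets_dir / "absent",
                              env={"DJANGO_SECRET_KEY": INSECURE_PREFIX + "a1b2c3" * 10})
            results["weak_rejected"] = False
        except ValueError:
            results["weak_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

In settings.py this becomes `SECRET_KEY = django_secret_key()`, and the same read_secret() serves database passwords or API tokens declared as further entries under `secrets:` in compose.yaml. Neither my_django_secrets.txt nor .env is committed; both live only on the host that runs `docker compose up`, which is exactly the split between build and run that the answer describes.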