build: run mount secrets as env
Signed-off-by: David Karlsson <[email protected]>
dvdksn committed Sep 10, 2024
1 parent df66fbd commit 9462420
Showing 3 changed files with 34 additions and 18 deletions.
43 changes: 30 additions & 13 deletions content/manuals/build/building/secrets.md
Expand Up @@ -16,16 +16,14 @@ secret mounts or SSH mounts, which expose secrets to your builds securely.

## Secret mounts

Secret mounts expose secrets to the build containers as files. You [mount the
secrets to the `RUN`
instructions](/reference/dockerfile.md#run---mounttypesecret) that
Secret mounts expose secrets to the build containers, as files or environment
variables. You can use secret mounts to pass sensitive information to your
builds, such as API tokens, passwords, or SSH keys. You [mount the secrets to
the `RUN` instructions](/reference/dockerfile.md#run---mounttypesecret) that
need to access them, similar to how you would define a bind mount or cache
mount.

```dockerfile
RUN --mount=type=secret,id=mytoken \
TOKEN=$(cat /run/secrets/mytoken) ...
```
### Passing secrets

To pass a secret to a build, use the [`docker build --secret`
flag](/reference/cli/docker/buildx/build.md#secret), or the
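Review bot: with the `RUN --mount=type=secret,id=mytoken` / `TOKEN=$(cat /run/secrets/mytoken)` snippet removed, the Secret mounts intro no longer shows any Dockerfile usage before it moves on to "Passing secrets"; either keep a minimal snippet here or add a sentence pointing readers to the Target section, where the file and `env` forms are shown. Also, the new paragraph lists "SSH keys" among the things to pass via secret mounts while the page has a dedicated SSH mounts section for exactly that; consider dropping it from the list or cross-referencing that section.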
Expand Down Expand Up @@ -82,21 +80,40 @@ $ docker build --secret id=API_TOKEN .

### Target

By default, secrets are mounted to `/run/secrets/<id>`. You can customize the
mount point in the build container using the `target` option in the Dockerfile.
By default, secrets are mounted as files located at `/run/secrets/<id>`. You
can customize how the secrets get mounted in the build container using the
`target` and `env` options for the `RUN --mount` flag in the Dockerfile.

The following example mounts the secret to a `/root/.aws/credentials` file in
the build container.
The following example takes secret id `aws` and mounts it to `/run/secrets/aws`
in the build container.

```console
$ docker build --secret id=aws,src=/root/.aws/credentials .
```dockerfile
RUN --mount=type=secret,id=aws \
AWS_SHARED_CREDENTIALS_FILE=/run/secrets/aws \
aws s3 cp ...
```

To mount a secret as a file with a different name, use the `target` option in
the `--mount` flag.

```dockerfile
RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
aws s3 cp ...
```

To mount a secret as an environment variable instead of a file, use the
`env` option in the `--mount` flag.

```dockerfile
RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \
--mount=type=secret,id=aws-secret-key,env=AWS_SECRET_ACCESS_KEY \
--mount=type=secret,id=aws-session-token,env=AWS_SESSION_TOKEN \
aws s3 cp ...
```

It's possible to use the `target` and `env` options together to mount a secret
as both a file and an environment variable.

## SSH mounts

If the credential you want to use in your build is an SSH agent socket or key,
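Review bot: the `$ docker build --secret id=aws,src=/root/.aws/credentials .` command is dropped, but the three Dockerfile snippets that follow still reference secret ids (`aws`, `aws-key-id`, `aws-secret-key`, `aws-session-token`) without showing how they are supplied to the build; keep that console line (or add one for the `env` example) so the section stays self-contained. Two smaller points: the closing sentence says `target` and `env` can be combined but gives no example, and a single line such as `RUN --mount=type=secret,id=aws,target=/root/.aws/credentials,env=AWS_CREDS ...` would do; and since the `env` option is newer than the file form, note the minimum Dockerfile frontend version it needs and state explicitly whether the variable persists beyond that `RUN` instruction, because that is the property readers will care about for secrets.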
6 changes: 3 additions & 3 deletions content/manuals/build/cache/invalidation.md
Expand Up @@ -82,12 +82,12 @@ Build arguments do result in cache invalidation.
```dockerfile
FROM alpine
ARG CACHEBUST
RUN --mount=type=secret,id=foo \
TOKEN=$(cat /run/secrets/foo) ...
RUN --mount=type=secret,id=TOKEN,env=TOKEN \
some-command ...
```

```console
$ TOKEN=verysecret docker build --secret id=foo,env=TOKEN --build-arg CACHEBUST=1 .
$ TOKEN="tkn_pat123456" docker build --secret id=TOKEN --build-arg CACHEBUST=1 .
```

Properties of secrets such as IDs and mount paths do participate in the cache
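Review bot: the paragraph right after this hunk, "Properties of secrets such as IDs and mount paths do participate in the cache", now sits under an example that uses `env=TOKEN` rather than a mount path; update it to say whether the `env` name is also a cache-key property so the example and the explanation match. On the console line, the `TOKEN="tkn_pat123456"` value reads like a real token format; a plainly fake placeholder avoids readers copying it literally.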
3 changes: 1 addition & 2 deletions content/manuals/build/ci/github-actions/secrets.md
Expand Up @@ -26,8 +26,7 @@ First, create a `Dockerfile` that uses the secret:
```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=github_token \
cat /run/secrets/github_token
RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN ...
```

In this example, the secret name is `github_token`. The following workflow
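Review bot: the new `RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN ...` line is an improvement over the removed `cat /run/secrets/github_token`, which printed the token into the build log, but the trailing `...` leaves the tutorial Dockerfile unbuildable as written; since the text says "create a `Dockerfile` that uses the secret", give it a concrete command that consumes `$GITHUB_TOKEN` without echoing it.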
