secrets: allow providing secrets with env #1534

Merged
merged 3 commits into from
Jul 7, 2020


tonistiigi
Member

Support --secret id=foo,env=MY_ENV as an alternative for storing a secret value to a file. --secret id=GIT_AUTH_TOKEN will load env if it exists and the file does not.

Signed-off-by: Tonis Tiigi [email protected]

Collaborator

@chris-crone chris-crone left a comment

LGTM

session/secrets/secretsprovider/store.go Outdated
@hinshun
Collaborator

hinshun commented Jun 19, 2020

Is there any difference between secret env and setting env on the llb.State?

@tonistiigi
Member Author

@hinshun This doesn't set any env in llb.State, just allows reading the secret value stored in env on the client side. E.g. if you already have GITHUB_TOKEN defined locally you don't need to write it into a file to run --secret id=token,src=/tmp/tokenfile but can just do --secret id=token,env=GITHUB_TOKEN or --secret id=GITHUB_TOKEN.
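
Added example (not part of this PR or of BuildKit's code): a self-contained Go illustration of the client-side resolution described above, where `env=` names a local variable, `src=` names a file, and a bare `id` falls back to the environment only when no file of that name exists. The `Source` type and the `ParseSecret` and `Resolve` functions are hypothetical names chosen for this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

type Source struct{ ID, FilePath, Env string } // hypothetical, not BuildKit's type

// ParseSecret parses a --secret value such as "id=token,env=GITHUB_TOKEN".
func ParseSecret(spec string) (Source, error) {
	var s Source
	dst := map[string]*string{"id": &s.ID, "src": &s.FilePath, "env": &s.Env}
	for _, field := range strings.Split(spec, ",") {
		kv := strings.SplitN(field, "=", 2)
		p, known := dst[kv[0]]
		if len(kv) != 2 || !known {
			return s, fmt.Errorf("invalid field %q", field)
		}
		*p = kv[1]
	}
	if s.ID == "" {
		return s, fmt.Errorf("secret id is required")
	}
	return s, nil
}

// Resolve reads the value on the client. A bare id is treated as a file name
// and falls back to the env variable only if no file of that name exists.
func Resolve(s Source) ([]byte, error) {
	if s.Env == "" && s.FilePath == "" {
		s.FilePath = s.ID
		_, inEnv := os.LookupEnv(s.ID)
		if _, err := os.Stat(s.ID); err != nil && inEnv {
			s.Env = s.ID
		}
	}
	if s.Env != "" {
		if v, ok := os.LookupEnv(s.Env); ok {
			return []byte(v), nil
		}
		return nil, fmt.Errorf("env %s is not set", s.Env)
	}
	return os.ReadFile(s.FilePath)
}

func main() {
	fmt.Println(ParseSecret("id=token,env=HOME")) // constructed input
}
```

Resolution happens entirely on the client; inside the build the value is still consumed through the `--mount=type=secret` file, as the later comments in this thread show.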

@tonistiigi tonistiigi merged commit d3f295c into moby:master Jul 7, 2020
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Jul 28, 2020
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Sep 9, 2020
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Sep 11, 2020
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 7edc00d8088795798ae4e82d2e529a9829acfe72
Component: cli
@avdhoot

avdhoot commented May 12, 2021

Dockerfile

# syntax = docker/dockerfile:labs
FROM ubuntu:18.04
RUN --mount=type=secret,id=PYPI_KEY echo $PYPI_KEY && echo hi

Command

DOCKER_BUILDKIT=1 docker build --no-cache --progress plain --secret id=PYPI_KEY,env=PYPI_KEY -f Dockerfile_build ..

Output

#7 [2/2] RUN --mount=type=secret,id=PYPI_KEY echo $PYPI_KEY && echo hi
#7 sha256:2c5120eaabd9451b42da9691458ecbe15e84bd92165c2f94d04cab6342bf4ea4
#7 0.094 
#7 0.094 hi
#7 DONE 0.1s

Expected: the value of PYPI_KEY will be available at build. Is that the right assumption? @tonistiigi

@tonistiigi
Member Author

No, you would need

RUN --mount=type=secret,id=PYPI_KEY export PYPI_KEY=$(cat /run/secrets/PYPI_KEY) && echo $PYPI_KEY && echo hi

Second command should work as expected

@shaaga

shaaga commented Aug 12, 2021

RUN --mount=type=secret,id=PYPI_KEY cat /run/secrets/PYPI_KEY gives No such file or directory error

Docker build command has
--secret id=PYPI_KEY,env=RHS_USERNAME

There is an env variable with name RHS_USERNAME

However if I place the env variable value in a file named "~/secrets.txt" and replace env=RHS_USERNAME with src=/home//secrets.txt, it works just fine.

Seems when secrets are read from env variables, values are not mounted in /run/secrets/secret-id file??

@shaaga

shaaga commented Aug 12, 2021

@tonistiigi, created this issue for the above comment, can you please have a look: #2302

@NatoBoram

NatoBoram commented Aug 13, 2023

RUN --mount=type=secret,id=PYPI_KEY PYPI_KEY=$(cat /run/secrets/PYPI_KEY) && echo $PYPI_KEY && echo hi

Note: You don't need to export. You can define it inline:

RUN --mount=type=secret,id=BUILD_BASE BUILD_BASE="$(cat /run/secrets/BUILD_BASE)" pnpm run build
