Feature Request: Add --secrets value= for specifying secret directly on CLI #1913

Open
rcollette opened this issue May 30, 2019 · 3 comments

Comments

@rcollette

Description
Secrets that I need to provide are present as exported environment variables on the build server.

Rather than having to create files on the build server (and thus risk the secrets being left behind on the build server), I would like to specify the secret directly in the command line like:

docker build --no-cache --progress=plain --secret id=mysecret,value=${GITLAB_ENVIRONMENT_VARIABLE} .
@SimonMarynissen

SimonMarynissen commented May 17, 2021

Currently, I found two workarounds for this:

  1. Make a temporary file containing the secret, for example with printf "$mysecret" > mysecretfile and use src=mysecretfile and make sure to delete this file afterwards.
  2. Use process substitution (only available in some shells), in bash it would look like src=<(printf "$mysecret")

The first approach is somewhat unsafe since you can forget to remove this file. The second approach (which I use at the moment) only works in certain shells, for example not possible in POSIX shell.

Therefore, I think something like value=$mysecret would add to the user experience and safety in some cases.

Edit: I found that part of the code responsible is in cli/opts/secret.go.
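The first workaround above can be made safe against the "forgot to delete the file" failure mode without process substitution. The following helper is an added example, not code from the issue or from the docker/cli project: it copies a secret from a named environment variable into a mktemp file (created 0600), exports the path as SECRET_FILE (an assumed name), runs the given command, and removes the file on exit, error or signal. The variable name MYSECRET and the docker invocation in the comment are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the issue or docker/cli): run a command with a secret
# from an environment variable materialised in a temp file that is always removed.
# Works in plain POSIX sh, so it does not need bash's <(...) process substitution.

# with_secret_file VAR_NAME COMMAND [ARGS...]
# Writes $VAR_NAME to a 0600 temp file, exports its path as SECRET_FILE (assumed
# name), runs COMMAND, then deletes the file and unsets SECRET_FILE.
with_secret_file() {
    var="$1"; shift
    # Only accept a plain identifier: the name is expanded with eval below, so
    # anything else (e.g. "x; rm -rf /") must be rejected, not evaluated.
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "with_secret_file: invalid variable name '$var'" >&2
            return 2 ;;
    esac
    eval "val=\${$var:-}"
    # Refuse to run with an unset or empty secret rather than silently mounting
    # an empty file into the build.
    if [ -z "$val" ]; then
        echo "with_secret_file: $var is unset or empty" >&2
        return 2
    fi
    # mktemp creates the file with mode 0600 and an unpredictable name, so no
    # other local user can read it or pre-create it under a guessable path.
    SECRET_FILE=$(mktemp) || return 1
    export SECRET_FILE
    # Cleanup runs even if COMMAND fails or the shell is interrupted.
    # Caveat: this replaces any EXIT/HUP/INT/TERM trap the caller had set.
    trap 'rm -f "$SECRET_FILE"' EXIT HUP INT TERM
    printf '%s' "$val" > "$SECRET_FILE"
    unset val
    rc=0
    "$@" || rc=$?
    rm -f "$SECRET_FILE"
    trap - EXIT HUP INT TERM
    unset SECRET_FILE
    return $rc
}

# Usage (assumed names; the command is run via sh -c so that $SECRET_FILE is
# expanded inside the wrapper's environment, not by the caller's shell):
#   MYSECRET=topsecret with_secret_file MYSECRET \
#       sh -c 'docker build --secret id=mysecret,src="$SECRET_FILE" .'
```

The helper keeps the secret out of the command line (so it is not visible in `ps`, shell history or CI logs) and only ever exists on disk for the duration of the command. Where BuildKit's own env= source is available, as shown later in this thread, no file is needed at all.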

@thaJeztah
Member

This should already be possible using the env option on --secret (see #2656)

With the following Dockerfile:

FROM alpine
RUN --mount=type=secret,id=foo-token echo "the secret is: $(cat /run/secrets/foo-token)"

Set the TOP_SECRET_TOKEN env var, and start a build with that name passed as env (I'm using --progress=plain so that the shell output is visible):

export TOP_SECRET_TOKEN=topsecret
export DOCKER_BUILDKIT=1
docker build --progress=plain --secret id=foo-token,env=TOP_SECRET_TOKEN .

Which shows:

#5 [2/2] RUN --mount=type=secret,id=foo-token echo "the secret is: $(cat /run/secrets/foo-token)"
#5 sha256:0197aa18712af0632dd5950200e51a7afb3d6e4fd310164f5be4f2daa0212b8e
#5 0.400 the secret is: topsecret
#5 DONE 0.4s

@thaJeztah
Member

I don't think we should add support for providing the value in-line (value=). Doing so would be worse (from a security perspective), because the value would show up in logs, (bash) history, etc.

Passing the value through stdin could've been an alternative, but unfortunately is not an option for docker build, as it already accepts stdin as input for the Dockerfile and/or build-context, besides not being possible when passing multiple secrets.
