Managing secrets

[aanand]

An issue brought up both by @fxdgear:

Right now we use Pass (http://www.passwordstore.org) to store all our secrets. Because of this we’ve had to write our own deployment utility which can read yaml files which have passwords stored in them.

It would be really cool if we could figure out a way to extract these secrets from the env_file when running docker-compose up.

I know that Pass isn’t the only password manager in the world… so it’s an interesting problem. But if we could have support in compose for extracting secrets at runtime, that would make deploying docker applications using compose (in the real world) more feasible.

@dhiltgen also brought up the same issue, and suggested adding the ability to do Bash-style shell command substitution like MYPASSWORD=$(pass show dev/.../password). But executing commands on the host machine is extremely unportable - this is also why we don't want to add anything like pre/post hooks for the container lifecycle.

So the problem here is getting secrets into containers without coupling Compose to anything host-specific, let alone a specific password storage tool.

So far, the only step towards making this easier is #1488, which will at least remove some of the hassle from generating a YAML configuration to pass to Compose.

[thaJeztah]

@aanand I asked the docker security maintainers to have a look at secrets in moby/moby#13490. A nice proof-of-concept for using the new volume-drivers to connect to password managers, can be found here https://github.com/calavera/docker-volume-keywhiz-fs.

[dnephin]

This might be resolved now that we have environment variable interpolation?

[thaJeztah]

@dnephin not entirely sure; it depends a bit on what is regarded a "proper" way to pass secrets (environment variables should not really be used for secrets in Docker), again, see moby/moby#13490. Not sure of compose can do anything about that currently, apart from supporting named volumes, and volume drivers.

[shin-]

#4368 🎉