8

I have a build time Argument with which I would like to build my Docker file; Since that argument is confidential in nature (github key of a private repo) I don't want that to end up in a docker image. This quotes is from official docker documentation regarding the build-time arguments.

Warning: It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

Anybody know what is the recommended way to achieve the same?

so-random-dude
  • 15,277
  • 10
  • 68
  • 113
  • 1
    Multi-stage build possibly? Not sure about the security implications as it's early new and not looked too much at it, but should only copy desired artefacts to future steps. – johnharris85 Jul 30 '17 at 23:33

3 Answers3

24

With docker 18.09+, that will be: docker build --secret id=mysecret,src=/secret/file (using buildkit).

See PR 1288, announced in this tweet.
--secret is now guarded by API version 1.39.

Example:

printf "hello secret" > ./mysecret.txt

export DOCKER_BUILDKIT=1

docker build --no-cache --progress=plain --secret id=mysecret,src=$(pwd)/mysecret.txt -f - . <<EOF
# syntax = tonistiigi/dockerfile:secrets20180808
FROM busybox
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
EOF
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
1

I'd rely on context of the Dockerfile for that. Basically, have something else (i.e. Jenkins, sub-repos) that's trusted with your Github key pull down all the necessary repos to relative locations that give your Dockerfile the context it needs. Nothing in the Docker build process itself should be managing secrets.

I can be more specific, if you specify more about your use-case. If it's just a single repo you need, you can just stick the Dockerfile in the root of that repo and rely on something else to provide credentials for cloning the repo down.

Eli
  • 36,793
  • 40
  • 144
  • 207
-1

This is the point of docker secret

see for example

https://blog.docker.com/2017/02/docker-secrets-management/

user2915097
  • 30,758
  • 6
  • 57
  • 59
  • 1
    No. That is not the point of "docker secret". Please note, I am interested only in the build-time secret, not the runtime secret. – so-random-dude Jul 30 '17 at 22:55