16

When using docker with asp.net core for development, should I use user-secrets or environment variables? I am using the default docker file that Visual Studio 2017 creates when adding a project, which uses microsoft/aspnetcore:1.1 and I believe is a linux image.

How do I set the user-secrets/environment variables in docker so they are set when it launches, but aren't included in the source code?

Set
darick_c

4 Answers

11

For Development I rely on .net secret manager tool:

  1. use dotnet user-secrets to store secrets on the local computer

     dotnet user-secrets init

     dotnet user-secrets set "Movies:ServiceApiKey" "12345"
     ..

See MS docs: Safe storage of app secrets in development in ASP.NET Core.

  2. mount the local folder with secrets to Docker container

Example for Docker:

docker run ^
  -e ASPNETCORE_ENVIRONMENT=Development ^
  -v %APPDATA%/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro  ^
  company/image:latest

Example for docker-compose:

version: "3.8"

..

  net_core_service:
    ..
    environment:
      # should be defined Development-env to allow loading user-secrets located on the local computer.
      - ASPNETCORE_ENVIRONMENT=Development
    ..
    volumes:
      # map the dotnet user-secret folder
      - $APPDATA/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
    ..

..
vladimir
7

For production purposes, you need to use environment variables, not user-secrets. Secrets exist ONLY for safe storage during development by helping prevent sensitive data from being stored in code / checked into source control:

The Secret Manager tool does not encrypt the stored secrets and should not be treated as a trusted store. It is for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.


As an alternative to environment variables, you may consider using "external" key-value stores, like Consul, Vault, etc.


Regarding environment variables in docker, SO already has related questions/answers. See How to pass environment variables to docker containers? as an example.

Community
Set
  • I know how to pass environment variables with the docker command, but how do I do it so that when I hit debug in Visual Studio and it launches the docker images, it passes the environment variables? – darick_c Mar 13 '17 at 15:19
  • Late to the party. If you are running VS and need to pass environment variables to your container: – Jake Sep 10 '17 at 19:05
6

Environment vars are better - https://12factor.net/config

If you run docker using docker run, use the -e or --env-file option: https://docs.docker.com/engine/reference/run/#env-environment-variables

If you run docker using docker-compose, use the environment or env_file key: https://docs.docker.com/compose/environment-variables/

luchaninov
  • This is what I was looking for. I'm using a .env file as described here https://docs.docker.com/compose/environment-variables/#the-env-file, and adding that to .gitignore. Thanks. – darick_c Mar 16 '17 at 16:53
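Added example, not part of any post on this page: a Python sketch that turns a Secret Manager `secrets.json` into a file usable with `--env-file` / `env_file`. It relies on ASP.NET Core's environment-variable provider reading `__` as the `:` hierarchy separator; the function names `to_env_pairs` and `write_env_file` are hypothetical, and the sample data is constructed apart from the key set in the first answer.

```python
import json
import os

def to_env_pairs(node, prefix=""):
    """Flatten secrets.json content into (ENV_NAME, value) pairs."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        # Array elements are addressed by index: Key__0, Key__1, ...
        items = ((str(i), v) for i, v in enumerate(node))
    else:
        if isinstance(node, bool):
            value = "true" if node else "false"
        else:
            value = "" if node is None else str(node)
        # Env files are line-based, so a value with a line break cannot be written.
        if "\n" in value or "\r" in value:
            raise ValueError(f"{prefix}: value contains a line break")
        return [(prefix, value)]
    pairs = []
    for key, child in items:
        # The Secret Manager stores flat "A:B" keys; hand-edited files may nest.
        name = str(key).replace(":", "__")
        pairs += to_env_pairs(child, f"{prefix}__{name}" if prefix else name)
    return pairs

def write_env_file(secrets, path):
    """Write NAME=value lines; a newly created file gets owner-only mode 0600."""
    lines = [f"{name}={value}\n" for name, value in to_env_pairs(secrets)]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.writelines(lines)
    return len(lines)

# Constructed sample; the first key/value is the one set in the first answer.
SAMPLE = json.loads('{"Movies:ServiceApiKey": "12345", '
                    '"Smtp": {"Password": "constructed-value", "Hosts": ["a", "b"]}}')

if __name__ == "__main__":
    for name, value in to_env_pairs(SAMPLE):
        print(f"{name}=<{len(value)} chars>")  # show names only, never the values
```

The generated file belongs in .gitignore, as in the comment above, and is passed to the container at run time rather than copied into the image.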
3

Instead of using user-secrets or environment variables, I decided to add another appsettings file called appsettings.secrets.json. And then in the constructor add the file like the other appsettings files:

    var builder = new ConfigurationBuilder()
        .SetBasePath(env.ContentRootPath)
        .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
        .AddJsonFile("appsettings.secrets.json", optional: true, reloadOnChange: true)
        .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
        .AddEnvironmentVariables();

Just be sure to add the appsettings.secrets.json to the .gitignore file so it isn't added to source control. User-secrets and environment variables can still be used.

darick_c
  • I think this is a bad idea because your secrets are getting copied into your images? – Ben Collins Feb 19 '22 at 18:19
  • Storing secrets and credentials in your source code is generally a bad idea - while it makes things easy for developers to get up and running, it leaves you open to that information leaking out onto the internet. Have a look at answers such as https://security.stackexchange.com/questions/38371/how-dangerous-is-it-to-store-password-in-plain-text-on-sites-like-github which goes into it in more detail. User secrets or environment variables keep those details local to your computer, and outside of the context of your application's source code. – David Keaveny May 09 '23 at 03:30
  • You would probably want to use a password manager to securely store those credentials, for those times when you need to set up a new computer or onboard a new developer, of course. – David Keaveny May 09 '23 at 03:31