
I am relatively new to Docker and am currently building a multi-container dockerized azure web app (in flask). However, I am having some difficulty with secret management. I had successfully built a version that was storing app secrets through environment variables. But based on some recent reading it has come to my attention that that is not a good idea. I've been attempting to update my app to use Docker Secrets but have had no luck.

I have successfully created the secrets based on this post:

how do you manage secret values with docker-compose v3.1?

I have deployed the stack and verified that the secrets are available in both containers in /run/secrets/. However, when I run the app in azure I get an error.

Here are the steps I've taken to launch the app in azure.

docker swarm init --advertise-addr XXXXXX
echo "This is an external secret" | docker secret create my_external_secret -
docker-compose build
docker push
docker stack deploy -c *path-to*/docker-compose.yml webapp

Next I'll restart the azure web app to pull the latest images.

Basic structure of the docker-compose is below.

version: '3.1'
services:
  webapp:
    build: .
    secrets:
      - my_external_secret
    image: some_azure_registry/flask_site:latest

  celery:
    build: .
    command: celery worker -A tasks.celery --loglevel=INFO -P gevent
    secrets:
      - my_external_secret
    image: some_azure_registry.azurecr.io/flask_site_celery:latest

secrets:                        # top level secrets block
  my_external_secret:
    external: true

However, when I run the app in azure I get:

No such file or directory: '/run/secrets/my_external_secret

I can attach a shell to the container and successfully run:

$ python
>>> open('/run/secrets/my_external_secret', 'r').read().strip()

But when the above line is executed by the webapp it fails with the no file or directory error. Any help would be greatly appreciated.

UCAB

1 Answer


Unfortunately, the secret at the top-level of docker-compose is not supported in Azure Web App for Container. Take a look below:

Supported options

  • command
  • entrypoint
  • environment
  • image
  • ports
  • restart
  • services
  • volumes

Unsupported options

  • build (not allowed)
  • depends_on (ignored)
  • networks (ignored)
  • secrets (ignored)
  • ports other than 80 and 8080 (ignored)

For more details, see Docker Compose options.

Charles Xu
  • Thank you for your response. I suppose the next question is, what is the preferred method of storing secrets in dockerized azure web-apps? – UCAB Aug 19 '19 at 15:21
  • @UCAB As I know, the environment variable in the docker file or in Azure Web App app settings are the easiest. But you can also store the secrets in the Azure Keyvault and get them in the code. – Charles Xu Aug 20 '19 at 00:40
  • Currently I am using the Azure Keyvault for end-to-end encryption. Two of the variables I was trying to pass in through Docker Secrets (and failed), were the tenant_id and vault_secret_id. The whole point of using Docker Secrets was to keep secrets like this out of the environment. Perhaps I am missing something, but if an attacker gained access to the environment variables, they would then have access to my vault secrets, which more or less defeats the purpose of the vault. I know there are a few more steps, but obfuscating those IDs for the vault just seems like good practice. – UCAB Aug 20 '19 at 19:23
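A secret loader that copes with the failure described in this thread: it reads the Swarm-mounted file under /run/secrets when it exists, and when the platform ignores `secrets:` (as Azure Web App for Containers does) it falls back to the `NAME_FILE` convention and then to an app-setting environment variable, failing loudly rather than with a FileNotFoundError inside a request. This is an added example, not code from the question or answer; `load_secret`, `demo` and the sample values are assumptions.

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = "/run/secrets"  # where Docker Swarm mounts file secrets


def load_secret(name, secrets_dir=SECRETS_DIR, environ=None):
    """Return secret ``name``, trying in order:
      1. <secrets_dir>/<name>             Docker secret file (Swarm)
      2. the file named by env var NAME_FILE
      3. env var NAME                     e.g. Azure Web App app settings
    Raises KeyError when none is set, so a misconfigured deployment fails
    at startup instead of with FileNotFoundError inside a request.
    """
    env = os.environ if environ is None else environ
    key = name.upper()
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("secret names must be plain file names")

    candidates = [Path(secrets_dir) / name]
    if env.get(key + "_FILE"):
        candidates.append(Path(env[key + "_FILE"]))

    for path in candidates:
        try:
            # `echo ... | docker secret create` stores a trailing newline;
            # strip it so it is not sent on as part of a token or password.
            return path.read_text(encoding="utf-8").rstrip("\r\n")
        except FileNotFoundError:
            continue  # not mounted here (e.g. Azure ignores `secrets:`)

    if key in env:
        return env[key]
    raise KeyError("secret %r: not in %s, %s_FILE or %s" % (name, secrets_dir, key, key))


def demo():
    """Exercise all three sources against a constructed secrets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed sample: what `docker secret create` would have mounted
        (Path(tmp) / "my_external_secret").write_text("This is an external secret\n")
        (Path(tmp) / "vault.txt").write_text("vault-id-from-file\n")
        env = {"TENANT_ID": "tenant-from-app-settings",
               "VAULT_SECRET_ID_FILE": str(Path(tmp) / "vault.txt")}
        return {"swarm_file": load_secret("my_external_secret", tmp, env),
                "file_env": load_secret("vault_secret_id", tmp, env),
                "env": load_secret("tenant_id", tmp, env)}
```

Passing `environ` explicitly, as `demo` does, keeps the lookup testable without touching the real process environment.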