
Below is the snippet of docker-compose file having passwords:

test:
  build: ../../
  dockerfile: docker/dev/Dockerfile
  volumes_from:
    - cache
  links:
    - db
  environment:
    DJANGO_SETTINGS_MODULE: todobackend.settings.test
    MYSQL_HOST: db
    MYSQL_USER: root
    MYSQL_PASSWORD: password
    TEST_OUTPUT_DIR: /reports

db:
  image: mysql:5.6
  hostname: db
  expose:
    - "3386"
  environment:
    MYSQL_ROOT_PASSWORD: password

Running this file in an AWS environment,

one option could be using KMS with the secrets stored in S3, and another approach is AWS Parameter Store.

When building the Dockerfile and launching containers using docker-compose, how can secrets be maintained safely without exposing them in text files? Any code snippet...

overexchange
  • What you can do is save the text files to a bucket. And then every time your docker is run, it should download the file, set the secret as env variables and delete the file. But I am gonna upvote this question since I never know where to put secrets! – DUDANF Oct 17 '19 at 16:03
  • @daudnadeem Can you share the code snippet? – overexchange Oct 17 '19 at 16:04
  • There is something called parameter store in AWS... – overexchange Oct 17 '19 at 16:05
  • I don't have a code snippet, would need to write it. But in pseudo code (python). 1. Download file (Using Boto3 library) 2. read file `with open (/file)` 3. os.environ[mysq] = password 4. os.remove(/file) I could write it for you, but it's actually really simple code. – DUDANF Oct 17 '19 at 16:08
  • And if you save the above as a python script. Just always `RUN my_script.py` in your Dockerfile as the second last command. – DUDANF Oct 17 '19 at 16:09
  • How are you deploying the compose file? Are you using swarm mode? – BMitch Oct 17 '19 at 17:12
  • @BMitch I am deploying containers in normal mode to the AWS ECS service. Can you elaborate how secrets are related to swarm mode? – overexchange Oct 20 '19 at 13:39
  • Swarm mode implements docker secrets. Without swarm mode, you do not get access to this functionality from docker. Kubernetes implements their own secrets. I'm not familiar enough with ECS to know if they have their own secrets implementation. – BMitch Oct 20 '19 at 14:03
  • [This answer](https://stackoverflow.com/a/56077990/596285) may also be helpful to understand the various options of managing secrets. – BMitch Oct 20 '19 at 14:06

2 Answers


You can use the integration between ECS and Secrets Manager to put the references to the secrets stored in Secrets Manager in the ECS task definition and then reference them as environment variables. The ECS docs provide a short tutorial on this (and there are more elaborate blog posts).

JoeB

I can think of a few possible approaches.

  1. Store the secret in an environment variable and reference the environment variable in your compose file like this:
environment:
  RACK_ENV: development
  SHOW: 'true'
  SESSION_SECRET:

The keys without any value are resolved to their values on the machine.

Another approach could be to use docker secret. Create the secret

$ printf "This is a secret" | docker secret create db_password -

If it's a file, it can be saved like

$ docker secret create site.key site.key

Access the secret in your compose as below

version: '3.1'

services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password

# secrets created beforehand with `docker secret create` are declared as external
secrets:
  db_root_password:
    external: true
  db_password:
    external: true

volumes:
  db_data:

The secret is available in the /run/secrets folder.

If you commit the container the secrets are not included.

asolanki
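The answer above relies on the mysql image reading `MYSQL_PASSWORD_FILE` from `/run/secrets` instead of taking the password from the compose file. The following is an added example, not code from the answer or from the mysql image, showing how your own application container (the `test` service in the question) can consume a Docker secret the same way: it implements the `NAME` / `NAME_FILE` convention, rejects the ambiguous case where both are set, and the `demo()` function uses a constructed temp file in place of `/run/secrets/db_password` so it runs outside Docker.

```python
import os
import tempfile
from pathlib import Path


def resolve_secret(name, env=None):
    """Resolve NAME via the NAME / NAME_FILE convention: exactly one of NAME
    (the value) or NAME_FILE (a path, normally /run/secrets/<secret>) may be
    set. Trailing newlines from tools such as echo are stripped."""
    env = os.environ if env is None else env
    direct = env.get(name)
    file_ref = env.get(name + "_FILE")
    if direct is not None and file_ref is not None:
        raise ValueError(f"both {name} and {name}_FILE are set; use only one")
    if direct is not None:
        return direct
    if file_ref is None:
        raise KeyError(f"neither {name} nor {name}_FILE is set")
    path = Path(file_ref)
    if not path.is_file():
        raise FileNotFoundError(f"{name}_FILE points at {path}, which is not a file")
    return path.read_text(encoding="utf-8").rstrip("\n")


def load_db_config(env=None):
    """Connection settings for the compose 'db' service; the password only ever
    comes from MYSQL_PASSWORD or MYSQL_PASSWORD_FILE, never a compose literal."""
    env = os.environ if env is None else env
    return {
        "host": env.get("MYSQL_HOST", "db"),
        "user": env.get("MYSQL_USER", "root"),
        "password": resolve_secret("MYSQL_PASSWORD", env),
    }


def demo():
    """Stand-in for the container: a constructed file plays /run/secrets/db_password
    and a constructed dict plays the environment the compose file would set."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "db_password"
        secret_file.write_text("This is a secret\n", encoding="utf-8")  # constructed secret
        env = {"MYSQL_HOST": "db", "MYSQL_USER": "wordpress",
               "MYSQL_PASSWORD_FILE": str(secret_file)}
        return load_db_config(env)


if __name__ == "__main__":
    cfg = demo()
    print({k: ("***" if k == "password" else v) for k, v in cfg.items()})  # never log the secret
```

Because the value is read from the mounted file at start-up, it never appears in the compose file, the image layers, or `docker inspect` output of the environment.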