docker-compose Equivalent to Docker Build --secret Argument

We have used the technique detailed here to expose host environment variables to Docker build in a secure fashion.

# syntax=docker/dockerfile:1.2
FROM golang:1.18 AS builder

# move secrets out of the build process (and docker history)
RUN --mount=type=secret,id=github_token,dst=/app/secret_github_token,required=true,uid=10001 \
    export GITHUB_TOKEN=$(cat /app/secret_github_token) && \
    <nice command that uses $GITHUB_TOKEN>

And this command to build the image:

export DOCKER_BUILDKIT=1
docker build --secret id=github_token,env=GITHUB_TOKEN -t cool-image-bro .

The above works perfectly.

Now we also have a docker-compose file running in CI that needs to be modified. However, even though I confirmed that the ENV vars are present in that job, I do not know how to assign the environment variable to the github_token named secret ID.

In other words, what is the equivalent docker-compose command (up --build, or build) that can accept a mapping of an environment variable with a secret ID?

Solution 1:[1]

Turns out I was a bit ahead of the times. docker compose v.2.5.0 brings support for secrets.

After having modified the Dockerfile as explained above, we must then update the docker-compose to define secrets.

docker-compose.yml

services:
  my-cool-app:
    build:
      context: .
      secrets:
        - github_user
        - github_token
...
secrets:
  github_user:
    file: secrets_github_user
  github_token:
    file: secrets_github_token

But where are those files secrets_github_user and secrets_github_token coming from? In your CI you also need to export the environment variable and save it to the default secrets file location. In our project we are using Tasks so we added these two lines.

Note that we are running this task from our CI, so you could do it differently without Tasks for example.

- printenv GITHUB_USER > /root/project/secrets_github_user
- printenv GITHUB_TOKEN > /root/project/secrets_github_token

We then update the CircleCI config and add two environment variables to our job:

.config.yml

  name-of-our-job:
    environment:
      DOCKER_BUILDKIT: 1
      COMPOSE_DOCKER_CLI_BUILD: 1

You might also need a more recent Docker version, I think they introduced it in a late 19 release or early 20. I have used this and it works:

    steps:
      - setup_remote_docker:
          version: 20.10.11

Now when running your docker-compose based commands, the secrets should be successfully mounted through docker-compose and available to correctly build or run your Dockerfile instructions!
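The CI step in the answer above (printenv into a file) silently writes an empty, world-readable file when the variable is unset, and an empty secret file would only surface later as an unexplained build failure. The helper below is an added example, not code from the question or the answer, showing the same staging step written to fail closed and to create the secret files with owner-only permissions. The directory path and the stage_build_secrets / write_secret_file / file_mode names are assumptions made for this example; the two file names are the ones the compose file in the answer refers to.

```shell
#!/bin/sh
# Added example (not from the original post): stage build secrets from
# environment variables into files for `docker compose build` to mount.
# Assumptions: POSIX sh; function names and the target directory are
# hypothetical; GITHUB_USER / GITHUB_TOKEN are the variables the answer uses.

# write_secret_file VAR_NAME DEST_PATH
# Refuses to write (and returns 1) when VAR_NAME is unset or empty, instead
# of creating an empty secret file the way `printenv VAR > file` would.
write_secret_file() {
    var_name="$1"
    dest="$2"
    # Indirect expansion in POSIX sh: read the value of the named variable.
    value=$(eval "printf '%s' \"\${$var_name}\"")
    if [ -z "$value" ]; then
        echo "error: $var_name is not set; refusing to write $dest" >&2
        return 1
    fi
    # umask 077 in a subshell so the file is created mode 0600 from the start
    # (no window where another local user could read the token).
    ( umask 077 && printf '%s' "$value" > "$dest" ) || return 1
    return 0
}

# stage_build_secrets SECRET_DIR
# Writes the two files named in the compose `secrets:` section of the answer.
stage_build_secrets() {
    dir="$1"
    mkdir -p "$dir" || return 1
    write_secret_file GITHUB_USER "$dir/secrets_github_user" || return 1
    write_secret_file GITHUB_TOKEN "$dir/secrets_github_token" || return 1
    return 0
}

# file_mode PATH : prints the octal permission bits (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical CI usage (the directory is an assumption for this example):
#   stage_build_secrets /root/project && docker compose build
```

Two practical notes: the Dockerfile reads the secret with $(cat ...), which strips a trailing newline, so it does not matter whether the file is written with printenv (newline) or printf '%s' (no newline). And because the compose file uses context: ., the staged secret files sit inside the build context; `--mount=type=secret` keeps them out of image layers, but listing them in .dockerignore and .gitignore keeps them from being sent to the daemon as context or committed by mistake.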

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Vallieres