Expand documentation for --secret
#13632
+55
−35
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -126,48 +126,60 @@ checks for updates of the syntax before building, making sure you are using the | |
| most current version. Learn more about the `syntax` directive in the | ||
| [Dockerfile reference](/engine/reference/builder/#syntax). | ||
|
|
||
| ## Securely managing secrets during Docker Build | ||
|
|
||
| `docker build` understands the `--secret` flag to allow the user to pass secret | ||
| information that can be referenced in the Dockerfile. The secret values are | ||
| only used for building docker images and will not end up stored in the final | ||
| image. | ||
|
|
||
| A build operation may have multiple secrets associated with it, each identified | ||
| with an `id` which is shared between the `docker build` command line flag and | ||
| the Dockerfile. | ||
|
|
||
| ### Accessing Secrets during the build | ||
|
|
||
| Secrets are accessed in Dockerfiles with a `RUN --mount=type=secret,id=<id>` | ||
| command. The value of the secret with the given `id` will be mounted as a file | ||
| in the file-system for the duration of that `RUN` command and will otherwise be | ||
| invisible to the rest of the build and to uses of the image. | ||
|
|
||
| ```dockerfile | ||
| # syntax=docker/dockerfile:1.2 | ||
|
|
||
| FROM alpine | ||
|
|
||
| # Fetch secret from default secret location: | ||
| RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret | ||
| ``` | ||
|
|
||
| _This Dockerfile is only to demonstrate that the secret can be accessed. As you | ||
| can see the secret printed in the build output. The final image built will not | ||
| have the secret file._ | ||
|
|
||
| The `type=secret` and `id` parameters are mandatory but the following optional | ||
| parameters are also available if desired: | ||
|
Member
There was a problem hiding this comment. This is not a complete list https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#run---mounttypesecret |
||
|
|
||
| * `dst=<path>` - By default the secret file is created at `/run/secret/<id>` by | ||
|
Member
There was a problem hiding this comment. We do support |
||
| passing the `dst` parameter you can specify a different path. | ||
| * `required` - By default, if no secret with the given `id` was specified for | ||
| the build then the secret file will still be created, but will be empty. If | ||
| the mount is specified as `required` then this will instead cause the build | ||
| to fail. | ||
|
|
||
| Multiple secrets may be mounted into the `RUN` command by providing multiple | ||
| `--mount=type=secret` flags. | ||
|
|
||
| ### Providing the secret value to the build | ||
|
|
||
| The secret value itself needs to be passed to the build using the `--secret` | ||
| flag on `docker build`. The secret can be retrieved from a file on disk or an | ||
| environment variable and is associated with the `id` that the Dockerfile can | ||
| use to access the secret during the build. | ||
|
|
||
| ```console | ||
| $ echo "WARMACHINEROX" > mysecret.txt | ||
| $ docker build --progress=plain --secret id=mysecret,src=mysecret.txt . | ||
| ... | ||
| #8 [2/3] RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret | ||
| #8 digest: sha256:5d8cbaeb66183993700828632bfbde246cae8feded11aad40e524f54ce7438d6 | ||
|
|
@@ -176,18 +188,26 @@ $ docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt | |
| #8 1.081 WARMACHINEROX | ||
| #8 completed: 2018-08-31 21:03:32.051053831 +0000 UTC | ||
| #8 duration: 1.347502967s | ||
| ... | ||
| ``` | ||
|
|
||
| The `--secret` flag requires the `id` parameter and accepts the following | ||
| optional parameters: | ||
|
|
||
| * `src=<path>` - The file to read the secret value from. This must be a path within | ||
| the build context and the user running `docker build` must have permission to | ||
| read the file. | ||
| * `env=<name>` - The name of the environment variable to read the secret value from. | ||
|
|
||
| If neither `src` nor `env` are passed then the builder will first check for | ||
| an environment variable with the same name as the secret's `id`. If that does | ||
| not exist then it looks for a file in the current directory with the same name | ||
| as the secret's `id`. If neither of these checks succeeds to find a value the | ||
| build will fail. | ||
|
|
||
| Multiple secrets may be passed to the build by passing the `--secret` flag | ||
| once per secret, specifying a different `id` for each one. | ||
|
|
||
| ## Using SSH to access private data in builds | ||
|
|
||
| > **Acknowledgment** | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
id is not mandatory if dst is set