
Consume secret inside dockerfile


The secrets should be used during run time and provided by execution environment.

Also everything that is executing during a container build is written down as layers and available later to anyone who is able to get access to an image. That's why it's hard to consume secrets during the build in a secure way.

In order to address this, Docker recently introduced a special option --secret. To make it work, you will need the following:

  1. Set environment variable DOCKER_BUILDKIT=1

  2. Use the --secret argument to the docker build command

    DOCKER_BUILDKIT=1 docker build --secret id=mysecret,src=mysecret.txt...

  3. Add a syntax comment to the very top of your Dockerfile

    # syntax = docker/dockerfile:1.0-experimental

  4. Use the --mount argument to mount the secret for every RUN directive that needs it

    RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

Please note that this needs Docker version 18.09 or later.
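The four steps above combined into one Dockerfile, as an added example that is not from the original answer; the private package index, the `pip_token` secret id and the `pip_token.txt` source file are assumptions:

```dockerfile
# syntax = docker/dockerfile:1.0-experimental
# (newer Docker versions accept "# syntax=docker/dockerfile:1", where
#  --mount=type=secret is no longer experimental)
FROM python:3.9-slim

# INSECURE, shown only for contrast: a build arg or ENV is recorded in the
# image config and is visible to anyone with the image via
# `docker history --no-trunc` or `docker inspect`.
# ARG PIP_TOKEN
# ENV PIP_TOKEN=$PIP_TOKEN

WORKDIR /app
COPY requirements.txt .

# SECURE: the secret is mounted at /run/secrets/pip_token only while this RUN
# step executes; it is never copied into a layer and is gone afterwards.
# The value is read into a shell variable inside the step and is not echoed,
# so it does not land in the build log either (unlike `cat /run/secrets/...`).
RUN --mount=type=secret,id=pip_token \
    PIP_INDEX_URL="https://__token__:$(cat /run/secrets/pip_token)@pypi.example.internal/simple" \
    pip install --no-cache-dir -r requirements.txt

COPY . .
CMD ["python", "app.py"]

# Build (assumed: ./pip_token.txt holds the token and is NOT committed):
#   DOCKER_BUILDKIT=1 docker build --secret id=pip_token,src=pip_token.txt -t app .
#
# Check: the token value must not appear anywhere in the image metadata.
# Only the mount declaration (id=pip_token), never the value, should show up.
#   docker history --no-trunc app | grep -c "$(cat pip_token.txt)"   # expect 0
```

The `docker history` check covers image metadata; to be sure nothing was written into a layer filesystem, `docker save app | tar -xO` the layer tarballs and grep them the same way.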


ARG is a build-time argument. You want to keep secrets secret and not write them into the artifacts. Keep secrets in external environment variables or in external files.

docker run -e SECRET_NAME=SECRET_VALUE

and in docker-compose:

    services:
      app-name:
        environment:
          - SECRET_NAME=YOUR_VALUE

or

    services:
      app-name:
        env_file:
          - secret-values.env

Kubernetes

When you run exactly the same container image in Kubernetes, you mount the secret from a Secret object.

    containers:
      - name: app-name
        image: app-image-name
        env:
          - name: SECRET_NAME
            valueFrom:
              secretKeyRef:
                name: name-of-secret-object
                key: token


Secrets are available only after the build is completed. So the answer is no, secrets cannot be consumed inside the Dockerfile. You can consume them after the build is complete, for example in an entrypoint file that is executed when the image is run.