Docker build secrets!
April 27, 2021
For a long time now, I’ve wanted a way to use external secrets, e.g. API or SSH keys, at build time when building Docker images, without exposing them in any layer.
It was possible to use build arguments and multi-stage builds to make sure that we don’t include the secrets in the final image that we push, but it would still leave the secrets in the intermediate layers on my local machine. Not ideal.
With BuildKit, Docker added first-class support for secrets, which makes this even cleaner and more secure.
Here’s for example how to mount a `.netrc` file at build time to give `pip` access to your credentials for some hosts. In your Dockerfile:

```dockerfile
RUN --mount=type=secret,id=netrc,dst=/path/to/.netrc pip install -r requirements.txt
```

And to build it:

```sh
DOCKER_BUILDKIT=1 docker build --secret id=netrc,src=~/.netrc .
```
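The point of the secret mount is that the credential never lands in a layer, and that is something you can check rather than trust. The script below is an added example, not from the post: it builds with the `netrc` secret, exports the image with `docker save` and greps every layer and config blob for a placeholder token. It assumes a BuildKit-capable `docker` and a Dockerfile in the current directory that uses the `--mount=type=secret,id=netrc,...` line shown above; the image tag and token are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): build with a BuildKit secret, export the
# image and confirm the credential sits in no layer or config blob. Assumes a
# Dockerfile in the current directory using the post's netrc secret mount.
# Tag and token values are constructed placeholders.
set -eu

# Count files under DIR (an untarred `docker save` export) whose content
# contains MARKER. Layer blobs may be plain or gzip-compressed tars; the image
# config JSON, which records the layer history, is scanned as well.
# Prints the number of matching files; 0 means the secret leaked nowhere.
count_marker_files() {
  dir=$1; marker=$2; hits=0
  for f in $(find "$dir" -type f); do    # export paths contain no spaces
    if gzip -t "$f" 2>/dev/null; then reader="gzip -dc"; else reader="cat"; fi
    if $reader "$f" | grep -a -q -- "$marker"; then
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# Export IMAGE with `docker save` into a temp dir, scan it, print the hits.
scan_image() {
  image=$1; marker=$2
  tmp=$(mktemp -d)
  docker save "$image" | tar -x -C "$tmp"
  n=$(count_marker_files "$tmp" "$marker")
  rm -rf "$tmp"
  echo "$n"
}

# Write a throwaway .netrc, build with it mounted as a secret, then scan.
build_and_check() {
  image=${1:-secret-demo:latest}        # placeholder tag
  marker=${2:-PLACEHOLDER_TOKEN_0123}   # placeholder credential
  printf 'machine files.example.com login ci password %s\n' "$marker" > "$PWD/demo.netrc"
  DOCKER_BUILDKIT=1 docker build --secret id=netrc,src="$PWD/demo.netrc" -t "$image" .
  rm -f "$PWD/demo.netrc"
  n=$(scan_image "$image" "$marker")
  if [ "$n" -eq 0 ]; then
    echo "OK: marker found in no layer of $image"
  else
    echo "LEAK: marker found in $n file(s) of the $image export"; return 1
  fi
}

# Set RUN_DEMO=1 to run the build and scan; otherwise only define the functions.
if [ "${RUN_DEMO:-0}" = 1 ]; then build_and_check "$@"; fi
```

Run the same scan against an image built with `ARG`-passed credentials and the token shows up in the config blob's history, which is exactly the intermediate-layer problem described above.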
BuildKit also has a flag to forward SSH connections using `ssh-agent`. From their documentation:

```dockerfile
FROM alpine
RUN apk add --no-cache openssh-client git
RUN mkdir -m 700 ~/.ssh && ssh-keyscan github.com > ~/.ssh/known_hosts
# Clone private repository
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git
```

To build it (ignore the first two lines if you already have `ssh-agent` running and configured):

```sh
# Start `ssh-agent` and set environment variables
eval $(ssh-agent)
# Add your default SSH keys to the agent
ssh-add
DOCKER_BUILDKIT=1 docker build --ssh default .
```