Skip to content

secrets: allow providing secrets with env#1534

Merged
tonistiigi merged 3 commits intomoby:masterfrom
tonistiigi:secrets-env
Jul 7, 2020
Merged

secrets: allow providing secrets with env#1534
tonistiigi merged 3 commits intomoby:masterfrom
tonistiigi:secrets-env

Conversation

@tonistiigi
Copy link
Member

@tonistiigi tonistiigi commented Jun 17, 2020

Support --secret id=foo,env=MY_ENV as an alternative for storing a secret value to a file. --secret id=GIT_AUTH_TOKEN will load env if it exists and the file does not.

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com

@tonistiigi
secrets: allow providing secrets with env
64e64e4 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
tiborvass
tiborvass reviewed Jun 17, 2020
View reviewed changes
tiborvass
tiborvass reviewed Jun 17, 2020
View reviewed changes
@tonistiigi
secrets: remove file specifics from variable names
0ab1800 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
chris-crone
chris-crone approved these changes Jun 18, 2020
View reviewed changes
Copy link
Collaborator

@chris-crone chris-crone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tonistiigi
secrets: reuse constant on error message
fdebe4c 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@hinshun
Copy link
Collaborator

hinshun commented Jun 19, 2020
edited
Loading

Is there any difference between secret env and setting env on the llb.State?

@tonistiigi
Copy link
Member Author

tonistiigi commented Jun 19, 2020

@hinshun This doesn't set any env in llb.State, just allows reading the secret value stored in env on client side. Eg. if you already have GITHUB_TOKEN defined locally you don't need to write it into a file to run --secret id=token,src=/tmp/tokenfile but can just do --secret id=token,env=GITHUB_TOKEN or --secret id=GITHUB_TOKEN.

@tonistiigi tonistiigi merged commit d3f295c into moby:master Jul 7, 2020
@tonistiigi tonistiigi mentioned this pull request Jul 23, 2020
Merged
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Jul 28, 2020
@thaJeztah
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
4fdd541 
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah mentioned this pull request Jul 28, 2020
Merged
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Jul 28, 2020
@thaJeztah
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
034c35f 
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Jul 28, 2020
@thaJeztah
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
95a499d 
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah added a commit to thaJeztah/cli that referenced this pull request Sep 9, 2020
@thaJeztah
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
7edc00d 
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Sep 11, 2020
@thaJeztah
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
05d3484 
full diff: moby/buildkit@df35e98...4d1f260

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 7edc00d8088795798ae4e82d2e529a9829acfe72
Component: cli
@tonistiigi tonistiigi mentioned this pull request Sep 25, 2020
Closed
This was referenced Dec 14, 2020
Open
Merged
@crazy-max crazy-max mentioned this pull request Dec 19, 2020
Merged
@quasis quasis mentioned this pull request Apr 28, 2021
Closed
@avdhoot
Copy link

avdhoot commented May 12, 2021

Dockerfile

# syntax = docker/dockerfile:labs
FROM ubuntu:18.04
RUN --mount=type=secret,id=PYPI_KEY echo $PYPI_KEY && echo hi

Command

DOCKER_BUILDKIT=1 docker build --no-cache --progress plain --secret id=PYPI_KEY,env=PYPI_KEY -f Dockerfile_build ..

Output

#7 [2/2] RUN --mount=type=secret,id=PYPI_KEY echo $PYPI_KEY && echo hi
#7 sha256:2c5120eaabd9451b42da9691458ecbe15e84bd92165c2f94d04cab6342bf4ea4
#7 0.094 
#7 0.094 hi
#7 DONE 0.1s

Expected value of PYPI_KEY will be available at build. Is right assumption? @tonistiigi

@tonistiigi
Copy link
Member Author

tonistiigi commented May 12, 2021

No, you would need

RUN --mount=type=secret,id=PYPI_KEY export PYPI_KEY=$(cat /run/secrets/PYPI_KEY) && echo $PYPI_KEY && echo hi

Second command should work as expected

@crazy-max crazy-max mentioned this pull request Jun 23, 2021
Closed
@shaaga
Copy link

shaaga commented Aug 12, 2021
edited
Loading

RUN --mount=type=secret,id=PYPI_KEY cat /run/secrets/PYPI_KEY gives No such file or directory error

Docker build command has
--secret id=PYPI_KEY,env=RHS_USERNAME

There is an env variable with name RHS_USERNAME

However if I place the env variable value in a file named "~/secrets.txt" and replace env=RHS_USERNAME with src=/home//secrets.txt, it works just fine.

Seems when secrets are read from env variables, values are not mounted in /run/secrets/secret-id file??

@shaaga
Copy link

shaaga commented Aug 12, 2021

@tonistiigi , created this issue for the above comment, can you please have a look: #2302

@bossmc bossmc mentioned this pull request Oct 1, 2021
Closed
@tama-biro tama-biro mentioned this pull request Sep 20, 2022
Closed
@NatoBoram
Copy link

NatoBoram commented Aug 13, 2023
edited
Loading 

RUN --mount=type=secret,id=PYPI_KEY PYPI_KEY=$(cat /run/secrets/PYPI_KEY) && echo $PYPI_KEY && echo hi

Note: You don't need to export. You can define it inline:

RUN --mount=type=secret,id=BUILD_BASE BUILD_BASE="$(cat /run/secrets/BUILD_BASE)" pnpm run build

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chris-crone chris-crone chris-crone approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@tiborvass tiborvass Awaiting requested review from tiborvass

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@tonistiigi @hinshun @avdhoot @shaaga @NatoBoram @tiborvass @chris-crone @AkihiroSuda