Actual context is Docker Enterprise running on Windows Server 2019. I don’t see a consistent answer for this in the Docker documentation or in the forums.
I need to pass an application key to a microservice running in a Windows container. The container was based on Windows nano (so no PowerShell). The logical solution would be to use Docker secrets … except the application can’t read the secret. I can only read the secret if I use “docker exec -it --user ContainerAdministrator 8528f64a022e cmd.exe”; then “type C:\ProgramData\Docker\secrets\search_credentials” prints the contents.
The core of the issue appears to be this from Manage sensitive data with Docker secrets - Windows Support:
When creating a service which uses Windows containers, the options to specify UID, GID, and mode are not supported for secrets. Secrets are currently only accessible by administrators and users with system access within the container.
Is it true that my application cannot access the contents of the secret without running with elevated permissions?
Expected behavior
The application can read the contents of C:\ProgramData\Docker\secrets\search_credentials.
Actual behavior
The application cannot read the contents.
Information
- the output of: DockerDebugInfo.ps1 using PowerShell on Windows
PS C:\independence> DockerDebugInfo.ps1
DockerDebugInfo.ps1 : The term 'DockerDebugInfo.ps1' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ DockerDebugInfo.ps1
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (DockerDebugInfo.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Perhaps more helpful:
PS C:\independence> docker version
Client: Docker Engine - Enterprise
 Version: 18.09.8
 API version: 1.39
 Go version: go1.10.8
 Git commit: 90e30bdf98
 Built: 07/16/2019 17:13:22
 OS/Arch: windows/amd64
 Experimental: false
Server: Docker Engine - Enterprise
 Engine:
  Version: 18.09.8
  API version: 1.39 (minimum version 1.24)
  Go version: go1.10.8
  Git commit: 90e30bdf98
  Built: 07/16/2019 17:11:04
  OS/Arch: windows/amd64
  Experimental: false
Extracts from docker-compose.yml:
version: "3.3"
networks:
  localnet:
secrets:
  search_credentials:
    external: true
services:
  myservice:
    image: my_service
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
    environment:
      SEARCH_INDEX_ALPHA: index_alpha
    ports:
      - target: 6802
        published: 6802
        protocol: tcp
        mode: host
    secrets:
      - search_credentials
    networks:
      - localnet
For comparison …
Running “PS C:\independence> docker exec -it 8528f64a022e cmd.exe”:
C:\service>type C:\ProgramData\Docker\secrets\search_credentials
Access is denied.
Running “PS C:\independence> docker exec -it --user ContainerAdministrator 8528f64a022e cmd.exe”:
C:\service>type C:\ProgramData\Docker\secrets\search_credentials
{"ApplicationID": "XXXX", "ApiKey": "YYYY"}
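An added example, not part of the original post: a startup-time loader for the secret file shown above that fails closed and tells the "Access is denied." case apart from a secret that is not attached or is malformed, without ever putting the key into an error message or log line. The post does not say what language the service is written in, so Python is an assumption, and `load_search_credentials`, `SecretError` and `SearchCredentials` are hypothetical names.

```python
import json
from dataclasses import dataclass

# Path and JSON field names are the ones shown in the post.
SECRET_PATH = r"C:\ProgramData\Docker\secrets\search_credentials"
REQUIRED_FIELDS = ("ApplicationID", "ApiKey")


class SecretError(Exception):
    """Carries a reason code; the message never contains secret content."""
    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


@dataclass(frozen=True, repr=False)
class SearchCredentials:
    application_id: str
    api_key: str

    def __repr__(self):  # keep the key out of logs and tracebacks
        return f"SearchCredentials(application_id={self.application_id!r}, api_key=<redacted>)"


def load_search_credentials(path=SECRET_PATH, opener=open):
    """Read and validate the secret file; `opener` is injectable for tests."""
    try:
        with opener(path, "r", encoding="utf-8-sig") as fh:  # tolerate a BOM
            raw = fh.read()
    except PermissionError:
        # The "Access is denied." case from the post: the process user is
        # neither an administrator nor SYSTEM inside the Windows container.
        raise SecretError("access_denied", f"{path} is not readable by this user") from None
    except FileNotFoundError:
        raise SecretError("not_mounted", f"{path} does not exist; is the secret attached?") from None
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:  # `from None` drops the exception holding the raw text
        raise SecretError("malformed", "secret is not valid JSON") from None
    if not isinstance(data, dict):
        raise SecretError("malformed", "secret is not a JSON object")
    missing = [k for k in REQUIRED_FIELDS if not isinstance(data.get(k), str) or not data[k]]
    if missing:
        raise SecretError("incomplete", "missing fields: " + ", ".join(missing))
    return SearchCredentials(data["ApplicationID"], data["ApiKey"])
```

Logging `SecretError.reason` at startup makes the permission problem visible in `docker service logs` instead of surfacing later as a failed search call.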