Access secret from application in Windows container

Actual context is Docker Enterprise running on Windows Server 2019. I don’t see a consistent answer for this in the Docker documentation or in the forums.

I need to pass an application key to a microservice running in a Windows container. The container was based on Windows nano (so no PowerShell). The logical solution would be to use Docker secrets … except that the application can’t read the secret. I can only read the secret if I use “docker exec -it --user ContainerAdministrator 8528f64a022e cmd.exe”; then “type C:\ProgramData\Docker\secrets\search_credentials” prints the contents.

The core of the issue appears to be this from Manage sensitive data with Docker secrets - Windows Support:

When creating a service which uses Windows containers, the options to specify UID, GID, and mode are not supported for secrets. Secrets are currently only accessible by administrators and users with system access within the container.

Is it true that my application cannot access the contents of the secret without running with elevated permissions?

Expected behavior

The application can read the contents of C:\ProgramData\Docker\secrets\search_credentials.

Actual behavior

The application cannot read the contents.

Information

  • the output of:
    • DockerDebugInfo.ps1 using PowerShell on Windows
PS C:\independence> DockerDebugInfo.ps1
DockerDebugInfo.ps1 : The term 'DockerDebugInfo.ps1' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ DockerDebugInfo.ps1
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (DockerDebugInfo.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Perhaps more helpful:

PS C:\independence> docker version
Client: Docker Engine - Enterprise
 Version:           18.09.8
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        90e30bdf98
 Built:             07/16/2019 17:13:22
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          18.09.8
  API version:      1.39 (minimum version 1.24)
  Go version:       go1.10.8
  Git commit:       90e30bdf98
  Built:            07/16/2019 17:11:04
  OS/Arch:          windows/amd64
  Experimental:     false

Extracts from docker-compose.yml:

version: "3.3"
networks:
  localnet:
secrets:
  search_credentials:
    external: true
services:
  myservice:
    image: my_service
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
    environment:
      SEARCH_INDEX_ALPHA: index_alpha
    ports:
      - target: 6802
        published: 6802
        protocol: tcp
        mode: host
    secrets:
      - search_credentials
    networks:
      - localnet

For comparison …

Running PS C:\independence> docker exec -it 8528f64a022e cmd.exe:

C:\service>type C:\ProgramData\Docker\secrets\search_credentials
Access is denied.

Running PS C:\independence> docker exec -it --user ContainerAdministrator 8528f64a022e cmd.exe:

C:\service>type C:\ProgramData\Docker\secrets\search_credentials
{"ApplicationID": "XXXX", "ApiKey": "YYYY"}
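As an added example (not the poster's code), this is how a service could load the mounted secret described above so that the "Access is denied" case is reported as a clear permission failure rather than a generic crash, and so the API key is never written to logs. It assumes the JSON shape shown in the post and the default mount directory (C:\ProgramData\Docker\secrets on Windows, /run/secrets elsewhere), overridable for testing.

```python
"""Load a Docker secret from its mount point, distinguishing 'not mounted'
from 'access denied', and never expose the key in diagnostics."""
import json
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Assumption: default Docker secret mount directories per platform.
SECRET_DIRS = {
    "win32": Path(r"C:\ProgramData\Docker\secrets"),
    "default": Path("/run/secrets"),
}


@dataclass(frozen=True)
class SearchCredentials:
    application_id: str
    api_key: str

    def redacted(self) -> str:
        """Log-safe form: only the last 4 chars of a long key are shown."""
        tail = self.api_key[-4:] if len(self.api_key) > 8 else ""
        return f"SearchCredentials(application_id={self.application_id!r}, api_key=...{tail})"


class SecretError(RuntimeError):
    """Operator-facing failure: the secret is unusable for the stated reason."""


def secret_path(name: str, base_dir: Optional[Path] = None) -> Path:
    base = base_dir or SECRET_DIRS.get(sys.platform, SECRET_DIRS["default"])
    return base / name


def load_search_credentials(name: str = "search_credentials",
                            base_dir: Optional[Path] = None) -> SearchCredentials:
    path = secret_path(name, base_dir)
    try:
        raw = path.read_text(encoding="utf-8")
    except FileNotFoundError as exc:
        raise SecretError(f"secret {name!r} is not mounted at {path}; check the service's 'secrets:' entry") from exc
    except PermissionError as exc:
        # The case in the post: the file exists but the service account may not read it.
        raise SecretError(f"secret {name!r} exists at {path} but access is denied to the process user") from exc
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise SecretError(f"secret {name!r} is not valid JSON: {exc.msg}") from exc
    missing = [k for k in ("ApplicationID", "ApiKey") if not data.get(k)]
    if missing:
        raise SecretError(f"secret {name!r} is missing fields: {', '.join(missing)}")
    return SearchCredentials(str(data["ApplicationID"]), str(data["ApiKey"]))
```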