Build an image with password secret

Hello,

I created an image to run a PowerShell script for VMware.
I need to provide a password to this script. After reading, I arrived at this setup:

Dockerfile:

# Use the PowerCLI base image

FROM vmware/powerclicore

RUN mkdir -p /home/pwsh

COPY script.ps1 /home/pwsh/

WORKDIR /home/pwsh

RUN --mount=type=secret,id=vcsa

CMD [ "/usr/bin/pwsh", "/home/pwsh/script.ps1"]

Build the image:

DOCKER_BUILDKIT=1 docker build -t imagename . --secret id=vcsa,src=./secret

The source file secret contains my password.
But after starting the image, it doesn't have access to /run/secrets/<id>.

Any idea what I am missing?

thanks

It does exactly what the documentation says it does: https://docs.docker.com/reference/dockerfile/#run---mounttypesecret

This mount type allows the build container to access secure files such as private keys without baking them into the image.

The mount of the secret is scoped to the RUN instruction and is not available when the RUN instruction ends. Thus, you don’t even use the secret.

Note: secrets do not belong into images, even more so if they will be published to a public container image registry.

Hello,

Thank you. So how can I pass this secret to my script during the build? I'm a bit confused.

Thanks

Something is missing… You already pass the secrets into your Dockerfile, and can already use it within the RUN instruction - but the thing is that you don’t do anything with it. The CMD is not(!) executed during image build, it is executed during container start.

FROM vmware/powerclicore

COPY script.ps1 /home/pwsh/
WORKDIR /home/pwsh

# The secret is mounted at /tmp/mysecret only while this RUN instruction executes;
# it is not written to any image layer.
RUN --mount=type=secret,id=vcsa,target=/tmp/mysecret \
    pwsh ./script.ps1

Like this, the script.ps1 could access the file /tmp/mysecret (which has the content of your secret) during build time.
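To show what a script.ps1 consuming that build-time mount can look like, here is an added example that is not from the original thread or from the PowerCLI project. It assumes the target path /tmp/mysecret from the Dockerfile above; the vCenter server name and the user name are placeholder assumptions.

```powershell
# Added example script.ps1: read the BuildKit secret mounted for this RUN only,
# fail the build if it is missing, and never write the plaintext into a layer or log.
param(
    [string]$SecretPath = '/tmp/mysecret',             # target= from the RUN --mount
    [string]$Server     = 'vcsa.example.internal',     # assumption, replace with yours
    [string]$User       = 'administrator@vsphere.local' # assumption, replace with yours
)

# If the build was started without --secret id=vcsa,src=..., the mount is absent.
# Failing here is better than silently building an image that cannot authenticate.
if (-not (Test-Path -LiteralPath $SecretPath)) {
    Write-Error "Secret file '$SecretPath' not found. Was the build run with --secret id=vcsa,src=<file>?"
    exit 1
}

# Read the whole file as one string and strip the trailing newline most editors add,
# otherwise the password sent to vCenter would end with "\n" and be rejected.
$plain  = (Get-Content -LiteralPath $SecretPath -Raw).TrimEnd("`r", "`n")
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($User, $secure)

# Drop the plaintext copy as soon as the credential object exists.
Remove-Variable -Name plain

# Log only what is needed to debug the build; the password itself is never echoed.
Write-Host "Connecting to $Server as $User"
Connect-VIServer -Server $Server -Credential $cred | Out-Null

# ... PowerCLI work that needs the session goes here ...

Disconnect-VIServer -Server $Server -Confirm:$false
```

Because the secret file exists only for the duration of that RUN instruction, the password is not persisted in any layer; `docker history` on the resulting image shows the RUN line but not the secret's content.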