Docker-py and build secret mounts, how to handle?

Mounting secrets is done by BuildKit, which doesn’t seem to be supported by docker-py:

A little explanation of why I think it is not supported:

The legacy builder without buildkit just ran simple Docker containers for each instruction in the Dockerfile. Buildkit does not run Docker containers. As far as I know it runs containers directly with the low level container runtime called runc. So it is not something you would easily handle through the Docker API to which you connect with the Python SDK for Docker.

So when you got the error message when calling client.secrets.create, it was from the Docker API. 503 Server error is just a standard HTTP server error code and message. It doesn’t mean there is an additional server where the secrets are stored. You just manage secrets through the Docker API.

Secrets are supported by Docker Swarm, and there is some support for secrets in Docker Compose as well, but they are probably not manageable through the Docker API without Swarm mode.

When you mount a secret using buildkit - and this is the point where I’m guessing - buildkit could mount the additional file into the root filesystem used by runc. At least this is how I imagine it.
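One way to handle the original question, as an added example that is not from this thread: since docker-py's image build call has no build-secret parameter (as the answer above says), the helper shells out to the docker CLI with `--secret`, after checking that the Dockerfile only references secrets through `RUN --mount=type=secret` and never as `ARG`/`ENV`, which would persist in the image history. Assumptions: the docker CLI with BuildKit is installed, secret ids are written explicitly in the Dockerfile, and the context path, tag and secret names are placeholders.

```python
import os
import re
import subprocess
from pathlib import Path

# BuildKit secret mount syntax inside RUN, e.g.
#   RUN --mount=type=secret,id=pip_conf,target=/etc/pip.conf pip install .
# Only explicit "id=" is recognised here (an assumption of this example).
SECRET_MOUNT = re.compile(r"--mount=type=secret\b[^\s]*?\bid=([A-Za-z0-9_.-]+)")

# Constructed sample Dockerfile used by the demo and tests.
SAMPLE_DOCKERFILE = (
    "FROM python:3.12\n"
    "ARG VERSION=1\n"
    "RUN --mount=type=secret,id=pip_conf,target=/etc/pip.conf pip install .\n"
)


def secret_ids(dockerfile_text: str) -> set[str]:
    """Secret ids the Dockerfile expects via RUN --mount=type=secret."""
    return set(SECRET_MOUNT.findall(dockerfile_text))


def leaked_secret_args(dockerfile_text: str, secrets: dict[str, str]) -> list[str]:
    """Lines that pass a secret as ARG/ENV: those values stay in layer metadata."""
    names = {s.lower() for s in secrets}
    leaks = []
    for line in dockerfile_text.splitlines():
        m = re.match(r"\s*(ARG|ENV)\s+([A-Za-z_][A-Za-z0-9_]*)", line)
        if m and m.group(2).lower() in names:
            leaks.append(line.strip())
    return leaks


def build_argv(context: str, tag: str, secrets: dict[str, str]) -> list[str]:
    """docker CLI argv with one --secret id=<id>,src=<file> per secret."""
    argv = ["docker", "build", "--tag", tag]
    for sid, path in sorted(secrets.items()):
        argv += ["--secret", f"id={sid},src={path}"]
    return argv + [context]


def build_with_secrets(context: str, tag: str, secrets: dict[str, str]) -> list[str]:
    """Validate the Dockerfile, then run the CLI build with BuildKit enabled."""
    text = Path(context, "Dockerfile").read_text()
    missing = secret_ids(text) - secrets.keys()
    if missing:
        raise ValueError(f"Dockerfile mounts secrets not supplied: {sorted(missing)}")
    leaks = leaked_secret_args(text, secrets)
    if leaks:
        raise ValueError(f"secret passed as ARG/ENV, would persist in image: {leaks}")
    argv = build_argv(context, tag, secrets)
    subprocess.run(argv, check=True, env={**os.environ, "DOCKER_BUILDKIT": "1"})
    return argv
```

The secret file is only mounted into the RUN step's filesystem and never written to a layer, so `docker history` of the resulting image shows no trace of it.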