Docker Community Forums

Does the file with my build secrets that's passed into build (via Buildkit's new --secret flag) need to be in the build context?

Can I have my secrets file anywhere locally, or does the secrets file need to be in the Build context to be used with Buildkit’s new --secret flag? Can’t find this documented online.

AFAIK, passing the secret was introduced to not require the (secret) file in the context.

You might want to take a look at this blog post: Don’t leak your Docker image’s build secrets

My read of the article is that the secret was introduced to avoid having secrets leaked in the image layers, not to let you access secrets outside of the build context. The article specifies whether /run/secrets/mysecret needs to be part of the build context or not (see screenshot above).

My question is whether the secret file can live outside of the build context or not.
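
An added example, not part of the thread above: a layout with the secret file kept outside the build context, plus a check that refuses to build if the file resolves to a path inside it. It relies on `docker build --secret id=...,src=...` reading `src` from the client's filesystem rather than from the context; the function names, the `RUN_DEMO` switch, and the file paths are hypothetical.

```shell
#!/bin/sh
# Constructed demo layout (hypothetical names):
#   <root>/context/Dockerfile      <- the build context
#   <root>/secrets/mysecret.txt    <- secret file, outside the context

# Exit 0 if file $2 resolves to a path inside directory $1, 1 if not.
# Directory symlinks and ".." are resolved; a symlinked file itself is not.
secret_in_context() (
  ctx=$(cd "$1" && pwd -P) || exit 2
  dir=$(cd "$(dirname "$2")" && pwd -P) || exit 2
  case "$dir/$(basename "$2")" in
    "$ctx"/*) exit 0 ;;
    *) exit 1 ;;
  esac
)

# Write the demo layout under directory $1.
make_demo() {
  mkdir -p "$1/context" "$1/secrets"
  printf 'constructed-token\n' > "$1/secrets/mysecret.txt"
  cat > "$1/context/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine
# The secret is mounted for this RUN step only and is not written to a layer.
RUN --mount=type=secret,id=mysecret wc -c /run/secrets/mysecret
EOF
}

# Build with the secret read from outside the context; refuse if it is inside,
# where a broad COPY could put it into a layer.
build_demo() {
  if secret_in_context "$1/context" "$1/secrets/mysecret.txt"; then
    echo "refusing: secret file is inside the build context" >&2
    return 1
  fi
  DOCKER_BUILDKIT=1 docker build \
    --secret id=mysecret,src="$1/secrets/mysecret.txt" \
    "$1/context"
}

# RUN_DEMO is a hypothetical switch so that sourcing this file builds nothing.
if [ "${RUN_DEMO:-}" = 1 ]; then
  root=$(mktemp -d)
  make_demo "$root"
  build_demo "$root"
fi
```

Run it with `RUN_DEMO=1 sh demo.sh` on a host with Docker and BuildKit available.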