
Secrets passed to "docker build" (using Buildkit) are only accessible to root user

Hi, I’m using a simple docker host setup (no swarm etc. involved) and I have the need to pass secrets to my docker build command so they can be used inside a “RUN” command. I’m following this guide: https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information

I do have the DOCKER_BUILDKIT flag set and the experimental Dockerfile syntax is also enabled.

The build call looks like

docker build --secret id=USERNAME,src=username.txt --secret id=PASSWORD,src=password.txt .

The first lines of my Dockerfile are running as user root and the secrets are available there:

RUN --mount=type=secret,id=USERNAME --mount=type=secret,id=PASSWORD \
	echo "The following secrets are available:" && \
	ls -lha /run/secrets/ && \
	echo -n "Username: " && cat /run/secrets/USERNAME

However, later steps (including downloading software and reacting login tokens for them) are being run as another user. For them, the secret files are not readable (since their permissions are -r-------- 1 root root). I’ve also tried running chown or chmod on them (when still running as root). That fails because of the read-only file system.
Copying the content to somewhere else (as root) or saving in an ENV var makes the secret-mechanism pointless.
Is there a way to allow non-root users to read the content of those files?
I’d be happy for a solution 🙂

I’m using this approach for now: https://pythonspeed.com/articles/docker-build-secrets/ so I’ve switched back from BuildKit.
It would, however, still be good to have a more or less official statement on this. Thanks 🙂
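As an added example, not part of the original post and not the author's Dockerfile: BuildKit's secret mount accepts `uid`, `gid` and `mode` options that set the owner and permissions of the mounted file for that RUN step only, so a non-root step can read the secret without copying it into a layer or an ENV var. The base image, the `builder` user and its numeric uid 1000 are assumptions made for the example; the secret ids and the build command match the ones in the post.

```dockerfile
# syntax=docker/dockerfile:1
# Build with (BuildKit required, as in the original post):
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=USERNAME,src=username.txt \
#     --secret id=PASSWORD,src=password.txt .
FROM debian:bookworm-slim

# Hypothetical unprivileged build user; name and uid are assumptions.
RUN useradd --uid 1000 --create-home builder

# Default mount: file is root:root mode 0400, so this works only as root.
RUN --mount=type=secret,id=USERNAME \
    test -r /run/secrets/USERNAME

USER builder

# For a non-root step, set uid/gid (numeric) and mode on the mount itself.
# The tmpfs under /run/secrets is read-only, so chown/chmod inside the RUN
# would still fail; the options below are applied when the mount is created.
# mode=0400 keeps the file read-only for that user. Nothing is written to a
# layer, and the files disappear when this RUN step ends.
RUN --mount=type=secret,id=USERNAME,uid=1000,gid=1000,mode=0400 \
    --mount=type=secret,id=PASSWORD,uid=1000,gid=1000,mode=0400 \
    test "$(stat -c '%u:%g %a' /run/secrets/PASSWORD)" = "1000:1000 400" && \
    test -r /run/secrets/USERNAME && test -r /run/secrets/PASSWORD && \
    echo "secrets readable as $(id -un); use them here, e.g. to log in to a registry"
```

The `stat` check is there so the build fails loudly if the mount options are ignored (for example when the build runs without BuildKit and the `--mount` flag is dropped), rather than silently falling back to an unreadable root-owned file. The original post's workaround of copying the file elsewhere or exporting it as an ENV var is exactly what these options avoid, since either of those would persist the credential in the image.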