Hi, I’m using a simple docker host setup (no swarm etc. involved) and I have the need to pass secrets to my docker build
command so they can be used inside a “RUN” command. I’m following this guide: https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information
I do have the DOCKER_BUILDKIT flag set and the experimental Dockerfile syntax is also enabled.
The build call looks like
docker build --secret id=USERNAME,src=username.txt --secret id=PASSWORD,src=password.txt .
The first lines of my Dockerfile are running as user root and the secrets are available there:
RUN --mount=type=secret,id=USERNAME --mount=type=secret,id=PASSWORD \
echo "The following secrets are available:" && \
ls -lha /run/secrets/ && \
echo -n "Username: " && cat /run/secrets/USERNAME
However, later steps (including downloading software and reacting login tokens for them) are being run as another user. For them, the secret files are not readable (since their permissions are -r-------- 1 root root). I’ve also tried running chown or chmod on them (when still running as root). That fails, because of read-only file system.
Copying the content to somewhere else (as root) or saving it in an ENV var makes the secret mechanism pointless.
Is there a way to allow non-root users to read the content of those files?
I’d be happy for a solution
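As an added example that is not part of the original post: BuildKit's secret mount accepts uid, gid and mode options, so the secret file can be created already owned by the unprivileged build user instead of root, and no chown/chmod on the read-only mount is needed. The base image, the builder user and uid/gid 1000 are assumptions made for this example; the secret ids match the build command quoted above (DOCKER_BUILDKIT=1 docker build --secret id=USERNAME,src=username.txt --secret id=PASSWORD,src=password.txt .). The syntax directive shown is the current stable one; older Docker releases used docker/dockerfile:experimental instead.

```dockerfile
# syntax=docker/dockerfile:1
FROM debian:bookworm-slim

# Root-owned step: with no mount options the secret is created as
# mode 0400, owner uid 0, so only root can read it.
RUN --mount=type=secret,id=USERNAME \
    --mount=type=secret,id=PASSWORD \
    ls -l /run/secrets/ && \
    echo -n "Username: " && cat /run/secrets/USERNAME

# Unprivileged build user (name and uid/gid are assumptions for this example).
RUN groupadd --gid 1000 builder && \
    useradd --uid 1000 --gid 1000 --create-home builder
USER builder

# Same secret, but BuildKit creates the file owned by uid/gid 1000 when
# it sets up the mount, so the non-root step can read it directly.
# required=true makes the build fail early if --secret id=PASSWORD was
# not passed, instead of failing later on a missing file.
RUN --mount=type=secret,id=PASSWORD,uid=1000,gid=1000,mode=0400,required=true \
    test "$(id -u)" = "1000" && \
    ls -l /run/secrets/PASSWORD && \
    TOKEN="$(cat /run/secrets/PASSWORD)" && \
    echo "token length: ${#TOKEN}"
# TOKEN exists only inside that RUN shell: it is never written to a
# layer, an ENV, or the image history, which is the point of the mount.
```

The mount is still a read-only tmpfs that exists only for the duration of that RUN step; the only thing the options change is the ownership and mode BuildKit assigns to the file, so each non-root step that needs a secret declares its own --mount with matching uid/gid rather than expecting an earlier root step to fix permissions.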