Docker Community Forums

Share and learn in the Docker community.

Use Docker secret value inside docker-compose.yml configuration

We are using Docker swarm to deploy services. We would like to use Docker swarm secrets to store sensitive data (certificate passwords). Is it possible to use Docker secret value inside docker-compose.yml file? Docker client version is 20.10.6, Docker engine version is 19.03.12.

First, we create secret on the host:

printf 'ThisIsCertificatePassword123' | docker secret create CertificatePassword -

docker-compose.yml

version: "3.7"
services:
  web:
    image: myimage:0.0.1
    environment:
      ASPNETCORE_ENVIRONMENT: Production
      ASPNETCORE_URLS: https://+443;http://+80
      ASPNETCORE_HTTPS_PORT: 443
      ASPNETCORE_Kestrel__Certificates__Default__Password: # how can we use value of CertificatePassword here?
      ASPNETCORE_Kestrel__Certificates__Default__Path: /https/certificate.pfx
    deploy:
      replicas: 1

secrets:
  CertificatePassword:
    external: true

We deploy the stack with:

docker stack deploy -c docker-compose.yml MyApplication

How can we use value of Docker secret CertificatePassword inside docker-compose.yml (at ASPNETCORE_Kestrel__Certificates__Default__Password)?

Secrets can be either texts or file content that can be mapped into a file(!) in the container.
Your entrypoint script or your application will need to read the file and make it available wherever it’s needed.

You will need to add a secrets section to your web service, which specifies which secret (must exist in the global secrets section) to map into which file: see Compose file version 3 reference | Docker Documentation

if the target is a full qualified path, it will be mounted there, if it’s just a handle, the file will be mounted in /run/secrets/${whatever you specified as target}. In both cases the file will be mounted via tempfs.