Using secret multiple times in a Dockerfile is a nuisance

The basic idea of secrets is great - thanks! - but they can be a nuisance:

I have many RUN steps in my Dockerfile that all need the same secret. Instead of declaring one ARG at the top of the Dockerfile, I now have to repeat the secret all over the place, making for some pretty distracting noise. See excerpt below.

Also, b/c of this, the --progress=tty option to docker build becomes unusable - unless I have an absolutely gigantic terminal width, the actual command for the RUN steps will be truncated from docker build's output, and the available width will be used up by the relatively unimportant flags dealing with the secret setup. (--progress=plain is so verbose in my case that it's equally unusable.)

Docker bake is not an option, and combining the steps into one RUN command via the shell && operator is not a clean solution IMO.


RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \
    step1
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \
    step2
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \
    step3
...

You don't have to use &&. Even official images use shell options like this:

It still uses backslashes, but you can avoid those if using the heredoc syntax

https://docs.docker.com/reference/dockerfile/#here-documents

# syntax=docker/dockerfile:1
FROM debian
RUN <<EOT bash
  set -ex
  apt-get update
  apt-get install -y vim
EOT

Regarding progress formats, I understand the problem and a more compact format could be a feature request, but I wrote a script that shows only the logs. It is based on the "rawjson" output format.

docker buildx build --secret id=aws,src=test.txt . -t localhost/test \
  --progress rawjson --no-cache &>/dev/stdout \
  | jq -r '.logs | select(. != null) | .[].data' \
  | base64 -d

You could use something like this, and with a more complex jq filter you could also include other metadata if needed. It is just for demonstrating the rawjson format. Here is my output:

Collecting awscli
  Downloading awscli-1.42.28-py3-none-any.whl.metadata (11 kB)
Collecting botocore==1.40.28 (from awscli)
  Downloading botocore-1.40.28-py3-none-any.whl.metadata (5.7 kB)
Collecting docutils<=0.19,>=0.18.1 (from awscli)
  Downloading docutils-0.19-py3-none-any.whl.metadata (2.7 kB)
Collecting s3transfer<0.15.0,>=0.14.0 (from awscli)
  Downloading s3transfer-0.14.0-py3-none-any.whl.metadata (1.7 kB)
Collecting PyYAML<6.1,>=3.10 (from awscli)
  Downloading PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.metadata (2.1 kB)
Collecting colorama<0.4.7,>=0.2.5 (from awscli)
  Downloading colorama-0.4.6-py2.py3-none-any.whl.metadata (17 kB)
Collecting rsa<4.8,>=3.1.2 (from awscli)
  Downloading rsa-4.7.2-py3-none-any.whl.metadata (3.6 kB)
Collecting jmespath<2.0.0,>=0.7.1 (from botocore==1.40.28->awscli)
  Downloading jmespath-1.0.1-py3-none-any.whl.metadata (7.6 kB)
Collecting python-dateutil<3.0.0,>=2.1 (from botocore==1.40.28->awscli)
  Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl.metadata (8.4 kB)
Collecting urllib3!=2.2.0,<3,>=1.25.4 (from botocore==1.40.28->awscli)
  Downloading urllib3-2.5.0-py3-none-any.whl.metadata (6.5 kB)
Collecting six>=1.5 (from python-dateutil<3.0.0,>=2.1->botocore==1.40.28->awscli)
  Downloading six-1.17.0-py2.py3-none-any.whl.metadata (1.7 kB)
Collecting pyasn1>=0.1.3 (from rsa<4.8,>=3.1.2->awscli)
  Downloading pyasn1-0.6.1-py3-none-any.whl.metadata (8.4 kB)
Downloading awscli-1.42.28-py3-none-any.whl (4.7 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.7/4.7 MB 30.1 MB/s  0:00:00
Downloading botocore-1.40.28-py3-none-any.whl (14.0 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 14.0/14.0 MB 55.9 MB/s  0:00:00
Downloading colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Downloading docutils-0.19-py3-none-any.whl (570 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 570.5/570.5 kB 39.6 MB/s  0:00:00
Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl (229 kB)
Downloading PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (733 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 733.4/733.4 kB 60.3 MB/s  0:00:00
Downloading rsa-4.7.2-py3-none-any.whl (34 kB)
Downloading s3transfer-0.14.0-py3-none-any.whl (85 kB)
Downloading urllib3-2.5.0-py3-none-any.whl (129 kB)
Downloading pyasn1-0.6.1-py3-none-any.whl (83 kB)
Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)
Installing collected packages: urllib3, six, PyYAML, pyasn1, jmespath, docutils, colorama, rsa, python-dateutil, botocore, s3transfer, awscli

Successfully installed PyYAML-6.0.2 awscli-1.42.28 botocore-1.40.28 colorama-0.4.6 docutils-0.19 jmespath-1.0.1 pyasn1-0.6.1 python-dateutil-2.9.0.post0 rsa-4.7.2 s3transfer-0.14.0 six-1.17.0 urllib3-2.5.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
NOthing

If you want to ask for a feature, you can do it in the roadmap.
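An added example (my own script, not the one posted above and not anything from Docker) of the "more complex filter" idea in Python instead of jq: it reads the rawjson stream, keeps the step name for each vertex so the logs are grouped under the RUN line they belong to, and masks any build-secret value that a step accidentally echoed into its output before the log is archived. The record field names (vertexes, logs, vertex, stream, data) are what I understand BuildKit's SolveStatus JSON to use; verify them against your buildx version. The sample records, digests and key value below are constructed.

```python
#!/usr/bin/env python3
"""Turn `docker buildx build --progress=rawjson` output into readable per-step
logs, and mask any build-secret value that a step echoed into them."""
import base64
import json
import sys
from collections import OrderedDict

# Constructed sample of three rawjson status records, shaped like the
# SolveStatus objects buildx emits (field names "vertexes", "logs", "vertex",
# "stream", "data" are an assumption; check them against your buildx version).
# The digests and the key value are fake.
_FAKE_KEY = "AKIAEXAMPLEFAKEKEY"
SAMPLE_RAWJSON = "\n".join(json.dumps(rec) for rec in [
    {"vertexes": [{"digest": "sha256:aaa", "name": "[1/2] FROM debian"}]},
    {"vertexes": [{"digest": "sha256:bbb",
                   "name": "[2/2] RUN --mount=type=secret,id=aws,env=AWS_KEY step1"}]},
    {"logs": [
        {"vertex": "sha256:bbb", "stream": 1,
         "data": base64.b64encode(b"Collecting awscli\n").decode()},
        {"vertex": "sha256:bbb", "stream": 2,
         "data": base64.b64encode(f"AWS_KEY={_FAKE_KEY}\n".encode()).decode()},
    ]},
])


def parse_rawjson(text):
    """Map vertex digest -> {"name": str, "logs": [(stream, bytes), ...]},
    in the order steps first appeared. Blank or non-JSON lines are skipped."""
    steps = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        rec = json.loads(line)
        for v in rec.get("vertexes") or []:
            step = steps.setdefault(v["digest"], {"name": v["digest"], "logs": []})
            if v.get("name"):
                step["name"] = v["name"]
        for entry in rec.get("logs") or []:
            step = steps.setdefault(entry["vertex"], {"name": entry["vertex"], "logs": []})
            step["logs"].append((entry.get("stream", 1), base64.b64decode(entry["data"])))
    return steps


def redact(data, secrets):
    """Replace every occurrence of each secret value in data with '***'.
    Returns (redacted_bytes, number_of_occurrences_found)."""
    hits = 0
    for secret in secrets:
        value = secret.encode() if isinstance(secret, str) else secret
        value = value.strip()
        if value and value in data:
            hits += data.count(value)
            data = data.replace(value, b"***")
    return data, hits


def render(steps, secrets=()):
    """Render logs grouped under their step name. Returns (text, leaks), where
    leaks counts secret occurrences that were masked; a non-zero value means a
    step wrote a build secret to its output and the CI log needs attention."""
    lines, leaks = [], 0
    for step in steps.values():
        if not step["logs"]:
            continue
        lines.append(f"==> {step['name']}")
        for stream, chunk in step["logs"]:
            chunk, hits = redact(chunk, secrets)
            leaks += hits
            tag = "[stderr] " if stream == 2 else ""
            for text_line in chunk.decode("utf-8", "replace").splitlines():
                lines.append(f"    {tag}{text_line}")
    return "\n".join(lines), leaks


if __name__ == "__main__":
    # Usage: docker buildx build ... --progress rawjson 2>&1 | python3 rawjson_logs.py [secret-file ...]
    # Each argument is a file whose contents were passed to the build with --secret src=...
    secret_values = [open(path, "rb").read() for path in sys.argv[1:]]
    text, leaks = render(parse_rawjson(sys.stdin.read()), secret_values)
    print(text)
    if leaks:
        print(f"!! masked {leaks} occurrence(s) of a build secret in the logs", file=sys.stderr)
        sys.exit(1)
```

Steps that produced no output are skipped, so a build with many cached steps stays compact. The non-zero exit when a secret value shows up in the decoded logs is deliberate: a RUN step that prints an env-mounted secret puts it into whatever CI system stores the build log, and that is worth failing the pipeline over.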

Thanks for the feedback. I should’ve been more specific - it’s not just the shell && operator but any sort of combining multiple steps into one RUN command is not a good option for us. Doing this would a) ruin intermediate layer caching and b) make parallelization (multi-stage) difficult/impossible. We’re building different software packages in all the various RUN steps - so both those features are important.
I've requested a feature as you mentioned, let's see what becomes of it. I'll try out the json log parsing if we get too drowned in the output from --progress=plain - thanks.

Thank you for creating the feature request. I'm sharing the link here so anyone who would like to join the conversation there can find it easily.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.