Consume secret inside dockerfile

Question

Is it possible to access machine environments inside dockerfile? I was thinking passing the SECRET as build ARG, like so:

docker-compose:

version: '3.5'
services:
  service:
    ...
    build:
      ...
      args:
        SECRET: ${SECRET}
    ...

dockerfile:

FROM image
ARG SECRET
RUN script-${SECRET}

Note: the container is build in kubernetes, I can not pass any arguments to the build command or perform any command at all.

Edit 1: It is okay to pass SECRET as ARG because this is not sensitive data. I'm using SECRETS to access micro service data, and I can only store data using secrets. Think of this as machine environment.

Edit 2: This was not a problem with docker but with the infrastructure that I was working with which does not allow any arguments to be passed to the docker build.

Answer 1

The secrets should be used during run time and provided by execution environment.

Also everything that is executing during a container build is written down as layers and available later to anyone who is able to get access to an image. That's why it's hard to consume secrets during the build in a secure way.

In order to address this, Docker recently introduced a special option --secret. To make it work, you will need the following:

1. Set environment variable DOCKER_BUILDKIT=1

2. Use the --secret argument to docker build command

   DOCKER_BUILDKIT=1 docker build --secret id=mysecret,src=mysecret.txt...

3. Add a syntax comment to the very top of your Docker file

   # syntax = docker/dockerfile:1.0-experimental

4. Use the --mount argument to mount the secret for every RUN directive that needs it

RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

Please note that this needs Docker version 18.09 or later.