My Dockerfile (somewhat redacted here) looks like this:
FROM python:3.9.9-slim-bullseye
WORKDIR /tmp
RUN --mount=type=secret,id=token echo "$(cat /run/secrets/token)" >> /tmp/token
COPY entrypoint.sh /
ENTRYPOINT [ "/entrypoint.sh" ]
Now, when I run the following docker build command:
DOCKER_BUILDKIT=1 docker build --progress=plain --secret id=token,src=$TOKEN -f Dockerfile .
in a GitLab job, it fails with the error:
could not parse secrets: [id=token,src=xyz]: failed to stat xyz: stat xyz: no such file or directory
I tried to replace "src" with "env", but I get the following error:
could not parse secrets: [id=token,env=xyz]: unexpected key 'env' in 'env=xyz'
I've tried setting # syntax=docker/dockerfile:1.2 at the top of the Dockerfile, but still no luck. The exact same command works on my workstation; it's only on GitLab that it isn't working.
Not sure what I'm missing here.
The documentation for --secret is not very clear for using environment variables. Especially when using PowerShell on Windows and/or not mapping the secret name to the environment variable key, it can be surprising (but ultimately convenient) that this works in a cross-platform way rather than with native environment variable expansion.
The correct full syntax is docker build --secret id={id used in Dockerfile},env={key of environment variable}.
For example, if you have the environment variable key-value pair:
HELLO=world
and you reference this as a secret named greeting:
RUN --mount=type=secret,id=greeting \
GREETING=$(cat /run/secrets/greeting) echo "${GREETING:?}"
The correct Docker invocation would be:
docker build --secret id=greeting,env=HELLO
This will keep the environment variable access inside the Docker process rather than interpolating it into the shell commands, which may be a leak vector if your shell is capturing and logging all of the IO.
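The following is an added example, not code from the question or the answer above. It wraps the env-sourced secret invocation in a small POSIX sh script: one function composes the --secret flag and refuses to build when the named variable is unset (otherwise the build silently runs with an empty secret file), and one function scans `docker history --no-trunc` output for the literal secret value, which is the check that catches the ARG/--build-arg anti-pattern the answer warns about. The id greeting and variable HELLO come from the answer; the function names and the image tag are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: secret id "greeting",
# environment variable HELLO (both taken from the answer), hypothetical
# function names and image tag.

# secret_flag ID VAR: print "id=ID,env=VAR" for docker build --secret.
# Returns non-zero when VAR is unset or empty, so a missing CI variable
# fails the job early instead of producing an empty /run/secrets/ID file.
# VAR must also be exported, or the docker process will not see it.
secret_flag() {
  id="$1"; var="$2"
  # indirect expansion in POSIX sh; VAR is a literal name chosen by the caller
  eval "val=\${$var:-}"
  if [ -z "$val" ]; then
    echo "secret_flag: environment variable $var is unset or empty" >&2
    return 1
  fi
  printf 'id=%s,env=%s\n' "$id" "$var"
}

# build_with_secret TAG ID VAR: BuildKit build with the secret sourced from
# the environment, never from a file on disk. Requires docker; not exercised
# by the offline checks below.
build_with_secret() {
  tag="$1"; id="$2"; var="$3"
  flag=$(secret_flag "$id" "$var") || return 1
  DOCKER_BUILDKIT=1 docker build --progress=plain --secret "$flag" -t "$tag" .
}

# secret_in_text SECRET: read text on stdin (for example the output of
# `docker history --no-trunc IMAGE`) and return 0 if the literal secret
# value appears anywhere in it, 1 otherwise. A value passed via
# --build-arg/ARG lands in the layer metadata; a --mount=type=secret file
# does not, so a clean history is the expected result for the secret mount.
secret_in_text() {
  grep -qF -- "$1"
}

# check_image TAG SECRET: run the scan against a built image. Requires docker.
check_image() {
  if docker history --no-trunc "$1" | secret_in_text "$2"; then
    echo "LEAK: secret value found in image history of $1" >&2
    return 1
  fi
  echo "ok: secret value not present in image history of $1"
}

# Typical CI usage (needs docker and an exported HELLO):
#   build_with_secret myapp:ci greeting HELLO && check_image myapp:ci "$HELLO"
```

Note that the history scan only covers layer metadata (build args, RUN command lines). A secret that a RUN step copies into the filesystem, as the `>> /tmp/token` line in the question does, is stored in the layer contents and will not show up in `docker history`; the secret mount is only safe when the value is consumed within the RUN step and never written to a path that remains in the image.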