Version 3.1 of the docker-compose.yml specification introduces support for secrets.
I tried this:
version: '3.1'
services:
a:
image: tutum/hello-world
secret:
password: the_password
b:
image: tutum/hello-world
$ docker-compose up
returns:
Unsupported config option for services.secret: 'password'
How can we use the secrets feature in practice?
Defining Secrets in Compose Files The secret's value will be read from your working directory's db_password. txt file when you run docker-compose up . Compose will mount the file to /run/secrets/db_password within the container. Your app can access the database password by reading the contents of the secret file.
When you grant a newly-created or running service access to a secret, the decrypted secret is mounted into the container in an in-memory filesystem. The location of the mount point within the container defaults to /run/secrets/<secret_name> in Linux containers, or C:\ProgramData\Docker\secrets in Windows containers.
Yes, you can use secrets if you use a compose file. (You don't need to run a swarm). You use a compose file with docker-compose: there is documentation for "secrets" in a docker-compose. yml file.
You can read the corresponding section from the official documentation.
To use secrets you need to add two things into your docker-compose.yml
file. First, a top-level secrets:
block that defines all of the secrets. Then, another secrets:
block under each service that specifies which secrets the service should receive.
As an example, create the two types of secrets that Docker will understand: external secrets and file secrets.
docker secret create
First thing: to use secrets with Docker, the node you are on must be part of a swarm.
$ docker swarm init
Next, create an 'external' secret:
$ echo "This is an external secret" | docker secret create my_external_secret -
(Make sure to include the final dash, -
. It's easy to miss.)
$ echo "This is a file secret." > my_file_secret.txt
docker-compose.yml
file that uses both secretsNow that both types of secrets are created, here is the docker-compose.yml
file that will read both of those and write them to the web
service:
version: '3.1'
services:
web:
image: nginxdemos/hello
secrets: # secrets block only for 'web' service
- my_external_secret
- my_file_secret
secrets: # top level secrets block
my_external_secret:
external: true
my_file_secret:
file: my_file_secret.txt
Docker can read secrets either from its own database (e.g. secrets made with docker secret create
) or from a file. The above shows both examples.
Deploy the stack using:
$ docker stack deploy --compose-file=docker-compose.yml secret_test
This will create one instance of the web
service, named secret_test_web
.
Use docker exec -ti [container] /bin/sh
to verify that the secrets exist.
(Note: in the below docker exec
command, the m2jgac...
portion will be different on your machine. Run docker ps
to find your container name.)
$ docker exec -ti secret_test_web.1.m2jgacogzsiaqhgq1z0yrwekd /bin/sh
# Now inside secret_test_web; secrets are contained in /run/secrets/
root@secret_test_web:~$ cd /run/secrets/
root@secret_test_web:/run/secrets$ ls
my_external_secret my_file_secret
root@secret_test_web:/run/secrets$ cat my_external_secret
This is an external secret
root@secret_test_web:/run/secrets$ cat my_file_secret
This is a file secret.
If all is well, the two secrets we created in steps 1 and 2 should be inside the web
container that was created when we deployed our stack.
Given you have a service myapp
and a secrets file secrets.yml
:
Create a compose file:
version: '3.1'
services:
myapp:
build: .
secrets:
secrets_yaml
Provision a secret using this command:
docker secret create secrets_yaml secrets.yml
Deploy your service using this command:
docker deploy --compose-file docker-compose.yml myappstack
Now your app can access the secret file at /run/secrets/secrets_yaml
. You can either hardcode this path in your application or create a symbolic link.
The different question
This answer is probably to the question "how do you provision your secrets to your docker swarm cluster".
The original question "how do you manage secret values with docker compose" implies that the docker-compose file contains secret values. It doesn't.
There's a different question: "Where do you store the canonical source of the secrets.yml
file". This is up to you. You can store it in your head, print on a sheet of paper, use a password manager, use a dedicated secrets application/database. Heck, you can even use a git repository if it's safely secured itself. Of course, never store it inside the system you're securing with it :)
I would recommend vault. To store a secret:
# create a temporary secret file
cat secrets.yml | vault write secret/myappsecrets -
To retrieve a secret and put it into your docker swarm:
vault read -field=value secret/myappsecrets | docker secret create secrets_yaml -
Of course, you can use docker cluster itself as a single source of truth for you secrets, but if your docker cluster breaks, you'd lost your secrets. So make sure to have a backup elsewhere.
The question nobody asked
The third question (that nobody asked) is how to provision secrets to developers' machines. It might be needed when there's an external service which is impossible to mock locally or a large database which is impossible to copy.
Again, docker has nothing to do with it (yet). It doesn't have access control lists which specify which developers have access to which secrets. Nor does it have any authentication mechanism.
The ideal solution appears to be this:
docker secret create
commands and executes them in the terminal.We have yet to see if such an application pops up.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With