
How to bring credentials into a Docker container during build

I'm wondering whether there are best practices on how to inject credentials into a Docker container during a docker build. In my Dockerfile I need to fetch resources from webservers which require basic authentication and I'm thinking about a proper way on how to bring the credentials into the container without hardcoding them.

What about a .netrc file and using it with curl --netrc ...? But what about security? I do not like the idea of having credentials being saved in a source repository together with my Dockerfile.

Is there for example any way to inject credentials using parameters or environment variables?

Any ideas?

roehrijn asked May 31 '16 18:05


1 Answer

A few new Docker features make this more elegant and secure than it was in the past. The new multi-phase builds let us implement the builder pattern with one Dockerfile. This method puts our credentials into a temporary "builder" container, and then that container builds a fresh container that doesn't hold any secrets.

You have choices for how you get your credentials into your builder container. For example:

  • Use an environment variable: ENV creds=user:pass and curl https://[email protected]
  • Use a build-arg to pass credentials
  • Copy an ssh key into the container: COPY key /root/.ssh/id_rsa
  • Use your operating system's own secure credentials using Credential Helpers

Multi-phase Dockerfile with multiple FROMs:

## Builder
FROM alpine:latest as builder
#
# -- insert credentials here using a method above --
#
RUN apk add --no-cache git
RUN git clone https://github.com/some/website.git /html

## Webserver without credentials
FROM nginx:stable
COPY --from=builder /html /usr/share/nginx/html
xer0x answered Oct 23 '22 13:10
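
An added example, not part of the original question or answer: the build-arg option from the answer combined with the .netrc approach from the question, inside a multi-stage build. The build-arg names FETCH_USER, FETCH_PASS and FETCH_HOST, the host artifacts.example.com and the URL path are assumptions chosen for illustration.

```dockerfile
## Builder: the only stage that ever sees the credentials
FROM alpine:latest AS builder

# Assumed build-arg names, supplied at build time and never committed:
#   docker build --build-arg FETCH_USER="$FETCH_USER" \
#                --build-arg FETCH_PASS="$FETCH_PASS" -t website .
ARG FETCH_USER
ARG FETCH_PASS
# Hypothetical host that requires basic authentication
ARG FETCH_HOST=artifacts.example.com

RUN apk add --no-cache curl

# Write .netrc, fetch, and delete it inside ONE RUN instruction, so the
# file is never committed to a layer of its own. umask 077 keeps the file
# readable only by root while it exists; --fail makes a 401/403 abort the build.
RUN set -eu; \
    umask 077; \
    printf 'machine %s login %s password %s\n' \
        "$FETCH_HOST" "$FETCH_USER" "$FETCH_PASS" > /root/.netrc; \
    mkdir -p /html; \
    curl --fail --silent --show-error --netrc-file /root/.netrc \
        -o /html/index.html "https://$FETCH_HOST/site/index.html"; \
    rm -f /root/.netrc

# Caveat: build-arg values are still recorded in this stage's image metadata
# (visible via `docker history` on the builder image and in the build cache).
# Treat the builder stage as secret: never tag or push it.

## Webserver without credentials
FROM nginx:stable
# ARGs from the builder stage are out of scope here; only the fetched
# files cross the stage boundary.
COPY --from=builder /html /usr/share/nginx/html

# Check after building: the final image's history should show no trace
# of the credentials.
#   docker history --no-trunc website
```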