aph5

Reputation: 791

How to read external secrets when using docker-compose

I wonder how I can pass external secrets into services spawned by docker-compose. I do the following:

I create a new secret:

printf "some secret value goes here" | docker secret create wallet_password -

My docker-compose.yml:

version: "3.4"
services:
  test:
    image: alpine
    command: 'cat /run/secrets/wallet_password'
    secrets:
    - wallet_password

secrets:
  wallet_password:
    external: true

Then I run:

docker-compose -f services/debug/docker-compose.yml up -d --build

and

docker-compose -f services/debug/docker-compose.yml up

I get the following response:

WARNING: Service "test" uses secret "wallet_password" which is external. External secrets are not available to containers created by docker-compose.
WARNING: The Docker Engine you're using is running in swarm mode.

Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.

To deploy your application across the swarm, use `docker stack deploy`.

Starting debug_test_1 ...
Starting debug_test_1 ... done
Attaching to debug_test_1
test_1  | cat: can't open '/run/secrets/wallet_password': No such file or directory

Sooo.... is there any way of passing an external secret into a container spawned by docker-compose?

Upvotes: 15

Views: 19302

Answers (2)

RicHincapie

Reputation: 3973

You need to run a swarm. This is how it goes:

Create a swarm:

docker swarm init

Create your secrets (as many as you need):

docker secret create <secret_name> <path_to_secret_file>
# or pipe the value in on stdin, as in the question:
printf "<secret_value>" | docker secret create <secret_name> -

Check all the available secrets with:

docker secret ls

Now, use the docker-compose as precursor for the service:

docker stack deploy --compose-file <path_to_compose> <stack_name>

Be aware that you'll find your secrets in a plain text file located at /run/secrets/<secret_name>.

Upvotes: 11

BMitch

Reputation: 263637

Nope.

External secrets are not available to containers created by docker-compose.

The error message sums it up pretty nicely. Secrets are a swarm mode feature; the secret is stored inside of the swarm manager engine. That manager does not expose those secrets to externally launched containers. Only swarm services with the secret can run containers with the secret loaded.

You can run a service in swarm mode that extracts the secret since it's just a file inside the container and the application inside the container can simply cat out the file contents. You can also replicate the functionality of secrets in containers started with compose by mounting a file as a volume in the location of the secret. For that, you'd want to have a separate compose file since the volume mount and secret mount would conflict with each other.

Upvotes: 12
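As an added example (not from the answer's author), a separate compose file for plain `docker-compose` that replicates the secret mount the answer describes: the value lives in a local file at an assumed path, `./secrets/wallet_password.txt`, and is bind-mounted read-only at the same path the swarm would have used, so the `cat` command from the question works unchanged. The `secrets:` sections are left out of this file on purpose, since the volume mount and a secret mount at the same path would conflict; the original compose file stays as-is for `docker stack deploy`.

```yaml
# docker-compose.local.yml (assumed file name): compose-only replacement for
# the external secret. Run with:
#   docker-compose -f docker-compose.local.yml up
version: "3.4"
services:
  test:
    image: alpine
    command: 'cat /run/secrets/wallet_password'
    volumes:
      # Assumed local file holding the secret value. Keep it out of version
      # control and readable only by the user running docker-compose
      # (e.g. chmod 600). ":ro" stops the container from modifying it.
      - ./secrets/wallet_password.txt:/run/secrets/wallet_password:ro
```

Unlike a swarm secret, this file sits on the host filesystem in plain text, so anyone who can read the host path can read the value.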
