Is there a way to set environment variables from the new docker build enhancements?
Have tried
RUN --mount=type=secret,id=secret export SECRET=`/run/secrets/secret
RUN --mount=type=secret,id=secret ENV SECRET=`/run/secrets/secret
Both don't work. Or is setting secrets in environment variables in a Dockerfile bad, since running docker history shows the env var being set in plain text? If that's the case, what's the best way to set the env var as securely as possible?
ENV values are accessible during the build, and afterwards once the container runs. You can set ENV values in your Dockerfile - either by hardcoding them, or in a dynamic fashion.
To set a variable from a secret, you can use the $(cat /filename) syntax in shell. This affects the shell within that single step, so all of your uses of that variable need to be within the same step. You cannot extract a variable from a RUN step into an ENV step. If you need it to persist to other RUN steps, you would need to write the variable to the filesystem and have it included in the image, which is undesirable (instead just mount the secret a second time in the later RUN step).
Here's a working example, you could also export that secret with export secret_var:
$ cat df.secret
FROM busybox
RUN --mount=type=secret,id=secret \
secret_var="$(cat /run/secrets/secret)" \
&& echo ${secret_var}
$ cat secret.txt
my_secret
$ docker build --progress=plain --secret id=secret,src=$(pwd)/secret.txt -f df.secret .
#1 [internal] load build definition from df.secret
#1 sha256:85a18e77d3e60159b744d6ee3d96908a6fed0bd4f6a46d038e2aa0201a1028de
#1 DONE 0.0s
#1 [internal] load build definition from df.secret
#1 sha256:85a18e77d3e60159b744d6ee3d96908a6fed0bd4f6a46d038e2aa0201a1028de
#1 transferring dockerfile: 152B done
#1 DONE 0.0s
#2 [internal] load .dockerignore
#2 sha256:a5a676bca3eaa2c757a3ae40d8d5d5e91b980822056c5b3b6c5b3169fc65f0f1
#2 transferring context: 49B done
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/library/busybox:latest
#3 sha256:da853382a7535e068feae4d80bdd0ad2567df3d5cd484fd68f919294d091b053
#3 DONE 0.0s
#5 [1/2] FROM docker.io/library/busybox
#5 sha256:08a03f3ffe5fba421a6403c31e153425ced631d108868f30e04985f99d69326e
#5 DONE 0.0s
#4 [2/2] RUN --mount=type=secret,id=secret secret=$(cat /run/secrets/secret) && echo ${secret}
#4 sha256:6ef91a8a7daf012253f58dba292a0bd86af1d1a33a90838b6a99aba5abd4cfaf
#4 0.587 my_secret
#4 DONE 0.7s
#6 exporting to image
#6 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
#6 exporting layers 0.0s done
#6 writing image sha256:a52db3458ad88481406cd60627e2ed6f55b6720c1614f65fa8f453247a9aa4de done
#6 DONE 0.0s
Note the line #4 0.587 my_secret showing the secret was output.
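As an added example (not part of the answer above), here is a small audit script that applies the answer's point: a value read via --mount=type=secret inside one RUN step leaves no trace, while ENV/ARG values and anything copied out of /run/secrets persist in the image and show up in docker history or docker image inspect. The Dockerfiles, the inspect JSON and the secret-name regex are constructed assumptions.

```python
import json
import re

# Assumed heuristic for "secret-looking" names; tune for your own conventions.
SECRET_NAME = re.compile(r"(secret|token|password|passwd|api_?key)", re.I)

def parse_instructions(dockerfile: str) -> list[tuple[str, str]]:
    """Join backslash line continuations and split into (INSTRUCTION, args)."""
    joined = re.sub(r"\\\n\s*", " ", dockerfile)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        out.append((instr.upper(), args.strip()))
    return out

def lint_dockerfile(dockerfile: str) -> list[str]:
    """Report instructions that bake a secret into image config or a layer."""
    findings = []
    for instr, args in parse_instructions(dockerfile):
        if instr in ("ENV", "ARG"):
            key = re.split(r"[= ]", args, 1)[0]
            if SECRET_NAME.search(key):
                findings.append(f"{instr} {key}: persists in image config/history")
        elif instr == "RUN" and "--mount=type=secret" in args:
            # Heuristic: cp/tee from /run/secrets or a redirect to a file path
            # (other than /dev/null) writes the secret into a layer.
            if re.search(r"\b(cp|tee)\b\s+/run/secrets|(?<![0-9&])>\s*/(?!dev/null)", args):
                findings.append("RUN: secret mount written to filesystem layer")
    return findings

def env_leaks_from_inspect(inspect_json: str) -> list[str]:
    """Flag secret-looking ENV keys in `docker image inspect` output (post-build check)."""
    cfg = json.loads(inspect_json)[0]["Config"]
    keys = [e.split("=", 1)[0] for e in cfg.get("Env", [])]
    return [k for k in keys if SECRET_NAME.search(k)]

# Constructed sample inputs: the answer's pattern (secret re-mounted per step)...
GOOD_DOCKERFILE = """FROM busybox
RUN --mount=type=secret,id=secret \\
    secret_var="$(cat /run/secrets/secret)" \\
    && echo "${secret_var}"
# later step mounts the secret again instead of persisting the value
RUN --mount=type=secret,id=secret wc -c < /run/secrets/secret
"""
# ...versus the two ways the question was about to leak it.
BAD_DOCKERFILE = """FROM busybox
ENV SECRET=my_secret
RUN --mount=type=secret,id=secret cp /run/secrets/secret /app/secret
"""
INSPECT_JSON = json.dumps([{"Config": {"Env": ["PATH=/usr/bin", "API_TOKEN=abc"]}}])
```

Run `docker image inspect <image>` and feed its output to `env_leaks_from_inspect` to check an image that has already been built.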