Can't read secret environment variable in Docker container during build/run

Can not get these passed through for the life of me. Have tried every possible way I can find online. Only way this has worked is to have them assigned explicitly in the Dockerfile which I obviously don’t want to do.

Depending on the method implemented, I either get a runtime error during the image build (last step, during webpack --mode production tasks), or I will get an Argument Error upon attempting to run the container b/c SECRET_KEY_BASE isn’t assigned.

In a docker-compose.yml file I have tried:

  1. env_file: .env

  2. I also tried assigning them individually in the yml like below, after exporting each one in the terminal and also trying source .env.

environment:
  - SECRET_KEY: ${SECRET_KEY}

Have tried the above w/ my own Dockerfile and also using the method and file in the release guide in the Phoenix docs, in which case it builds successfully but I get an error when starting the container and it exits.

If I run docker-compose config, the environment variables are shown as being set, but they are not being accessed for some reason???

I can provide files if needed.

TL;DR
Env vars are either readable during build and not runtime, or during runtime and not build. Never both, unless I explicitly assign them in the Dockerfile.

Are you following the format definition of env files? Specifically, no spaces around the assignment, KEY=VALUE?

It also needs to be ASCII encoded. Not unicode.

None of these attempted approaches above supply those environment variables at build time, they are only at container runtime.

Your best bet if you’re on a recent enough (~2yo or newer) Docker version is to enable BuildKit support and use its native, first-class build-time secrets support. This ensures that the secret itself is not baked into your resulting image, which is a risk for most of the straightforward ways to do this with legacy Dockerfile syntax. Observe, for example, that the documentation for ARG explicitly recommends against using it for secrets of any kind.

2 Likes
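A sketch of the BuildKit approach recommended in the post above, next to the ARG pattern it replaces. This is an added example, not code from the thread or from the Phoenix release guide; the image tag, the app name `my_app`, the secret id `secret_key_base` and the file paths are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Image tag, app name (my_app), secret id and file paths are
# assumptions for illustration; asset (webpack) steps are omitted.
FROM elixir:1.14-alpine
ENV MIX_ENV=prod
WORKDIR /app
RUN mix local.hex --force && mix local.rebar --force

COPY mix.exs mix.lock ./
COPY config config
RUN mix deps.get --only prod
COPY lib lib

# Weak pattern, commented out for contrast: a value passed with --build-arg
# is recorded in the image metadata and shows up in `docker history`.
#   ARG SECRET_KEY_BASE
#   RUN SECRET_KEY_BASE="$SECRET_KEY_BASE" mix release

# BuildKit pattern: the secret is mounted as a file at /run/secrets/<id>
# for this RUN step only and is not stored in any image layer.
# Caveat: if the build step itself writes the value into its output
# (for example config evaluated at compile time), it still lands in the image.
RUN --mount=type=secret,id=secret_key_base \
    SECRET_KEY_BASE="$(cat /run/secrets/secret_key_base)" \
    mix release

# No ENV SECRET_KEY_BASE here. At runtime the value comes from the
# container environment, e.g. env_file or environment in docker-compose.yml.
CMD ["/app/_build/prod/rel/my_app/bin/my_app", "start"]

# Build (the secret file stays outside the COPY paths above):
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=secret_key_base,src=./.secrets/secret_key_base \
#     -t my_app .
# Check that nothing leaked into the metadata:
#   docker history --no-trunc my_app
```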

yeah. no issues there. all was well.

When you want to pass values to the Dockerfile you are looking to use Build Arguments:

Add build arguments, which are environment variables accessible only during the build process.

First, specify the arguments in your Dockerfile:

ARG buildno
ARG gitcommithash

RUN echo "Build number: $buildno"
RUN echo "Based on commit: $gitcommithash"

Then specify the arguments under the build key. You can pass a mapping or a list:

build:
 context: .
 args:
   buildno: 1
   gitcommithash: cdc3b19

build:
 context: .
 args:
   - buildno=1
   - gitcommithash=cdc3b19

Your best bet if you’re on a recent enough (~2yo or newer) Docker version is to enable BuildKit support and use its native, first-class build-time secrets support.

Thanks! :see_no_evil: Right there in the guide… I saw the docs for secrets in swarm but obviously never found this. I messed with it last night and got it working, so thank you.

Looks like dealing w/ secrets has been a pain point in Docker for a while though, it seems, from everything I ran across while searching. Lots of workarounds to try and keep them from showing up, it seems.

This ensures that the secret itself is not baked into your resulting image, which is a risk for most of the straightforward ways to do this with legacy Dockerfile syntax.

Thanks. Was wondering about this too.

Appreciate it. New to Docker, so it’s been fun/frustrating learning at times.

1 Like