How to idiomatically access sensitive data when building a Docker image?

Sometimes there is a need to use sensitive data when building a Docker image. For example, an API token or SSH key to download a remote file or to install dependencies from a private repository. It may be desirable to distribute the resulting image and leave out the sensitive credentials that were used to build it. How can this be done?

I have seen docker-squash which can squash multiple layers in to one, removing any deleted files from the final image. But is there a more idiomatic approach?

  • Can several nodes access mounted docker containers
  • Docker container for SQL Server Linux keeps exiting
  • Why can docker images not be merged?
  • Is it possible to use a Dockerfile not named “Dockerfile” with CircleCI?
  • Can't run gdbserver in a Docker container for the Visual C++ for Linux Development
  • Cassandra inside Docker
  • Running MongoDB and Redis on two different containers in the same host machine
  • Docker - is it necessary to push images to remote server?
  • How do I point a docker image to my .m2 directory for running maven in docker on a mac?
  • Docker container transfer using LFS properties
  • Jenkins and running rake tasks
  • Robot Framework and CI, run in container or not
  • 3 Solutions collect form web for “How to idiomatically access sensitive data when building a Docker image?”

    Regarding idiomatic approach, I’m not sure, although docker is still quite young to have too many idioms about.

    We have had this same issue at our company, however. We have come to the following conclusions, although these are our best efforts rather than established docker best practices.

    1) If you need the values at build time: Supply a properties file in the build context with the values that can be read at build, then the properties file can be deleted after build. This isn’t as portable but will do the job.

    2) If you need the values at run time: Pass values as environment variables. They will be visible to someone who has access to ps on the box, but this can be restricted via SELinux or other methods (honestly, I don’t know this process, I’m a developer and the operations teams will deal with that part).

    The way we solve this issue is that we have a tool written on top of docker build. Once you initiate a build using the tool, it will download a dockerfile and alters it. It changes all instructions which require “the secret” to something like:

    RUN printf "secret: asd123poi54mnb" > /somewhere && tool-which-uses-the-secret run && rm /somewhere
    

    However, this leaves the secret data available to anyone with access to the image unless the layer itself is removed with a tool like docker-squash. The command used to generate each intermediate layer can be found using the history command

    Matthew Close talks about this in this block article.

    Summarized: You should use docker-compose to mount sensitive information into the container.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.