by lojack 3432 days ago
Curious what methods others use for handling secrets at build time (using docker-compose). I'm currently installing (private) dependencies at runtime by mounting my secrets as a volume. I couldn't find a method that didn't seem to have some risk of inadvertently exposing them.
2 comments

These are the only methods that I'm aware of:

- Exposing the secrets on a (http) server that the Dockerfile can use to fetch

- What we use: Create a one time use secret that is destroyed after the image is built and before it is pushed.

> What we use: Create a one time use secret that is destroyed after the image is built and before it is pushed.

This approach has sparked my interest, could you post an example of any open source docker-compose file and/or associated scripts that would do this?

I did actually encounter this solution while researching the problem, didn't love it, but you can check out the solution at: https://github.com/docker/docker/issues/13490#issuecomment-1...

As long as you add the file and remove it in the same command it doesn't get committed as an extra layer, so the container won't have any history of the secrets. You'll run into problems if you do multiple RUNs, or an ADD and then a RUN.

Stay tuned for `docker build` support for secrets, and more secret backends in later versions.