Reputation: 369
When using docker with asp.net core for development, should I use user-secrets or environment variables? I am using the default docker file that Visual Studio 2017 creates when adding a project, which uses microsoft/aspnetcore:1.1 and I believe is a linux image.
How do I set the user-secrets/environment variables in docker so they are set when it launches, but aren't included in the source code?
Upvotes: 22
Views: 20945
Reputation: 15236
For development I rely on the .NET Secret Manager tool:
dotnet user-secrets init
dotnet user-secrets set "Movies:ServiceApiKey" "12345"
..
See MS docs: Safe storage of app secrets in development in ASP.NET Core.
Example for Docker:
docker run ^
  -e ASPNETCORE_ENVIRONMENT=Development ^
  -v %APPDATA%/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro ^
  company/image:latest
Example for docker-compose:
version: "3.8"
..
  net_core_service:
    ..
    environment:
      # Must be set to Development so that the user secrets stored on the local computer are loaded.
      - ASPNETCORE_ENVIRONMENT=Development
    ..
    volumes:
      # Map the dotnet user-secrets folder (read-only)
      - $APPDATA/Microsoft/UserSecrets:/root/.microsoft/usersecrets:ro
    ..
..
Upvotes: 18
Reputation: 6806
Environment vars are better - https://12factor.net/config
If you run docker using docker run, use the -e or --env-file option:
https://docs.docker.com/engine/reference/run/#env-environment-variables
If you run docker using docker-compose, use the environment or env_file key:
https://docs.docker.com/compose/environment-variables/
Upvotes: 7
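An added example, not part of the answer above: a small shell helper that writes a file for docker's --env-file option from ASP.NET Core configuration keys. It relies on the environment-variable configuration provider reading "__" as the ":" section separator; the file name secrets.env, the function names and the sample key/value are assumptions made for illustration.

```shell
# Added example: function names, secrets.env and sample values are constructed.

# Movies:ServiceApiKey -> Movies__ServiceApiKey. ":" is not usable in
# environment variable names on Linux, so ASP.NET Core accepts "__" instead.
to_env_name() {
  printf '%s' "$1" | sed 's/:/__/g'
}

# write_env_file FILE KEY=VALUE [KEY=VALUE...]
# Writes one NAME=VALUE line per pair into FILE, readable by the owner only.
write_env_file() {
  _wef_file=$1
  shift
  _wef_nl='
'
  # Create (or truncate) the file with a restrictive mask, then force 0600
  # in case it already existed with wider permissions.
  ( umask 077; : > "$_wef_file" ) || return 1
  chmod 600 "$_wef_file" || return 1
  for _wef_pair in "$@"; do
    case $_wef_pair in
      *=*) ;;
      *) echo "expected KEY=VALUE, got: $_wef_pair" >&2; return 1 ;;
    esac
    _wef_key=${_wef_pair%%=*}    # text before the first "="
    _wef_value=${_wef_pair#*=}   # text after the first "=" (may contain "=")
    # An env-file holds one variable per line, so a multi-line value cannot be stored.
    case $_wef_value in
      *"$_wef_nl"*) echo "newline in value for $_wef_key" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$(to_env_name "$_wef_key")" "$_wef_value" >> "$_wef_file"
  done
}

# is_gitignored FILE [IGNORE_FILE]
# Succeeds only when FILE appears as an exact line in the ignore file
# (a simple literal check, not full gitignore pattern matching).
is_gitignored() {
  [ -f "${2:-.gitignore}" ] && grep -qxF -- "$1" "${2:-.gitignore}"
}

# Typical use (image name taken from the answer above):
#   write_env_file secrets.env 'Movies:ServiceApiKey=12345'
#   is_gitignored secrets.env || echo "add secrets.env to .gitignore" >&2
#   docker run --env-file secrets.env company/image:latest
```

The same file can be referenced from docker-compose through the env_file key.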
Reputation: 369
Instead of using user-secrets or environment variables, I decided to add another appsettings file called appsettings.secrets.json. And then in the constructor add the file like the other appsettings files:
var builder = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
    .AddJsonFile("appsettings.secrets.json", optional: true, reloadOnChange: true)
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddEnvironmentVariables();
Just be sure to add the appsettings.secrets.json to the .gitignore file so it isn't added to source control. User-secrets and environment variables can still be used.
Upvotes: 3
Reputation: 49799
For production purposes, you need to use environment variables, not user-secrets. Secrets exist ONLY for safe storage during development by helping prevent sensitive data from being stored in code / checked into source control:
The Secret Manager tool does not encrypt the stored secrets and should not be treated as a trusted store. It is for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.
As an alternative to environment variables, you may consider using "external" key-value stores, like Consul, Vault, etc.
Regarding environment variables in docker, SO already has related questions/answers. See How to pass environment variables to docker containers? as an example.
Upvotes: 8