overexchange

Reputation: 1

How to maintain secrets used in Dockerfile?

Below is the snippet of the docker-compose file containing passwords:

test:
  build: ../../
  dockerfile: docker/dev/Dockerfile
  volumes_from:
    - cache
  links:
    - db
  environment:
    DJANGO_SETTINGS_MODULE: todobackend.settings.test
    MYSQL_HOST: db
    MYSQL_USER: root
    MYSQL_PASSWORD: password
    TEST_OUTPUT_DIR: /reports

db:
  image: mysql:5.6
  hostname: db
  expose:
    - "3386"
  environment:
    MYSQL_ROOT_PASSWORD: password

I am running this file in an AWS environment.

One approach can be using KMS and storing in S3; another approach is AWS Parameter Store.

When building the Dockerfile and launching containers using docker-compose, how can secrets be maintained safely, without exposing them in text files? Any code snippet...

Upvotes: 7

Views: 4820

Answers (2)

JoeB

Reputation: 1623

You can use the integration between ECS and Secrets Manager to put the references to the secrets stored in Secrets Manager in the ECS task definition and then reference them as environment variables. The ECS docs provide a short tutorial on this (and there are more elaborate blog posts).

Upvotes: 2

asolanki

Reputation: 1373

Can think of a few possible approaches.

  1. Store the secret in an environment variable and reference the environment variable in your compose file like this:
environment:
  RACK_ENV: development
  SHOW: 'true'
  SESSION_SECRET:

The keys without any value are resolved to their values on the machine.

Another approach could be to use docker secret. Create the secret:

$ printf "This is a secret" | docker secret create db_password -

If it's a file, it can be saved like this:

$ docker secret create site.key site.key

Access the secret in your compose file as below:

version: '3.1'

services:
   db:
     image: mysql:latest
     volumes:
       - db_data:/var/lib/mysql
     environment:
       MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD_FILE: /run/secrets/db_password
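     secrets:
       - db_root_password
       - db_password

# Top-level definitions the service entries above refer to.
secrets:
   db_root_password:
     external: true   # created beforehand with `docker secret create`
   db_password:
     external: true

volumes:
   db_data: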

The secret is available in the /run/secrets folder.

If you commit the container, the secrets are not included.

Upvotes: 1
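
The official mysql image reads the `*_FILE` variables shown in the answer above by itself; an application container such as the question's Django `test` service has to read the mounted secret file on its own. The following is an added example, not code from the original posts, of doing that in a settings module. `read_secret`, `database_settings` and `SecretError` are hypothetical names, and the demo uses a constructed temporary file in place of `/run/secrets/db_password`.

```python
import os
import tempfile
from pathlib import Path


class SecretError(RuntimeError):
    """Raised when a secret is missing or configured ambiguously."""


def read_secret(name, env=None):
    """Resolve NAME from NAME_FILE (a mounted secret file) or, failing that, NAME."""
    env = os.environ if env is None else env
    file_var = name + "_FILE"
    path, inline = env.get(file_var), env.get(name)
    if path and inline:
        # Two sources for one secret is a configuration error; fail rather than guess.
        raise SecretError(f"both {name} and {file_var} are set")
    if path:
        try:
            # printf/echo often leave a trailing newline; strip only line endings.
            value = Path(path).read_text(encoding="utf-8").rstrip("\r\n")
        except OSError as exc:
            raise SecretError(f"cannot read {file_var}={path}: {exc.strerror}") from None
        if not value:
            raise SecretError(f"{file_var}={path} is empty")
        return value
    if inline:
        return inline
    raise SecretError(f"neither {name} nor {file_var} is set")


def database_settings(env=None):
    """Build Django-style DATABASES settings using the variable names from the question."""
    env = os.environ if env is None else env
    return {"default": {
        "ENGINE": "django.db.backends.mysql",
        "HOST": env.get("MYSQL_HOST", "db"),
        "USER": env.get("MYSQL_USER", "root"),
        "PASSWORD": read_secret("MYSQL_PASSWORD", env),
    }}


if __name__ == "__main__":
    # Constructed demo: a temp file stands in for /run/secrets/db_password.
    with tempfile.TemporaryDirectory() as d:
        secret = Path(d, "db_password")
        secret.write_text("constructed-demo-value\n")
        cfg = database_settings({"MYSQL_PASSWORD_FILE": str(secret)})
        print(cfg["default"]["HOST"], len(cfg["default"]["PASSWORD"]))
```

With this in place the `test` service can set `MYSQL_PASSWORD_FILE: /run/secrets/db_password` and list `db_password` under its own `secrets:` key, so the password no longer appears in the compose file or in the container's environment.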
