minerva_engineering

Reputation: 21

How do you install a private package securely with docker?

I am trying to build a docker image with private repositories from AWS CodeCommit. But this issue is a problem for any repository management software you choose to use.

I am using SSH (or HTTPS, again this is a universal problem that I can't find a simple solution to) and my credentials cannot be stored on this docker image in any way because of security issues.

So, the question is, how do you install a private repository onto a docker image, without putting those credentials onto that docker image efficiently?

Upvotes: 2

Views: 879

Answers (1)

sytech

Reputation: 40861

Use multi-stage builds. The credentials will only be part of the first stage, but the final image will not contain any of the credentials.

Basic example using multistage builds

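```dockerfile
# Stage 1: download the private package; the credentials are only used here
FROM ubuntu:latest AS bootstrap
RUN apt update && apt install -y curl
WORKDIR /data
# Supplied at build time with --build-arg
ARG HTTP_USER
ARG HTTP_PASSWORD
RUN curl -u "${HTTP_USER}":"${HTTP_PASSWORD}" \
         "https://my-generic-repository/my-private-package.zip" \
         -o ./my-private-package.zip

# Stage 2: the image that gets shipped; only the downloaded package is copied in
FROM python:3.9 AS final
WORKDIR /app
COPY --from=bootstrap /data/my-private-package.zip .
RUN pip install ./my-private-package.zip
COPY . .
CMD ["python", "myapp.py"]
```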

Build it like:

```shell
docker build --build-arg HTTP_PASSWORD=mycurlpassword \
             --build-arg HTTP_USER=myusername \
             -t myregistry.example.com/myrepo/myimage:latest .
```

You'll notice that if you run `docker image history myregistry.example.com/myrepo/myimage:latest`, none of the layers from the first build stage (the bootstrap) are contained in the resulting image. This means your credentials are not stored in the image, but you can still make use of private packages downloaded in the docker build process.

Example blog with more information.

Upvotes: 2
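
A check for the claim in the answer above, as an added example that is not part of sytech's answer: it scans the `CreatedBy` column of `docker image history` for recorded values of the two build args. The function names and both history samples are constructed for illustration, modeled on how Docker records a `RUN` step that uses build args.

```python
import re
import subprocess

# Build-arg names taken from the Dockerfile in the answer above.
SECRET_ARGS = ("HTTP_USER", "HTTP_PASSWORD")

# Constructed sample: CreatedBy lines for the multi-stage final image.
FINAL_HISTORY = [
    'CMD ["python" "myapp.py"]',
    "COPY . . # buildkit",
    "RUN /bin/sh -c pip install ./my-private-package.zip # buildkit",
    "COPY /data/my-private-package.zip . # buildkit",
    "WORKDIR /app",
]

# Constructed sample: the same download done inside the shipped stage.
SINGLE_STAGE_HISTORY = [
    'RUN |2 HTTP_USER=myusername HTTP_PASSWORD=mycurlpassword /bin/sh -c '
    'curl -u "${HTTP_USER}":"${HTTP_PASSWORD}" '
    '"https://my-generic-repository/my-private-package.zip" '
    "-o ./my-private-package.zip # buildkit",
    "ARG HTTP_PASSWORD",
    "ARG HTTP_USER",
]

def leaked_build_args(created_by_lines, secret_args=SECRET_ARGS):
    """Return (layer_index, arg_name) for each layer that records a secret build-arg value."""
    findings = []
    for idx, line in enumerate(created_by_lines):
        for name in secret_args:
            # A RUN step that used a build arg is recorded with NAME=value;
            # a bare "ARG NAME" line or a "${NAME}" reference carries no value.
            if re.search(r"(?<!\w)" + re.escape(name) + r"=\S", line):
                findings.append((idx, name))
    return findings

def image_history(image):
    """CreatedBy column of `docker image history` (needs a local Docker CLI)."""
    result = subprocess.run(
        ["docker", "image", "history", "--no-trunc",
         "--format", "{{.CreatedBy}}", image],
        check=True, capture_output=True, text=True)
    return result.stdout.splitlines()

if __name__ == "__main__":
    print("final image:", leaked_build_args(FINAL_HISTORY))
    print("single stage:", leaked_build_args(SINGLE_STAGE_HISTORY))
```

To check a real build, pass the result of `image_history("myregistry.example.com/myrepo/myimage:latest")` to `leaked_build_args`; it inspects only the image named, so run it against the tag you push.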
