cremedekhan

Reputation: 67

Docker Compose Secret from Environment Variable

For the life of me I have been unable to replicate using an environment variable to populate a secret within docker compose.

I have it working with a straightforward docker build command I.E.

docker buildx build --secret id=ARTIFACTORY_USER --secret id=ARTIFACTORY_PASS --target local_dev --progress=plain .

So long as each id maps to an environment variable on my host machine, the build has no problem using the secret.

However, in trying to replicate this within a docker compose file I am finding no success. Reading the compose file reference seems to indicate that I can either provide a file or must use the docker swarm secrets manager.

I did find other documentation indicating that it may be possible, but that fails the build (via docker compose build <service>) with a secret not found error.

My compose file looks something like this:

secrets:
  ARTIFACTORY_USER:
      environment: ARTIFACTORY_USER
  ARTIFACTORY_PASS:
      environment: ARTIFACTORY_PASS

<service>:
    container_name: <service-container>
    restart: unless-stopped
    env_file:
      - $LOCATION/.env
    volumes:
      - $LOCATION/directory:/app/
    build:
      context: $LOCATION/directory
      target: local_dev
    secrets:
      - ARTIFACTORY_USER
      - ARTIFACTORY_PASS
    networks:
      vpcbr:
        ipv4_address: 172.20.0.12
    ports:
      - 8000:8000

Am I missing something?

Upvotes: 2

Views: 2891

Answers (1)

Steven Jimenez

Reputation: 21

I am working on a similar problem right now. The documentation does not seem to clearly explain how to use this, but containers define secrets separately at build-time and run-time.

This will make the secrets available at run-time but not build-time:

    build:
      context: $LOCATION/directory
      target: local_dev
    secrets:
      - ARTIFACTORY_USER
      - ARTIFACTORY_PASS

This will make them available at build-time but not run-time:

    build:
      context: $LOCATION/directory
      target: local_dev
      secrets:
        - ARTIFACTORY_USER
        - ARTIFACTORY_PASS

Upvotes: 0
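
The build-time/run-time split described in the answer, put together in one compose file. This is an added example, not part of the original posts; the service name `app` and the `./install-deps.sh` step in the commented Dockerfile excerpt are assumptions standing in for the elided parts of the question.

```yaml
# Added example, not from the original post. The service name "app" is hypothetical.
# ARTIFACTORY_USER and ARTIFACTORY_PASS must be exported in the shell that
# invokes `docker compose build app`.

secrets:
  ARTIFACTORY_USER:
    environment: ARTIFACTORY_USER   # value is read from the host environment
  ARTIFACTORY_PASS:
    environment: ARTIFACTORY_PASS

services:
  app:
    build:
      context: $LOCATION/directory
      target: local_dev
      # Build-time grant: hands the secrets to BuildKit, the compose
      # counterpart of `docker buildx build --secret id=ARTIFACTORY_USER ...`.
      secrets:
        - ARTIFACTORY_USER
        - ARTIFACTORY_PASS
    # Run-time grant: mounts the secrets in the running container under
    # /run/secrets/<name>. Drop this list if only the build needs them.
    secrets:
      - ARTIFACTORY_USER
      - ARTIFACTORY_PASS

# The Dockerfile still has to request each secret in the step that uses it
# (assumed step; ./install-deps.sh is a placeholder for the real command):
#
#   RUN --mount=type=secret,id=ARTIFACTORY_USER \
#       --mount=type=secret,id=ARTIFACTORY_PASS \
#       ARTIFACTORY_USER="$(cat /run/secrets/ARTIFACTORY_USER)" \
#       ARTIFACTORY_PASS="$(cat /run/secrets/ARTIFACTORY_PASS)" \
#       ./install-deps.sh
```

A secret mounted with `--mount=type=secret` is visible only to that `RUN` step and is not written into an image layer, so granting it under `build.secrets` alone keeps the credentials out of both the image and the running container.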
