Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: run mount secret env dockerfile example #5296

Merged
merged 1 commit into from
Sep 5, 2024
Merged

docs: run mount secret env dockerfile example #5296

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 34 additions & 11 deletions frontend/dockerfile/docs/reference.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -803,17 +803,21 @@ This mount type allows mounting `tmpfs` in the build container.

### RUN --mount=type=secret

This mount type allows the build container to access secure files such as
private keys without baking them into the image.

| Option | Description |
| ---------- | ------------------------------------------------------------------------------------------------- |
| `id` | ID of the secret. Defaults to basename of the target path. |
| `target`, `dst`, `destination` | Mount path. Defaults to `/run/secrets/` + `id`. |
| `required` | If set to `true`, the instruction errors out when the secret is unavailable. Defaults to `false`. |
| `mode` | File mode for secret file in octal. Default `0400`. |
| `uid` | User ID for secret file. Default `0`. |
| `gid` | Group ID for secret file. Default `0`. |
This mount type allows the build container to access secret values, such as
tokens or private keys, without baking them into the image.

By default, the secret is mounted as a file. You can also mount the secret as
an environment variable by setting the `env` option.

| Option | Description |
| ------------------------------ | --------------------------------------------------------------------------------------------------------------- |
| `id` | ID of the secret. Defaults to basename of the target path. |
| `target`, `dst`, `destination` | Mount the secret to the specified path. Defaults to `/run/secrets/` + `id` if unset and if `env` is also unset. |
| `env` | Mount the secret to an environment variable instead of a file, or both. (since Dockerfile v1.10.0) |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we have a column with minimal version similar to #5275 ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah thought about it. wdyt? Do you know when those other fields were added? :D

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at https:/moby/buildkit/blame/0af7b1b9c693cf3c4be62d80beb3fd5b218a12f9/frontend/dockerfile/docs/experimental.md, other attributes are there since 1.0.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK maybe a table will look silly in that case. That's kinda why I didn't do it immediately. I didn't know when any of the other opts were released, and having them all empty or say "1.0" is a bit weird.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes agree let's keep it like this for now

| `required` | If set to `true`, the instruction errors out when the secret is unavailable. Defaults to `false`. |
| `mode` | File mode for secret file in octal. Default `0400`. |
| `uid` | User ID for secret file. Default `0`. |
| `gid` | Group ID for secret file. Default `0`. |

#### Example: access to S3

Expand All @@ -829,6 +833,25 @@ RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
$ docker buildx build --secret id=aws,src=$HOME/.aws/credentials .
```

#### Example: Mount as environment variable

The following example takes the secret `API_KEY` and mounts it as an
environment variable with the same name.

```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=API_KEY,env=API_KEY \
some-command --token-from-env API_KEY
```

Assuming that the `API_KEY` environment variable is set in the build
environment, you can build this with the following command:

```console
$ docker buildx build --secret id=API_KEY .
```

### RUN --mount=type=ssh

This mount type allows the build container to access SSH keys via SSH agents,
Expand Down
Loading