I've been experimenting with Docker recently on building some services to play around with and one thing that keeps nagging me has been putting passwords in a Dockerfile. I'm a developer so storing passwords in source feels like a punch in the face. Should this even be a concern? Are there any good conventions on how to handle passwords in Dockerfiles?
Definitely it is a concern. Dockerfiles are commonly checked in to repositories and shared with other people. An alternative is to provide any credentials (usernames, passwords, tokens, anything sensitive) as environment variables at runtime. This is possible via the -e
argument (for individual vars on the CLI) or --env-file
argument (for multiple variables in a file) to docker run
. Read this for using environmental with docker-compose.
Using --env-file
is definitely a safer option since this protects against the secrets showing up in ps
or in logs if one uses set -x
.
However, env vars are not particularly secure either. They are visible via docker inspect
, and hence they are available to any user that can run docker
commands. (Of course, any user that has access to docker
on the host also has root anyway.)
My preferred pattern is to use a wrapper script as the ENTRYPOINT
or CMD
. The wrapper script can first import secrets from an outside location in to the container at run time, then execute the application, providing the secrets. The exact mechanics of this vary based on your run time environment. In AWS, you can use a combination of IAM roles, the Key Management Service, and S3 to store encrypted secrets in an S3 bucket. Something like HashiCorp Vault or credstash is another option.
AFAIK there is no optimal pattern for using sensitive data as part of the build process. In fact, I have an SO question on this topic. You can use docker-squash to remove layers from an image. But there's no native functionality in Docker for this purpose.
You may find shykes comments on config in containers useful.