Last active
July 13, 2022 05:16
How to use Docker's build-time secret mount so that the credentials in `${HOME}/.aws/credentials`, bound to a named profile, are never stored in the image. Docker mounts the secret only for the duration of the build step and does not cache it in any image layer. Instructions at https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#example-access-to-s3
[marcellodesales-aws]
aws_access_key_id = AKIA*******F37A
aws_secret_access_key = sfZ*****w5m
$ docker build -t test-secret --build-arg AWS_PROFILE=marcellodesales-aws --secret id=aws,src=$HOME/.aws/credentials .
[+] Building 2.7s (13/13) FINISHED
 => [internal] load build definition from Dockerfile                                                          0.1s
 => => transferring dockerfile: 461B                                                                          0.0s
 => [internal] load .dockerignore                                                                             0.1s
 => => transferring context: 2B                                                                               0.0s
 => resolve image config for docker.io/docker/dockerfile:1.3                                                  1.1s
 => [auth] docker/dockerfile:pull token for registry-1.docker.io                                              0.0s
 => CACHED docker-image://docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2  0.0s
 => [internal] load build definition from Dockerfile                                                          0.0s
 => [internal] load .dockerignore                                                                             0.0s
 => [internal] load metadata for docker.io/library/python:3                                                   0.6s
 => [auth] library/python:pull token for registry-1.docker.io                                                 0.0s
 => [stage-0 1/3] FROM docker.io/library/python:3@sha256:95e12432e23d2116270e70e30805a057fcde85ef0fa6e6532f809478f616ace4  0.0s
 => CACHED [stage-0 2/3] RUN pip install awscli                                                               0.0s
 => CACHED [stage-0 3/3] RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 ls > /aws-s3     0.0s
 => exporting to image                                                                                        0.2s
 => => exporting layers                                                                                       0.0s
 => => writing image sha256:ab3a99e2b26531b3530c811a1c31bbf01c6bfb03f0a15fc3e7de2b4b2bd84233                  0.0s
 => => naming to docker.io/library/test-secret                                                                0.0s
# syntax = docker/dockerfile:1.3
ARG AWS_PROFILE
FROM python:3
RUN pip install awscli
# ARG must be redeclared after FROM to be visible in this build stage
ARG AWS_PROFILE
# The profile name is not a secret; only the name is baked into the image
ENV AWS_PROFILE=${AWS_PROFILE}
# Mount the build secret with id=aws at the root user's credentials path for
# this RUN step only; the file is never written to an image layer
# https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#example-access-to-s3
RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 ls > /aws-s3
~/dev/gitlab.com/supercash/serverless/supercash-serverless-aws/resources/v1/Parkinglot/test on develop! 📅 07-12-2022 ⌚22:03:50
$ docker run -ti test-secret cat /aws-s3
2022-07-11 03:55:51 cdk-******91194-sa-east-1
2022-07-10 18:54:13 marcello-h***com-aws-ppd-dev-3a69dd2
2022-07-10 18:02:11 marcello-ser****com-dee7329