Skip to content

Commit

Permalink
docs: run mount secret env dockerfile example
Browse files Browse the repository at this point in the history 
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
  • Loading branch information
@dvdksn
dvdksn committed Sep 5, 2024
1 parent c958c68 commit 85b0933
Showing 1 changed file with 34 additions and 11 deletions.
45 changes: 34 additions & 11 deletions frontend/dockerfile/docs/reference.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -803,17 +803,21 @@ This mount type allows mounting `tmpfs` in the build container.

### RUN --mount=type=secret

This mount type allows the build container to access secure files such as
private keys without baking them into the image.

| Option | Description |
| ---------- | ------------------------------------------------------------------------------------------------- |
| `id` | ID of the secret. Defaults to basename of the target path. |
| `target`, `dst`, `destination` | Mount path. Defaults to `/run/secrets/` + `id`. |
| `required` | If set to `true`, the instruction errors out when the secret is unavailable. Defaults to `false`. |
| `mode` | File mode for secret file in octal. Default `0400`. |
| `uid` | User ID for secret file. Default `0`. |
| `gid` | Group ID for secret file. Default `0`. |
This mount type allows the build container to access secret values, such as
tokens or private keys, without baking them into the image.

By default, the secret is mounted as a file. You can also mount the secret as
an environment variable by setting the `env` option.

| Option | Description |
| ------------------------------ | --------------------------------------------------------------------------------------------------------------- |
| `id` | ID of the secret. Defaults to basename of the target path. |
| `target`, `dst`, `destination` | Mount the secret to the specified path. Defaults to `/run/secrets/` + `id` if unset and if `env` is also unset. |
| `env` | Mount the secret to an environment variable instead of a file, or both. (since Dockerfile v1.10.0) |
| `required` | If set to `true`, the instruction errors out when the secret is unavailable. Defaults to `false`. |
| `mode` | File mode for secret file in octal. Default `0400`. |
| `uid` | User ID for secret file. Default `0`. |
| `gid` | Group ID for secret file. Default `0`. |

#### Example: access to S3

Expand All @@ -829,6 +833,25 @@ RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
$ docker buildx build --secret id=aws,src=$HOME/.aws/credentials .
```

#### Example: Mount as environment variable

The following example takes the secret `API_KEY` and mounts it as an
environment variable with the same name.

```dockerfile
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=API_KEY,env=API_KEY \
some-command --token-from-env API_KEY
```

Assuming that the `API_KEY` environment variable is set in the build
environment, you can build this with the following command:

```console
$ docker buildx build --secret id=API_KEY .
```

### RUN --mount=type=ssh

This mount type allows the build container to access SSH keys via SSH agents,
Expand Down

0 comments on commit 85b0933

Please sign in to comment.