#general

alert-midnight-11504

03/25/2024, 9:20 PM
Does @pulumi/docker support docker secrets? I am having trouble finding documentation on how to securely pass secrets as an environment variable such that it does not get cached in the build layers

stale-twilight-75626

03/25/2024, 9:30 PM
you probably want to write your secret to a place that is designed for that. Then when you are spinning up your docker container, the secret service will pass in the secret as an environment variable
depending on what you are doing, you might want to use Docker Swarm's secrets, HashiCorp's Vault, AWS Secrets manager, Azure Key Vault, or something similar

alert-midnight-11504

03/25/2024, 9:40 PM
I am currently using Google Secret Manager during runtime. The problem I am currently running into is that a secret needs to be available as an environment variable during a build step when creating the image.
i.e. is there a native way to `docker build --secret` using Pulumi?

stale-twilight-75626

03/25/2024, 10:30 PM
Security best practice is to provide secrets at runtime. Why do you need it at build time?
and to answer your question: I would be surprised if there was support for what you are looking for because of that best practice

alert-midnight-11504

03/25/2024, 10:57 PM
Working with a third party package, PayloadCMS. PayloadCMS requires a secret when initializing the express backend. Unfortunately this also occurs at build time when generating GraphQL endpoints and other generated schemas. Their docs kinda skirt around how to do this securely using docker because all the examples I have seen so far use a dotenv file, which I don't want to use with secrets in plain text for obvious reasons. I am surprised more people don't run into this issue of requiring secrets at build time that are thrown away afterwards, to provide them via a secret manager like you said at runtime.

stale-twilight-75626

03/26/2024, 11:52 PM
Are you initializing a PayloadCMS instance (backend?) when you are building the Docker container?
To me a secrets backend and a dotenv file present secrets the same way to a Docker container. Is there a difference for you?
They are both available at runtime as env vars