No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Can you share the code for the docker image? (redacting any potentially sensitive information of course :slightly_smiling_face:)

Want to get a better idea of how you have it setup. Without seeing the code, I’d suggest trying this: 
```const buildArgs = sec.apply( secret =&gt; {
    return {
        args: { 
            ARG_NAME: secret 
        }
    }
});

const dockerImage = new docker.Image("name", {
    imageName: "image-name",
    build: buildArgs
});```

&gt; _Note_: Inside of an `apply` or `all` , your secret will be decrypted for use within the callback in plaintext. It is up to your program to treat this value sensitively and only pass the value to code that you trust.

```const pulumiConfig = new pulumi.Config();

const sec = pulumiConfig.requireSecret("secKey");
const sec2 = pulumiConfig.requireSecret("sec2Key");

const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) =&gt; {
  return {
    ARG1: secVal,
    ARG2: sec2Val,
  };
});

const imageName = "spark-dotnet";
const imageVersion = "v1beta-0.0.1-spark-2.4.5";
const image = new docker.Image(imageName, {
  imageName: pulumi.interpolate`${k8sInfraStack.k8sRegistryLoginServer}/${imageName}:${imageVersion}`,
  build: {
    context: `./spark-dotnet-docker`,
    args: buildArgs,
  },
  registry: {
    server: k8sInfraStack.k8sRegistryLoginServer,
    username: k8sInfraStack.k8sRegistryUsername,
    password: k8sInfraStack.k8sRegistryPassword,
  },
});```

Great, that looks like it should work.. does it?

```const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) =&gt; {
  return {
    ARG1: `https:&lt;mailto://${secVal}@org.visualstudio.com|//${secVal}@org.visualstudio.com&gt;`,```

results in `fatal: could not read Password for 'https://[secret]@org.visualstudio.com': No such device or address`

in my case, sec is a <https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&amp;tabs=preview-page|Azure DevOps PAT>

This seems like it could be a bug, can you create an issue here: <https://github.com/pulumi/pulumi/issues>

One last thing to try:
```const buildArgs = pulumi.all([sec, sec2]).apply(([secVal, sec2Val]) =&gt; {
  return {
    context: `./spark-dotnet-docker`,
    args: {
        ARG1: secVal,
        ARG2: sec2Val
    }
  }
});

const imageName = "spark-dotnet";
const imageVersion = "v1beta-0.0.1-spark-2.4.5";
const image = new docker.Image(imageName, {
  imageName: pulumi.interpolate`${k8sInfraStack.k8sRegistryLoginServer}/${imageName}:${imageVersion}`,
  build: buildArgs,
  registry: {
    server: k8sInfraStack.k8sRegistryLoginServer,
    username: k8sInfraStack.k8sRegistryUsername,
    password: k8sInfraStack.k8sRegistryPassword,
  },
});```


If I have time I’ll try and reproduce this myself…

Thanks <@UMBT6JBPT>, I tried that model, same result,  <https://github.com/pulumi/pulumi/issues/4675|issue 4675 created>