Most secure way to store secrets while building a docker image (Python flask server)

Time:01-22

So currently I am building a docker image for my python flask server, and the way that I am accessing the secret variable inside the code is app.config["SECRET_KEY"] = os.environ.get("todo_secret_key") or "secret"

Now if I want to run the code without the container, I'd use the export command (Linux) to temporarily have the secret key in the environment, but I need it to be in the environment of the container.

Now, a few methods that I am aware of are

  1. Pass it with -e in the docker run command docker run {imageName} -e {name}={value} (insecure as I don't want it to be in terminal logs)

  2. Pass it in the dockerfile by specifying the environment variable (definitely insecure as this file would be public)

Apart from these methods, is there a more secure way to pass the variable?

P.S. It is my first time building an image, so apologies if it is a silly question.

CodePudding user response:

You're trying to tie your runtime configuration to your build time configuration much too tightly if you're worrying about this as you're building your docker image!

Remember that these are discrete, if interconnected, stages.

Develop -> Build -> Test -> Deploy -> Test (Non-functional) -> repeat...

No stage should dictate what future stages do. docker build is the "Build" stage, and so should have no idea what configuration is correct in the environment for when the image is eventually deployed. How could it? That configuration could change over time!

Instead, look to configuration management to handle these sorts of decisions. Your docker scheduler (Kubernetes is common, but other flyweight executors like Docker Swarm or ECS should do this too) should have a way to read a configuration file and inject it into the environment. A full discussion of configuration management could fill (and has filled) textbooks.
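As an added example (not code from the question or the answer above), this is the consuming side of that arrangement: a loader that takes todo_secret_key from the environment the scheduler injects, or from a file the scheduler mounts into the container, and fails at startup instead of falling back to "secret". The todo_secret_key_FILE variable, the 32-character minimum, and the /run/secrets directory (where Docker Swarm and Compose mount secrets; Kubernetes mounts wherever the pod spec says) are this example's assumptions.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

# Added example, not code from the question or the answer. It replaces the
# `os.environ.get("todo_secret_key") or "secret"` line with a loader that takes
# the key from whatever the scheduler injects at deploy time: an environment
# variable (e.g. a Kubernetes Secret via secretKeyRef) or a file mounted into
# the container (Swarm/Compose secrets appear under /run/secrets/<name>).
# There is no hard-coded fallback: a missing key stops the app from starting.

ENV_NAME = "todo_secret_key"            # variable name from the question
FILE_ENV_NAME = "todo_secret_key_FILE"  # assumed convention: path of a mounted secret
MIN_LEN = 32                            # assumed minimum length for a signing key

class MissingSecretError(RuntimeError):
    """Raised when no usable secret key is available at startup."""

def load_secret_key(environ: Mapping[str, str] = os.environ,
                    secrets_dir: Path = Path("/run/secrets")) -> str:
    """Return SECRET_KEY from the environment variable, the file named by
    todo_secret_key_FILE, or /run/secrets/todo_secret_key, in that order."""
    value: Optional[str] = environ.get(ENV_NAME)
    if not value:
        explicit = environ.get(FILE_ENV_NAME)
        path = Path(explicit) if explicit else secrets_dir / ENV_NAME
        if path.is_file():
            # Mounted secret files usually end in a newline; drop only that.
            value = path.read_text(encoding="utf-8").strip("\r\n")
    if not value:
        raise MissingSecretError(f"{ENV_NAME} is not set and no secret file was found")
    if len(value) < MIN_LEN:
        raise MissingSecretError(f"{ENV_NAME} is shorter than {MIN_LEN} characters")
    return value

def check_secret(environ: Mapping[str, str], secrets_dir: Path) -> str:
    """Readiness-style check: "ok" or the reason the key is unusable."""
    try:
        load_secret_key(environ, secrets_dir)
        return "ok"
    except MissingSecretError as exc:
        return str(exc)

def create_app():
    from flask import Flask  # imported here so the loader is testable without Flask
    app = Flask(__name__)
    app.config["SECRET_KEY"] = load_secret_key()  # no `or "secret"` fallback
    return app
```

With this in place the Dockerfile carries no ENV line for the key, and the value only exists in the scheduler's Secret object and the running container.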
