You can inject keys into the running container by passing them as environment variables during the docker run command, ideally supplied via a secrets manager.
I understand that at a high level, but the implementation is where I get lost and where I'd love an article like this to tell me how to do it and how to deploy securely vs develop locally. Most of the guides I've seen involving a secrets manager assume you're very comfortable with Docker, but I'm still trying to figure it out and need some hand holding like this article does.
I think this is mostly because that's outside the scope of Docker's responsibility, and docker compose (for the most part) is only a local dev tool without prod concerns.
For deploying docker containers to production, and how to manage secrets, you'd need to look to that container orchestrator's recommendations, e.g. K8S secrets. It doesn't make too much sense to put an example of how to use production secrets in a docker guide, because those belong in a K8S/GKS/EKS/DO etc. tutorial.
Docker's "interface" is how to accept env variables, it's other parts of the system that need to set those variables.
I wish there was some secrets manager that would give me a per-project env file in somewhere ephemeral like /run (bonus points for it disappearing when the computer is locked).
Keeping a .env file around is still a vulnerability if a device goes missing.
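The "per-project env file in somewhere ephemeral like /run" idea from the thread, as an added example (this is not code from any commenter): the secrets are written to the user's runtime directory (XDG_RUNTIME_DIR, normally a tmpfs under /run/user that is cleared at logout) with mode 0600, the file's permissions are checked before use, and the container gets them via `--env-file` instead of a `.env` sitting in the project tree. The placeholder secret values and the `demo-project` name are constructed; the script only prints the docker command unless DRY_RUN=0 is set, so it runs safely on a machine without Docker.

```shell
#!/bin/sh
# Added example, not from the thread: keep a per-project env file in an
# ephemeral runtime directory and pass it to docker with --env-file.
set -eu

# Prefer XDG_RUNTIME_DIR (usually /run/user/<uid>, a tmpfs wiped at logout);
# fall back to a private temp dir so the example also runs where it is unset.
runtime_dir() {
  if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
    printf '%s\n' "$XDG_RUNTIME_DIR"
  else
    mktemp -d
  fi
}

# Write KEY=VALUE lines from stdin to <dir>/<project>.env, owner-only (0600).
# The umask is set in a subshell so the file is never briefly world-readable.
write_env_file() {
  dir=$1; project=$2
  file="$dir/$project.env"
  ( umask 077; cat > "$file" )
  chmod 600 "$file"
  printf '%s\n' "$file"
}

# Refuse an env file that is a symlink, missing, or readable by group/others.
check_env_file() {
  file=$1
  [ ! -L "$file" ] || return 1
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the image with the env file. DRY_RUN=1 (the default) only prints the
# command; set DRY_RUN=0 on a host with Docker to actually start the container.
run_with_env_file() {
  file=$1; image=$2
  check_env_file "$file" || { echo "refusing: $file has unsafe permissions" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = "0" ]; then
    docker run --rm --env-file "$file" "$image"
  else
    printf 'docker run --rm --env-file %s %s\n' "$file" "$image"
  fi
}

# Demo with constructed placeholder values (not real credentials).
dir=$(runtime_dir)
envfile=$(printf 'API_TOKEN=constructed-placeholder\nDB_PASSWORD=constructed-placeholder\n' \
  | write_env_file "$dir" demo-project)
run_with_env_file "$envfile" alpine:3.19
```

Because the file lives on a tmpfs, it does not survive a reboot, which addresses the lost-device concern raised above; it does not disappear on screen lock, which would need a lock-hook or a proper secrets agent.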
cornstalks|1 year ago
d_watt|1 year ago
ggregoire|1 year ago
stuaxo|1 year ago
chambored|1 year ago