@marcellodesales
Last active July 13, 2022 05:16
How to use Docker's build-time secret mount so that the credentials from `${HOME}/.aws/credentials`, selected by profile, are never stored in the image. BuildKit mounts the secret for the build step that needs it, but it does not cache the file inside the image. Instructions at https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#example-access-to-s3
The profile in `${HOME}/.aws/credentials` that the build uses (values redacted):

```ini
[marcellodesales-aws]
aws_access_key_id = AKIA*******F37A
aws_secret_access_key = sfZ*****w5m
```
The build, passing the credentials file as the secret `aws` and the profile name as a build arg:

```console
$ docker build -t test-secret --build-arg AWS_PROFILE=marcellodesales-aws --secret id=aws,src=$HOME/.aws/credentials .
[+] Building 2.7s (13/13) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 461B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> resolve image config for docker.io/docker/dockerfile:1.3 1.1s
=> [auth] docker/dockerfile:pull token for registry-1.docker.io 0.0s
=> CACHED docker-image://docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> [internal] load .dockerignore 0.0s
=> [internal] load metadata for docker.io/library/python:3 0.6s
=> [auth] library/python:pull token for registry-1.docker.io 0.0s
=> [stage-0 1/3] FROM docker.io/library/python:3@sha256:95e12432e23d2116270e70e30805a057fcde85ef0fa6e6532f809478f616ace4 0.0s
=> CACHED [stage-0 2/3] RUN pip install awscli 0.0s
=> CACHED [stage-0 3/3] RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 ls > /aws-s3 0.0s
=> exporting to image 0.2s
=> => exporting layers 0.0s
=> => writing image sha256:ab3a99e2b26531b3530c811a1c31bbf01c6bfb03f0a15fc3e7de2b4b2bd84233 0.0s
=> => naming to docker.io/library/test-secret 0.0s
```
The Dockerfile:

```dockerfile
# syntax = docker/dockerfile:1.3
# Declared before FROM so it exists in the global scope; it has to be
# redeclared after FROM to be visible inside the build stage.
ARG AWS_PROFILE
FROM python:3
RUN pip install awscli
ARG AWS_PROFILE
ENV AWS_PROFILE=${AWS_PROFILE}
# Mount the secret registered as id=aws at the root user's credentials path for
# this RUN only: the aws CLI reads it here, but it is not written to any image layer.
# The redirected listing in /aws-s3, by contrast, does end up in the image.
# https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#example-access-to-s3
RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 ls > /aws-s3
```
Running the built image shows the listing captured during the build (bucket names redacted):

```console
☁️ aws-cli@2.2.21
☸️ kubectl@1.21.2 📛 kustomize@v4.2.0 🎡 helm@3.6.3 👽 argocd@2.0.5 🐳 docker@20.10.7
👤 AWS_PS1_PROFILE 🗂️ 🌎 sa-east-1
🏗 🔐 docker-desktop 🍱 default
~/dev/gitlab.com/supercash/serverless/supercash-serverless-aws/resources/v1/Parkinglot/test on  develop! 📅 07-12-2022 ⌚22:03:50
$ docker run -ti test-secret cat /aws-s3
2022-07-11 03:55:51 cdk-******91194-sa-east-1
2022-07-10 18:54:13 marcello-h***com-aws-ppd-dev-3a69dd2
2022-07-10 18:02:11 marcello-ser****com-dee7329
```
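As an added check that is not part of the gist, the script below unpacks a `docker save` tarball and greps every layer for a pattern, so you can confirm that the credentials file stayed out of the image while the `/aws-s3` listing (which the gist deliberately writes into it) is there. It assumes the image was exported with `docker save test-secret -o test-secret.tar` and that POSIX `sh`, `tar`, `grep`, `find` and `mktemp` are available.

```sh
#!/bin/sh
# Added example, not from the gist: scan every layer of a `docker save` tarball
# for a pattern, to confirm the build secret never landed in the image.
# Assumes: tar, grep, find and mktemp are available (POSIX sh).

# layers_containing IMAGE_TAR PATTERN
#   Prints the path (inside the tarball) of each layer whose files match
#   PATTERN. Returns 0 if at least one layer matched, 1 if none did, 2 on error.
layers_containing() {
  image_tar=$1
  pattern=$2
  work=$(mktemp -d) || return 2
  hits=$(mktemp) || { rm -rf "$work"; return 2; }
  # Unpack the outer archive: manifest, config JSON and one tarball per layer
  # (<id>/layer.tar in the legacy format, blobs/sha256/<digest> in OCI layout).
  tar -xf "$image_tar" -C "$work" || { rm -rf "$work" "$hits"; return 2; }
  find "$work" -type f | while IFS= read -r blob; do
    # Skip anything that is not itself a tar archive (manifest.json, config).
    tar -tf "$blob" >/dev/null 2>&1 || continue
    ldir=$(mktemp -d)
    tar -xf "$blob" -C "$ldir" 2>/dev/null || true
    if grep -rqs -- "$pattern" "$ldir"; then
      echo "${blob#$work/}" >>"$hits"
    fi
    rm -rf "$ldir"
  done
  cat "$hits"
  if [ -s "$hits" ]; then rc=0; else rc=1; fi
  rm -rf "$work" "$hits"
  return "$rc"
}

# Typical use after the gist's build:
#   docker save test-secret -o test-secret.tar
#   layers_containing test-secret.tar 'aws_secret_access_key'  # expect no output, exit 1
#   layers_containing test-secret.tar 'sa-east-1'              # prints the layer holding /aws-s3
```

Grepping for the redacted key id prefix (`AKIA`) is a useful second pass, since the credentials file could be copied under a different name.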