Accessing secrets in Dockerfile

I haven’t tested this yet but I was hoping to find the correct way to access secrets inside a Dockerfile, if possible.

I’m trying to use an nginx template in a Dockerfile to build the nginx.conf. Is this the correct syntax if $APP_HOST and $NGINX_HOST are both secrets?

FROM nginx:alpine
RUN mkdir /etc/nginx/templates
COPY nginx.conf.template /etc/nginx/templates

ENV APP_HOST=$APP_HOST NGINX_HOST=$NGINX_HOST

This actually seems to work fine. I just couldn’t find a document saying it would. Maybe it is obvious.

Secrets are available as env vars in the running VM but not at build time. If you don’t need the secrets during the build, then you don’t need to do anything special to get them set.

The Dockerfile is used during build time though, right? So should this not be working?

That should not be working if you’re referring to those values in the build, no. You’d have to be setting them as build arguments for things to work as you expect.

Thanks for your help clarifying this. I’m just getting started on fly.io. You are right. This was actually working for the wrong reasons. The template interpolation doesn’t happen until the VM is actually started, so it seems it can access the secrets there, as you said. The Dockerfile ENV variables were actually doing nothing.

Nginx Docker Image

Using environment variables in nginx configuration (new in 1.19)

Out-of-the-box, nginx doesn’t support environment variables inside most configuration blocks. But this image has a function, which will extract environment variables before nginx starts.
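
The behaviour worked out in this thread (the template is filled in when the VM starts, from the secrets present in the environment at that point, not from the Dockerfile's ENV line) can be sketched as a small start-time renderer that refuses to produce a config when a secret is missing. This is an added example, not code from the thread or from the nginx image; the template body, the host values and the function names `sample_template` and `render_template` are constructed for illustration.

```shell
#!/bin/sh
# Added example: start-time template rendering with a fail-closed check.
# Template text, host values and function names are constructed.
REQUIRED_VARS="APP_HOST NGINX_HOST"

# Constructed sample template using the two variables from the thread.
sample_template() {
cat <<'EOF'
server {
    listen 80;
    server_name ${NGINX_HOST};
    location / {
        proxy_pass http://${APP_HOST};
        proxy_set_header Host $host;
    }
}
EOF
}

# render_template: template on stdin, rendered config on stdout.
# Only ${NAME} for names in REQUIRED_VARS is replaced, so nginx's own
# variables such as $host pass through untouched. Returns 1 and writes
# nothing if a required variable is unset or empty at start time.
render_template() {
    script=""
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "render_template: $name is not set at start time" >&2
            return 1
        fi
        # Escape characters that are special in a sed replacement.
        escaped=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
        script="${script}s|\\\${${name}}|${escaped}|g;"
    done
    sed "$script"
}

# Demo: values exist only in the process environment, as secrets do at VM start.
( APP_HOST="app.internal:8080"; NGINX_HOST="www.example.test"; sample_template | render_template )
```

Because the values are read only when the function runs, nothing secret has to appear in the Dockerfile or in the image that is built from it.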