Build Time Secrets

I have a Next.js application that has a couple of build time secrets that need to be provided to Docker. I would like to provide those secrets through the fly secrets functionality, but it seems that those are only available at runtime.

Is there a way to accomplish this?

One option that I am going to try is using my GitHub Action to provide these secrets through the fly deploy --build-arg functionality, but I would prefer to keep things in one spot.

This is not well supported on our end; fly deploy --build-arg is the only reliable option.

--build-arg doesn’t get stored on our servers, so if you have secrets in a local env var it’s safe to run something like:

fly deploy --build-arg MYSECRET=$MYSECRET

You could experiment with secrets on your remote builder, assuming you’re adding a remote builder. When you run fly deploy it will print out the name of the remote builder (something like fly-builder-random-words-123). Once you find that, you can try setting:

fly secrets set MYSECRET=$MYSECRET -a fly-builder-random-words-123

You’ll still need to pass build args to get Docker to pick it up from the environment, something like:

fly deploy --build-arg MYSECRET

Setting builder secrets like that makes sense, but I’ve had to destroy my remote builder too many times for that right now. I’ll probably just stick with the GitHub Action --build-arg, but would love to see a more native experience for this, though even for me, it’s not super high on the priority list.

It’s also worth mentioning the new Docker --secrets option.

To use this, you could build locally (on your machine or in GitHub Actions) and deploy the resulting image with fly deploy -i myimage:tag.

I didn’t know about the new Docker --secrets option, that’s very interesting!

For right now, I've gone with adding the secrets to my GitHub repo's secrets and passing them through to the Docker image via build-args. I prefer this because I'd rather all deploys happen on a CI machine, since I seem to be very good at mucking up my development machines.

- uses: superfly/flyctl-actions@master
  if: ${{ github.ref == 'refs/heads/master' }}
  env:
    FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
  with:
    args: deploy --build-arg NEXT_PUBLIC_SECRET="${{ secrets.NEXT_PUBLIC_SECRET }}"

With the Dockerfile containing this section during the Next.js build phase:

ARG NEXT_PUBLIC_SECRET

ENV NEXT_PUBLIC_SECRET=${NEXT_PUBLIC_SECRET}
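The following Dockerfile is an added example written for this thread; it is not code from any of the posters or from Fly. It puts the two approaches discussed above side by side: the ARG/ENV pattern from the GitHub Actions post, and the BuildKit secret mount that the "Docker --secret option" post refers to (the flag is spelled `--secret`). Everything specific in it is assumed for illustration: a hypothetical private-registry token named NPM_TOKEN that `npm ci` needs, the `node:20-alpine` base image, and the image tag `registry.fly.io/myapp:v1`. Two caveats are worth stating plainly because the thread does not: an `ARG` value is recorded in `docker history` for the layer that uses it and an `ENV` is written into the final image config, so anyone who can pull the image can read a secret passed that way; and Next.js inlines every `NEXT_PUBLIC_*` variable into the browser bundle at build time, so a value under that prefix is public by construction, whichever route it takes into the build.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the thread). Hypothetical input: NPM_TOKEN, a
# registry token needed only while `npm ci` runs.

# --- Variant A: the ARG -> ENV pattern used in the thread. Builds fine, but
# the token ends up in `docker history` (ARG) and in the image config (ENV),
# so it ships to anyone who can pull the image.
FROM node:20-alpine AS leaky
WORKDIR /app
ARG NPM_TOKEN
ENV NPM_TOKEN=${NPM_TOKEN}
COPY package*.json ./
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc \
 && npm ci \
 && rm .npmrc
COPY . .
RUN npm run build

# --- Variant B: BuildKit secret mount. The token is exposed as a file
# only for the duration of this one RUN; it is never an ARG, an ENV, or a
# layer, and it does not appear in `docker history`.
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN --mount=type=secret,id=npm_token \
    printf '//registry.npmjs.org/:_authToken=%s\n' "$(cat /run/secrets/npm_token)" > .npmrc \
 && npm ci \
 && rm .npmrc
COPY . .
RUN npm run build

# Final image contains only build output, no secret material.
FROM node:20-alpine AS runner
WORKDIR /app
COPY --from=build /app/.next ./.next
COPY --from=build /app/node_modules ./node_modules
COPY --from=build /app/package.json ./
CMD ["npm", "start"]

# Build with BuildKit (locally or in CI), passing the token from an env var
# rather than a file so it never touches the checkout, then deploy the
# finished image the way the thread suggests:
#   export NPM_TOKEN=...   # e.g. from a GitHub Actions secret
#   DOCKER_BUILDKIT=1 docker build --target runner \
#     --secret id=npm_token,env=NPM_TOKEN \
#     -t registry.fly.io/myapp:v1 .
#   fly deploy -i registry.fly.io/myapp:v1
#
# Check before pushing: the token string must not appear in either output.
#   docker history --no-trunc registry.fly.io/myapp:v1
#   docker inspect --format '{{.Config.Env}}' registry.fly.io/myapp:v1
```

Only the `build` and `runner` stages are built when `--target runner` is given; the `leaky` stage is kept in the file purely for comparison and should be deleted in real use. Newer flyctl releases also accept `fly deploy --build-secret NAME=VALUE`, which populates the same `/run/secrets/<id>` mount on the remote builder, so the Dockerfile above works unchanged there; confirm the flag is present with `fly deploy --help` for the version you run.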

Hey @kurt, I tried this method, but got this error:

Error failed to fetch an image or build from source: invalid build args: 'OBAN_KEY_FINGERPRINT': must be in the format NAME=VALUE

Are you sure it should work like that?

Thanks a lot.