Build Time Secrets

andy.eskridge · October 5, 2021, 7:41pm

I have a Next.js application that has a couple of build time secrets that need to be provided to the Docker. I would like to provide those secrets through the fly secrets functionality, but it seems that those are only available at runtime.

Is there a way to accomplish this?

One option that I am going to try is using my GitHub Action to provide these secrets through the fly deploy --build-arg functionality, but I would prefer to keep things in one spot.

kurt · October 6, 2021, 12:48am

This is not well supported on our end, fly deploy --build-arg is the only reliable option.

--build-arg doesn’t get stored on our servers, so if you have secrets in a local env var it’s safe to run something like:

fly deploy --build-arg MYSECRET=$MYSECRET

You could experiment with secrets on your remote builder, assuming you’re adding a remote builder. When you run fly deploy it will print out the name of the remote builder (something like fly-builder-random-words-123). Once you find that, you can try setting:

fly secrets set MYSECRET=$MYSECRET -a fly-builder-random-words-123

You’ll still need to pass build args to get Docker to pick it up from the environment, something like:

fly deploy --build-arg MYSECRET

andy.eskridge · October 6, 2021, 2:48am

Setting builder secrets like that makes sense, but I’ve had to destroy my remote builder too many times for that right now. I’ll probably just stick with the GitHub Action --build-arg, but would love to see a more native experience for this, though even for me, it’s not super high on the priority list.

jsierles · October 6, 2021, 8:20am

It’s also worth mentioning the new Docker --secrets option.

To use this, you could build locally (on your machine or in Github Actions) and deploy the resulting image with fly deploy -i myimage:tag.

andy.eskridge · October 6, 2021, 1:32pm

I didn’t know about the new Docker --secrets option, that’s very interesting!

For right now, I’ve gone with adding the secrets to my GitHub repos secrets and passing them through to the Docker image via build-args. I prefer this because I rather all deploys happen on a CI machine, since I seem to be very good at mucking up my development machines.

- uses: superfly/flyctl-actions@master
        if: ${{ github.ref == 'refs/heads/master' }}
        env:
          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
        with:
          args: deploy --build-arg NEXT_PUBLIC_SECRET="${{ secrets.NEXT_PUBLIC_SECRET }}"

With the Dockerfile containing this section during the nextjs build phase:

ARG NEXT_PUBLIC_SECRET

ENV NEXT_PUBLIC_SECRET=${NEXT_PUBLIC_SECRET}

stefan.luptak · February 21, 2022, 7:36pm

Hey @kurt, I tried this method, but got this error:

Error failed to fetch an image or build from source: invalid build args: 'OBAN_KEY_FINGERPRINT': must be in the format NAME=VALUE

Are you sure it should work like that?

Thanks a lot.

Topic		Replies	Views
Best practice for build-time secrets? Build debugging	10	2838	February 14, 2023
NextJS Dynamic Environment Variables	8	783	July 13, 2023
Fly Secrets not populated during build	17	2645	December 7, 2022
Does it make sense to add build-time secrets directly to a builder app? Questions / Help	4	891	June 8, 2022
I'm having a hard time passing env variables to Dockerfile when using GitHub actions	3	1253	October 18, 2021

Build Time Secrets

Related Topics