I have a Next.js application that has a couple of build time secrets that need to be provided to Docker. I would like to provide those secrets through the fly secrets functionality, but it seems that those are only available at runtime.
Is there a way to accomplish this?
One option that I am going to try is using my GitHub Action to provide these secrets through the fly deploy --build-arg functionality, but I would prefer to keep things in one spot.
This is not well supported on our end; fly deploy --build-arg is the only reliable option.
--build-arg doesn’t get stored on our servers, so if you have secrets in a local env var it’s safe to run something like:
fly deploy --build-arg MYSECRET=$MYSECRET
You could experiment with secrets on your remote builder, assuming you’re adding a remote builder. When you run fly deploy it will print out the name of the remote builder (something like fly-builder-random-words-123). Once you find that, you can try setting:
fly secrets set MYSECRET=$MYSECRET -a fly-builder-random-words-123
You’ll still need to pass build args to get Docker to pick it up from the environment, something like:
Setting builder secrets like that makes sense, but I’ve had to destroy my remote builder too many times for that right now. I’ll probably just stick with the GitHub Action --build-arg, but would love to see a more native experience for this, though even for me, it’s not super high on the priority list.
I didn’t know about the new Docker --secrets option, that’s very interesting!
For right now, I’ve gone with adding the secrets to my GitHub repo’s secrets and passing them through to the Docker image via build-args. I prefer this because I’d rather all deploys happen on a CI machine, since I seem to be very good at mucking up my development machines.
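Added example, not part of the original thread or of Fly's own documentation: a Dockerfile that puts the build-arg approach used above next to the Docker build secret mount mentioned in the thread, to show where the secret value ends up in each case. MYSECRET is the name used in the thread; the Node base image, the stage names, the secret id `mysecret` and the `npm run build` step are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Constructed example. Assumed: Node base image, stage names, secret id,
# and that `npm run build` reads MYSECRET from its environment.

FROM node:20-slim AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci

# Variant A: build arg, as passed by
#   fly deploy --build-arg MYSECRET=$MYSECRET
# The ARG value is recorded in the metadata of every RUN layer that follows it,
# so an image that ships these layers exposes it to anyone who can pull it:
#   docker history --no-trunc <image>
FROM deps AS build-with-arg
ARG MYSECRET
COPY . .
RUN MYSECRET="$MYSECRET" npm run build

# Variant B: BuildKit secret mount. The value is mounted at /run/secrets/<id>
# for this one RUN step only and is not written to a layer or to the history.
# Built with plain Docker, reading the value from the caller's environment:
#   docker build --secret id=mysecret,env=MYSECRET --target build-with-secret .
FROM deps AS build-with-secret
COPY . .
RUN --mount=type=secret,id=mysecret \
    MYSECRET="$(cat /run/secrets/mysecret)" npm run build

# In both variants, anything the build step itself writes into its output
# (for example a value inlined into a bundle) is still part of the image.
```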