Secret docker build arguments

I want to pass secret arguments into the Docker build. The documentation for flyctl deploy says that arguments can be specified like this:

--build-arg strings     Set of build time variables in the form of NAME=VALUE pairs. Can be specified multiple times.

The library I’m using suggests that I use the Docker build --secret option like this:

docker build \
  --secret id=oban_key_fingerprint,env=OBAN_KEY_FINGERPRINT \
  --secret id=oban_license_key,env=OBAN_LICENSE_KEY .

and then access those values during the Docker build like this:

RUN --mount=type=secret,id=oban_key_fingerprint \
    --mount=type=secret,id=oban_license_key \
    mix hex.repo add oban \
      --fetch-public-key "$(cat /run/secrets/oban_key_fingerprint)" \
      --auth-key "$(cat /run/secrets/oban_license_key)"

So I added those lines just above to my Dockerfile and I’m running a deploy like this:

flyctl deploy --build-arg "--secret id=oban_key_fingerprint,env=$OBAN_KEY_FINGERPRINT" --build-arg "--secret id=oban_license_key,env=$OBAN_LICENSE_KEY"

Which, unsurprisingly, doesn’t work; Docker complains:

/run/secrets/oban_key_fingerprint: No such file or directory
/run/secrets/oban_license_key: No such file or directory

The documentation makes it seem that the build args should be key-value pairs, but my build arguments are more complicated; I’m guessing that’s where this goes wrong. What’s the best way to pass build secrets into the Docker build?

It appears that the answer is here: What is the correct workflow for utilising secrets during deployment? - #8 by jsierles

Secret arguments aren’t supported by flyctl deploy yet; you have to do the Docker build locally and push that to Fly.

Yep, only a local build will work at the moment for this style of secret. For something like a license key, though, it may not be the end of the world to use build arguments.

Going with that.

flyctl release v0.0.333 supports passing build secrets on the command line.

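The "No such file or directory" errors in the question are what a BuildKit secret mount looks like when the build was never given that secret: the mount is skipped unless it is marked required, so the file under /run/secrets never exists. The following is an added example, not code from this thread, Fly or Oban: a shell preflight that lists the secret ids a Dockerfile mounts and checks that each has an exported value before a local build. The function names and the id-to-variable naming convention are assumptions of this example.

```shell
#!/bin/sh
# Preflight for BuildKit secret mounts (added example; names are hypothetical).
# A secret the Dockerfile mounts but the build never supplies is simply absent,
# which surfaces as "/run/secrets/<id>: No such file or directory".

# Print each secret id mounted in Dockerfile $1, one per line.
# Only ids made of letters, digits, "_", "." and "-" are recognised.
secret_ids() {
  grep -oE -- '--mount=[^[:space:]]*type=secret[^[:space:]]*' "$1" |
    sed -n 's/.*[=,]id=\([A-Za-z0-9_.-]*\).*/\1/p' | sort -u
}

# Assumed convention, matching the ids on this page: secret id
# oban_license_key is read from the exported variable OBAN_LICENSE_KEY.
env_name_for() {
  printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/[.-]/_/g'
}

# Print the ids whose variable is unset or empty in the exported environment
# (that is where "docker build --secret id=...,env=NAME" reads from).
# Returns 1 if any id is missing, 0 otherwise.
missing_secrets() {
  rc=0
  for id in $(secret_ids "$1"); do
    if [ -z "$(printenv "$(env_name_for "$id")")" ]; then
      echo "$id"
      rc=1
    fi
  done
  return "$rc"
}

# Print one "--secret id=<id>,env=<NAME>" flag per mounted id.
secret_flags() {
  for id in $(secret_ids "$1"); do
    printf '%s id=%s,env=%s\n' --secret "$id" "$(env_name_for "$id")"
  done
}

# Usage, after sourcing this file next to the Dockerfile:
#   missing_secrets Dockerfile && docker build $(secret_flags Dockerfile) .
```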