Another option is to build locally with the Buildkit build secrets feature, then push the image to the Fly registry.
Something like:
fly auth docker
DOCKER_BUILDKIT=1 docker build -t registry.fly.io/myapp:tag --secrets mykey=value
docker push registry.fly.io/myapp:tag
fly deploy -i registry.fly.io/myapp:tag
Using these secrets in Dockerfile is a bit annoying, as they have to be mounted at a filesystem path. But maybe worth a try! We’d love to support this in fly deploy directly someday.
Also check out the linked article for a similar use case for SSH-based authentication to things like private repositories.