Skip to content

Dockerfile with secrets#

The most secure way to use secrets in a Dockerfile is to use the --secret flag in the docker build command. This way, the secret is not stored in the image, and it is not visible in the Dockerfile.

A common use case in Python world is to install packages from a private PyPI repository in a Dockerfile. Suppose during the CICD pipeline, there's an environment variable called PIP_INDEX_URL where holds this private PyPI credentials.

Check the official Build secrets doc.

Docker build#

It will search PIP_INDEX_URL from environment variables.

docker build with secrets
# for older version of Docker Engine earlier than 23.0, need to enable buildkit in advance:

docker build --secret id=PIP_INDEX_URL -t myimage .


By default, --secret id=PIP_INDEX_URL from docker build will be mounted to file /run/secrets/PIP_INDEX_URL.

Dockerfile with secrets
RUN --mount=type=secret,id=PIP_INDEX_URL \
    pip install --upgrade pip && \
    PIP_INDEX_URL=$(cat /run/secrets/PIP_INDEX_URL) pip install --no-cache-dir -r requirements.txt

--build-arg to add args

docker build with args
docker build --build-arg arg1=value1 --build-arg arg2=value2 -t myimage .
Dockerfile with args
ARG arg1
ARG arg2
RUN printf "\narg1: $arg1\narg2: $arg2\n" >> /tmp/args.txt