You can set secrets for your applications, but these are only available at run-time. They aren't available when building your Docker image without a little extra work.
To make a secret available at build time, we'll use Docker secrets.
It's a 2-step process:
- Mount a secret into your Dockerfile
- Provide the value for that secret when running fly deploy
Mounting a secret into your Dockerfile is done within a RUN instruction:
    # Note: You can mount multiple secrets
    RUN --mount=type=secret,id=MY_SUPER_SECRET \
        MY_SUPER_SECRET="$(cat /run/secrets/MY_SUPER_SECRET)" some_command \
        && more_commands_maybe
This creates a new file when running docker build. Secrets are stored in the /run/secrets directory. The file name is the id you passed when mounting the secret, and the file contains the value of the secret.
The --mount directive is not a shell command, so there's no need to add && after it as you commonly see when chaining commands.
You need to provide the values of the mounted secrets when running fly deploy:
    # Note: You can pass multiple secrets if you need
    fly deploy \
        --build-secret MY_SUPER_SECRET=some_value
Testing Build Secrets Locally
If you want to test your Docker build locally (before deploying to Fly.io), the commands to do so would look something like this:
    echo -n "secret_value" > mysecret.txt
    docker build --secret id=MY_SUPER_SECRET,src=mysecret.txt .
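Because the mount applies only to the RUN instruction that declares it, and the id has to match on both sides, a pre-build check can catch a mismatch before the build fails or runs with an empty value. The following is an added example, not Fly.io's code: the function names and the sample Dockerfile are hypothetical, and it assumes the default /run/secrets/<id> path and the flag forms shown above.

```python
import re
import shlex

def run_instructions(text):
    """Return each RUN instruction as one line (comments dropped, continuations joined)."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)   # drop comment lines
    text = re.sub(r"\\[ \t]*\n", " ", text)         # join backslash continuations
    return [l.strip() for l in text.splitlines() if l.strip().upper().startswith("RUN ")]

def options(value):
    """Parse the 'k1=v1,k2=v2' syntax used by --mount= and --secret."""
    return dict(p.split("=", 1) for p in value.split(",") if "=" in p)

def mounted_ids(instr):
    """ids of the --mount=type=secret mounts declared on one RUN instruction."""
    mounts = (options(m) for m in re.findall(r"--mount=(\S+)", instr))
    return {m["id"] for m in mounts if m.get("type") == "secret" and "id" in m}

def supplied_ids(command):
    """ids from `--build-secret NAME=value` (fly deploy) or `--secret id=NAME,...` (docker build)."""
    argv, ids = shlex.split(command), set()
    for flag, value in zip(argv, argv[1:]):
        if flag == "--build-secret":
            ids.add(value.split("=", 1)[0])
        elif flag == "--secret" and "id" in options(value):
            ids.add(options(value)["id"])
    return ids

def check(dockerfile_text, command):
    """Return sorted (problem, secret_id) pairs; an empty list means both steps line up."""
    supplied, problems = supplied_ids(command), set()
    for instr in run_instructions(dockerfile_text):
        mounted = mounted_ids(instr)
        read = set(re.findall(r"/run/secrets/([\w.-]+)", instr))
        # The secret file exists only in the RUN that mounts it.
        problems |= {("read-without-mount", i) for i in read - mounted}
        # A mounted id needs a value from the build command.
        problems |= {("mounted-but-not-supplied", i) for i in mounted - supplied}
    return sorted(problems)

# Constructed sample: the second RUN reads the secret without mounting it.
DOCKERFILE = '''FROM alpine
RUN --mount=type=secret,id=MY_SUPER_SECRET \\
    MY_SUPER_SECRET="$(cat /run/secrets/MY_SUPER_SECRET)" some_command
RUN cat /run/secrets/MY_SUPER_SECRET
'''

if __name__ == "__main__":
    print(check(DOCKERFILE, "fly deploy --build-secret MY_SUPER_SECRET=some_value"))
```

The check reads only the secret ids from the command line and never the values, so it can run in CI logs without exposing them.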