Docker Secret – How to use in Docker Swarm and Compose

docker secret

Docker secrets, which designated to create for storing the sensitive information like username, password, SSL certificates, and any secure files. Docker Secret is created and used widely in Docker Swarm and then extended to docker compose from v3. If anytime, you were worried about securing your sensitive data, Docker secret will be the one of the solutions for you.

Just imagine, we never want to store a configuration file with all of our passwords on our GitHub/any repository even in public or private. In this guide we will walk you through various aspects of setting up a using Docker secrets.

Before we head into steps, here is some introduction how it is used on docker swarm services. First, we create & add a secret to the swarm, and then we give our services access to the secrets they require. When the service is created (or updated), the secret is then mounted onto the container in the /run/secrets directory. Now your application has access to the secrets it requires.

Creating Secret

Just assume with your swarm already running or for test, please run “docker swarm init”, this initiate your docker swarm on the node. Now, you can use the docker secret create command to add a new secret to the swarm.

Here is a basic example:

echo "mypassword" | docker secret create mypass -

Now let’s use the “docker secret ls” command to confirm that our secret was added:

docker secret ls

should output something like this:

ID                          NAME     CREATED             UPDATED
rkxav7s9rvnc9d7ct6dhkrsyn   mypass 3 minutes ago        3 minutes ago

Lets see what else we can do in Docker secret, before we heads to adding secret to service.

Inspect Docker Secret

You can use inspect command on Docker secret also, same as other docker commands

docker secret inspect secret_name

our case it will be “mypass”

Remove Docker Secret

You can remove the docker secret using following command

docker secret rm secret_name
Lets add secret to Service

Now that you’ve added the secret to the swarm, you need to give the service access. This can be accomplished when the service is created or updated.

Here’s an example of how to add a secret when the service is created:

docker service create --secret mypass --name secret alpine ping

In this example, I’m adding the mypass secret we created in the previous step to a service running the alpine image.

If we’ve already got a service running and we want to add (or change) a secret, you can use the –secret-add option.

docker service update --secret-add mypass existing_service_name

How this works in realtime

There are a few different ways to use this in realtime, and based on the needs of your application you can choose the way that works best for you.

A secret per password

In the example above, I showed how you would store a single password in a secret. This might be appropriate if you’re not managing too many secrets. In this case, you would manually create each secret and add them each to the appropriate service when it is created or updated.

There are some things to consider with this method. If you’ve got a lot of secrets, there’s room for manual error and it can be time consuming.

A secret per service

So another possible method might be to store all of the secrets that each service requires in a single file – perhaps a json file called “service.json”. Now you’re adding a single secret file per service, and all the passwords are stored in a file that can be quickly read in by your application.

This provides a much cleaner and quicker way to configure the secrets, plus it simplifies things in the application layer as well. But the obvious downside is that services will often share secrets, so some of your sensitive data might be duplicated.

For more real time example, docker Team has prepared great example, please refer more on following articles.

We will give more real time example about secret on our upcoming Docker Swarm Series.

How Docker Secret can use in Docker Compose:

you can use secrets if you use a compose file. (You don’t need to run a swarm).

I have switched to docker-compose because I wanted to use secrets. Each service maps to a container. And if you ever want to switch to running a swarm instead, you are basically already there.

Note: Secrets are not loaded into the container’s environment, they are mounted to /run/secrets/

Here is an example:

File Structure:

|--- docker-compose.yml
|--- mysecret.txt

docker-compose.yml contains
version: “3.6”
    image: ubuntu:18.04
    entrypoint: “cat /run/secrets/mysecret”
      – mysecret
    file: ./mysecret.txt

mysecret.txt contains:
this is my secret text

Run this command from the root to see that the container does have access to your secret, (Docker must be running and docker-compose installed):

docker-compose up --build myservice

You should see your container output your secret as following,

Creating network "secret_default" with the default driver
Pulling myservice (centos:7)...
7: Pulling from library/centos
524b0c1e57f8: Pull complete
Digest: sha256:e9ce0b76f29f942502facd849f3e468232492b259b9d9f076f71b392293f1582
Status: Downloaded newer image for centos:7
Creating secret_myservice_1 ... done
Attaching to secret_myservice_1
myservice_1  | this is my secret text
secret_myservice_1 exited with code 0