Secrets Management in Images

Secrets must never be embedded in container images. A credential that is hard-coded into an image persists in every registry and layer cache that holds the image, and the image is usually pullable by far more people than the secret was meant for. Deleting the file in a later instruction does not help: a file added in one layer and removed in the next is still present in the earlier layer and can be recovered from the image tarball (`docker save`) or from the layer blob in the registry. Build-time secrets, for example credentials for a private package index or repository, therefore need handling that keeps them out of the layers altogether, and runtime secrets should be injected when the container starts rather than baked in.

Build-time secret management uses Docker BuildKit's secret mounts (`RUN --mount=type=secret`). The secret is made available as a file, by default under /run/secrets/<id>, only for the duration of that one RUN instruction; it is never written to an image layer, so it does not reach the registry or the build cache. This is the right way to reach private repositories and APIs during a build. The secret is still in the clear inside that step, however: it must not be copied, echoed or written to a file the step leaves behind, and placing it on a command line exposes it to `ps` inside the build container and to build logs if the shell runs with `set -x`, the tool prints its arguments on error, or the build is run with `--progress=plain`. Prefer reading it into an environment variable or a config file the tool consumes directly.

# syntax=docker/dockerfile:1
# The syntax directive must be the very first line of the Dockerfile; a comment
# above it disables it. Secret mounts need the 1.2 or newer frontend, which the
# "docker/dockerfile:1" tag resolves to.
#
# Example: using BuildKit secrets for secure builds. Build with:
#   docker build --secret id=pip_creds,src=./pip_creds.txt \
#                --secret id=api_key,src=./api_key.txt .
FROM python:3.11-slim AS builder
WORKDIR /app

# Install dependencies from a private index. The credential is read from the
# mounted secret file inside this one RUN step and is gone when the step ends.
# Passing it through an environment variable instead of on the pip command line
# keeps it out of `ps` output and out of shell tracing in the build log.
COPY requirements.txt .
RUN --mount=type=secret,id=pip_creds \
    PIP_INDEX_URL="https://$(cat /run/secrets/pip_creds)@private.pypi.org/simple/" \
    pip install --no-cache-dir --prefix=/install -r requirements.txt

# Copy application code
COPY . .

# Build without exposing secrets: API_KEY exists only for this command
RUN --mount=type=secret,id=api_key \
    API_KEY=$(cat /run/secrets/api_key) python build.py

# Final stage without secrets: only the installed packages and the build output
# are copied over, so neither secret mount nor any build-time file is present
FROM python:3.11-slim
COPY --from=builder /install /usr/local
COPY --from=builder /app/dist /app
CMD ["python", "/app/main.py"]

Runtime secret management integrates with the orchestration platform and with dedicated secret stores. Kubernetes Secrets, Docker (Swarm) secrets and HashiCorp Vault inject secrets at container start or on demand instead of baking them into the image (note that a Kubernetes Secret object is only base64-encoded in etcd unless encryption at rest is configured). Environment variables are the simplest way to pass a secret, but they are exposed through `docker inspect` and `/proc/<pid>/environ`, inherited by every child process, and routinely dumped into crash reports and debug logs. File-based secrets are better: Docker secrets and Kubernetes Secret volumes are mounted on an in-memory tmpfs, access is controlled by file permissions, and the value never enters the process environment. Applications should accept both injection methods, preferring the file, so that one image works across deployment targets.
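The following is an added example, not code from the original text: a small Python loader that accepts a secret from either injection method discussed above, preferring a file over an environment variable, stripping the trailing newline that orchestrators commonly leave, and refusing a secret file that is readable by group or others. The `<NAME>_FILE` environment-variable convention, the /run/secrets default directory and the secret names used in the docstring are assumptions that mirror common Docker image practice, not something the page specifies.

```python
"""Added example, not part of the original page: a runtime secret loader that
accepts the injection methods discussed above (file first, then environment
variable) and fails closed on a misconfigured mount.

Assumptions (illustrative, not from the page): secrets are named by upper-case
identifiers such as DB_PASSWORD; a `<NAME>_FILE` environment variable may point
at the secret file (the convention used by many official Docker images); the
default mount directory is /run/secrets, where Docker secrets appear.
"""
import os
import stat
from pathlib import Path
from typing import Mapping, Optional


class SecretError(RuntimeError):
    """Raised when a secret is missing or unsafely exposed."""


def _reject_loose_permissions(path: Path) -> None:
    """Refuse a secret file readable by group or others. Kubernetes Secret
    volumes default to 0644 and Docker secrets to 0444, so tighten them in the
    deployment (defaultMode: 0400 / mode: 0400) rather than loosening this check."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{path} is group/other readable (mode {oct(mode)})")


def _read_secret_file(path: Path, strict_perms: bool) -> str:
    if strict_perms:
        _reject_loose_permissions(path)
    # Orchestrators and `echo` commonly leave a trailing newline; strip only
    # that, never inner whitespace, which may be part of the secret.
    return path.read_text(encoding="utf-8").rstrip("\r\n")


def load_secret(name: str,
                secrets_dir: str = "/run/secrets",
                env: Optional[Mapping[str, str]] = None,
                strict_perms: bool = True) -> str:
    """Return the secret `name`, looked up in this order:
       1. the file named by the `<NAME>_FILE` environment variable,
       2. `<secrets_dir>/<name in lower case>` (Docker/Kubernetes mounts),
       3. the `<NAME>` environment variable itself (least preferred).
    """
    env = os.environ if env is None else env

    file_var = f"{name}_FILE"
    if file_var in env:
        # An explicit pointer that does not resolve is a deployment bug;
        # fail rather than silently falling back to a weaker source.
        path = Path(env[file_var])
        if not path.is_file():
            raise SecretError(f"{file_var} points at {path}, which does not exist")
        return _read_secret_file(path, strict_perms)

    path = Path(secrets_dir) / name.lower()
    if path.is_file():
        return _read_secret_file(path, strict_perms)

    if name in env:
        return env[name]

    raise SecretError(f"secret {name} not found via {file_var}, {path}, or ${name}")


if __name__ == "__main__":
    # Typical use at start-up; with Docker secrets this reads /run/secrets/db_password.
    print("loaded", len(load_secret("DB_PASSWORD")), "bytes for DB_PASSWORD")
```

Because the permission check is on by default, a Kubernetes Secret volume mounted with the default mode will be rejected until `defaultMode: 0400` is set on the volume; that is deliberate, since a world-readable secret file in a multi-process container is exactly the exposure file-based injection is meant to avoid.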