April 23, 2018, 9:29am
Simple requirement of using secrets inside a docker build. We use secrets for the same and pass them as build args:
The Drone build shows the following output:
+ /usr/local/bin/docker build --rm=true -f Dockerfile -t 19c6c5a18f7d84c02c0d7caf10629d2d9fccdc82 . --pull=true --build-arg supersecret=thisissupersecret --build-arg SUPERSECRET=thisissupersecret --label org.label-schema.build-date=2018-04-23T08:10:26Z --label org.label-schema.vcs-ref=19c6c5a18f7d84c02c0d7caf10629d2d9fccdc82 --label org.label-schema.vcs-url=https://github.com/razorpay/creevey.git
Sending build context to Docker daemon 565.2kB
We are using the recommended configuration from Passing Secrets as Build Arguments (plugins/Docker) to pass build_args, and it is printing out secrets to the log for us.
Because secrets are injected as uppercase environment variables, you need to make the following adjustment to your configuration:
- build_args_from_env: [supersecret]
+ build_args_from_env: [SUPERSECRET]
April 23, 2018, 4:05pm
Never thought of trying case change, thanks.
April 23, 2018, 7:13pm
Tried all possible combinations of case and nothing seems to work. With this setup:
The build args still get printed:
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
+ /usr/local/bin/docker build --rm=true -f Dockerfile -t 049f2d528b7852fac9038721e2e21f88e4e1e168 . --pull=true --build-arg SUPERSECRET=something --build-arg SUPERSECRET=something --label org.label-schema.build-date=2018-04-23T19:07:00Z --label org.label-schema.vcs-ref=049f2d528b7852fac9038721e2e21f88e4e1e168 --label org.label-schema.vcs-url=https://github.com/razorpay/creevey.git
Sending build context to Docker daemon 567.3kB
From a very cursory look at the source code, it looks like the trace function is always getting called.
Sorry, not sure I understand the previous post. Your example output would seem to suggest the secrets are working as expected, assuming something is the secret you wanted injected as a build argument.
But in general I can confirm that there are no known issues with secrets and build_args_from_env. You should make sure your secrets are configured correctly, as described here. If you need more hands-on assistance, we also offer enterprise support.
April 23, 2018, 9:10pm
Sorry, I should have been clearer in the original post. While secrets seem to be working exactly as expected (they get passed as build args), printing secrets during builds looks like a security issue, no?
We don’t want all of our users to be able to view secrets that easily.
April 25, 2018, 11:09am
@bradrydzewski Can you confirm if this is a security issue? (printing of secrets in build logs without debug mode being enabled). We’re happy to file a fix if you can confirm this.
May 2, 2018, 1:01pm
@bradrydzewski Sorry for bumping this again, but I still can’t figure out a way to not print secret build args with the docker plugin.
Printing secrets on build logs is just breaking our security workflow.
September 16, 2019, 3:25pm
I’m facing the exact same issue. I’m passing a few Drone secrets to build_args_from_env. Everything works perfectly, but in the Drone log the secrets are getting printed. Is there any way I can prevent this printing?
Relevant drone.yaml snippet below.
secrets: [ docker_username, docker_password, user_name, password ]
build_args_from_env: [ user_name, password ]
There is nothing you can do in older versions of Drone; however, this has been resolved in newer versions, 1.0 and higher.
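The leak in this thread is the plugin's trace line: the full docker build command, secret build args included, is echoed to the job log before docker runs. The fix that later Drone versions ship is to mask known secret values in log output. The script below is an added example, not code from Drone or the docker plugin, showing that masking as a POSIX shell filter you could put in front of any traced build step. The function names (redact_line, redact_stream), the REDACT_SECRET environment variable and the sample trace line are all constructed for this example; the sample is modelled on the plugin output quoted above, with a made-up DB_URL value added to show a secret containing regex metacharacters.

```shell
#!/bin/sh
# Added example (not Drone's or the docker plugin's code): mask secret values
# in a CI trace line before it reaches the build log.

# redact_line LINE SECRET...
# Prints LINE with every literal occurrence of each SECRET replaced by ********.
# awk's index()/substr() do plain substring matching, so values containing
# regex metacharacters ($ . / + ...) need no escaping. The secret is passed
# through the environment (hypothetical name REDACT_SECRET) rather than -v,
# because awk -v interprets backslash escapes in the value.
redact_line() {
  line=$1
  shift
  for secret in "$@"; do
    # an empty secret would either match nowhere or everywhere; skip it
    [ -n "$secret" ] || continue
    line=$(printf '%s\n' "$line" | REDACT_SECRET="$secret" awk '
      {
        s = ENVIRON["REDACT_SECRET"]
        rest = $0
        out = ""
        while ((i = index(rest, s)) > 0) {
          out = out substr(rest, 1, i - 1) "********"
          rest = substr(rest, i + length(s))
        }
        print out rest
      }')
  done
  printf '%s\n' "$line"
}

# redact_stream SECRET...
# Filter: reads log lines on stdin and writes them redacted, e.g.
#   sh -x build.sh 2>&1 | redact_stream "$SUPERSECRET" "$DB_PASSWORD"
redact_stream() {
  while IFS= read -r l || [ -n "$l" ]; do
    redact_line "$l" "$@"
  done
}

# Constructed sample trace, modelled on the plugin output quoted in the thread.
SAMPLE_TRACE='+ docker build --rm=true -f Dockerfile -t 19c6c5a1 . --build-arg supersecret=thisissupersecret --build-arg SUPERSECRET=thisissupersecret --build-arg DB_URL=postgres://app:p$ss/w0rd@db/app'

# Stand-alone demo: print the trace as the plugin would, then masked.
printf 'unmasked: %s\n' "$SAMPLE_TRACE"
printf 'masked:   %s\n' "$(redact_line "$SAMPLE_TRACE" thisissupersecret 'p$ss/w0rd')"
```

Masking only addresses the log. Build args are also recorded in the image metadata (docker history shows the ARG values of each layer), so anyone who can pull the image still gets the secret; for build-time credentials, BuildKit's --secret flag with RUN --mount=type=secret keeps the value out of both the log and the image, and should be preferred over build args wherever the Docker version allows it.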