Passing Secrets as Build Arguments, plugins/Docker

Attempting to use in this intuitive way:

build_&_publish_wordpress:
  image: plugins/docker
  repo: host/repo/name
  registry: host
  build_args:
  - DB_PASSWORD=${DB_PASSWORD}
  secrets: [docker_username, docker_password, db_password]

Inside the Dockerfile I just do ENV DB_PASSWORD, and RUN printenv gets me an empty value for my environment variable.

Documentation is all over the place, sign yml not sign yml (don't sign yml deprecated in 0.6). Change of variable declaration. From $VAR to ${VAR}.

But why does it not provide any variable for this case DRONE build id or anything to the build args?

This is because build_args is a Go string literal. It is not a bash string. Therefore, it will not evaluate DB_PASSWORD=${DB_PASSWORD}

For reference http://docs.drone.io/secrets-not-working/#variable-expansion

If you want to pass secrets (environment variables) as build arguments, you can do this:

build_&_publish_wordpress:
  image: plugins/docker
  repo: host/repo/name
  registry: host
  build_args_from_env: [ DB_PASSWORD ]
  secrets: [docker_username, docker_password, db_password]

So I’m trying to do something similar (pass a drone secret into an environment variable in a docker image) and I’m finding that the approach given here doesn’t work given a block like the following:

secrets:
  - source: github_token
    target: github_access_token
build_args_from_env: [ GITHUB_ACCESS_TOKEN ]

Has this changed since this question was posted? Or perhaps using the source, target syntax messes with this somehow? Also, for what it’s worth I noticed that this was added in 2017 and doesn’t have a corresponding entry in the documentation: https://github.com/drone/drone-plugin-index/blob/master/content/drone-plugins/drone-docker/index.md

I’d be happy to add the documentation once I get it working, but until then I’m a bit stuck. Any ideas?

@chetaldrich yes this capability is still supported. The syntax has only changed if you are using the new 1.0 release candidate. I have provided examples of both below.

If you are using Drone 1.0

kind: pipeline
name: default

steps:
- name: publish
  image: plugins/docker
  environment:
    GITHUB_ACCESS_TOKEN:
      from_secret: github_token
  settings:
    build_args_from_env:
    - GITHUB_ACCESS_TOKEN

If you are using Drone 0.8

pipeline:
  publish:
    image: plugins/docker
    secrets:
    - source: github_token
      target: github_access_token
    build_args_from_env:
    - GITHUB_ACCESS_TOKEN
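
The Dockerfile side of the pipelines above, as an added example that is not part of the original thread: a build argument reaches `RUN` only if the Dockerfile declares it with `ARG`, and build-argument values stay visible in `docker history` of any image built from that stage. The base image tag, the `fetch-deps.sh` script and the `/out` and `/app` paths are hypothetical; the two-stage layout is one way to keep the token out of the published image, not something the thread prescribes.

```dockerfile
# Added example. Image tag, script name and paths are assumptions.

# Stage 1: the only stage that ever sees the token.
FROM alpine:3.19 AS build

# Declare the build argument. Without this line the value supplied through
# build_args_from_env: [ GITHUB_ACCESS_TOKEN ] is not available to RUN.
ARG GITHUB_ACCESS_TOKEN

# Stop the build if the pipeline supplied nothing, instead of carrying on
# with an empty value.
RUN test -n "$GITHUB_ACCESS_TOKEN" \
    || { echo "GITHUB_ACCESS_TOKEN build arg is empty" >&2; exit 1; }

# Hypothetical script: reads GITHUB_ACCESS_TOKEN from the environment,
# downloads private dependencies and writes them to the directory given
# as its first argument.
COPY fetch-deps.sh /usr/local/bin/fetch-deps.sh
RUN sh /usr/local/bin/fetch-deps.sh /out

# Stage 2: the image that plugins/docker tags and pushes.
FROM alpine:3.19

# No ARG and no ENV for the token in this stage. ENV would store the value
# in the image configuration, and an ARG used by RUN would be recorded in
# this stage's history.
COPY --from=build /out /app
```

Running `docker history --no-trunc` on the pushed image is a quick check that no layer of the final stage records the token value.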