Create Secret

The following command will first create a random 64 character token, that will be stored in a file for testing purposes. The token file is used to create a secret called deep_thought_answer_secure.

< /dev/urandom tr -dc A-Za-z0-9 | head -c64 > tokenfile
docker secret create deep_thought_answer_secure tokenfile

Creating a secret can also be done using stdin, for example echo "the_answer_is_42" | docker secret create lesssecure -. Note, this approach would leave the value the_answer_is_42 in the users bash history file.

All the secrets names can be viewed using docker secret ls. This will not expose the underlying secret value.

Using Secrets

This secret can be used when deploying services via Swarm. For example, deploy gives the Redis service access to the secret.

docker service create --name="redis" --secret="deep_thought_answer_secure" redis

The secret appears as a file within the secrets directory.

docker exec $(docker ps --filter name=redis -q) ls -l /run/secrets

An error Error response from daemon: No such container: ls indicates that Redis service has not started yet.

This can be read as a regular file from disk.

docker exec $(docker ps --filter name=redis -q) cat /run/secrets/deep_thought_answer_secure

The secrets functionality is also available using Docker Compose Stacks. In the example below, the viewer service has access to our Swarm Secret _deep_thoughtanswer. It's being mounted and made available called _deep_thoughtanswer.

Task: Create Docker Compose Stack

Copy the Docker Compose snippet to the file.

version: '3.1'
services:
    viewer:
        image: 'alpine'
        command: 'cat /run/secrets/deep_thought_answer_secure'
        secrets:
            - deep_thought_answer_secure

secrets:
    deep_thought_answer_secure:
        external: true

In the next step, the Compose Stack will be deployed.

Docker Compose Stack's are deployed using the Docker CLI. As part of the deployment, the stack will be configured with access to the secret.

Task

Deploy the task using the following command:

docker stack deploy -c docker-compose.yml secrets1

View the output with:

docker logs $(docker ps -aqn1 -f status=exited)

If the commands errors with "docker logs" requires exactly 1 argument(s). it means the container has not yet started and returned the secret.

An alternate way of creating secrets is via files. In this case, we have a secret.crt file that needs to be accessed from the container.

Task

First, create the sample .crt file: echo "my-super-secure-cert" > secret.crt

Secondly, update the docker-compose Stack to use the file based secret.

version: '3.1'
services:
    test:
        image: 'alpine'
        command: 'cat /run/secrets/secretcert'
        secrets:
            - secretcert

secrets:
    secretcert:
        file: ./secret.crt

Task

As before, deploy the Docker Compose Stack.

docker stack deploy -c docker-compose.yml secrets2

The command below will get the log file of the last container to have exited for the newly created service.

docker logs $(docker ps -aqn1 -f name=secrets2 -f status=exited)