Using Docker Secrets for Managing Credentials
Introduction
Hardcoding credentials in images or environment variables is risky: anyone who can pull the image, inspect the container, or read the process environment can recover them. Docker Secrets offer a safer way to deliver sensitive data to services in Docker Swarm and in Compose stacks deployed to Swarm.
Prerequisites
- Docker Engine >=20
- Docker Swarm initialized (for secrets in Swarm)
Step 1: Create a Secret
printf '%s' "my-db-password" | docker secret create db_password -
(printf rather than echo, so the stored secret does not pick up a trailing newline.)
Verify:
docker secret ls
Step 2: Use Secret in Swarm Service
docker service create \
--name myservice \
--secret db_password \
myimage:latest
Inside the container, the secret is mounted as an in-memory file at /run/secrets/db_password.
Step 3: Use Secret in Docker Compose (Swarm)
docker-compose.yml:
version: "3.8"
services:
  app:
    image: myimage:latest
    secrets:
      - db_password
secrets:
  db_password:
    external: true
Deploy:
docker stack deploy -c docker-compose.yml mystack
Step 4: Access Secret in App
Read the file in your application rather than expecting an environment variable:
import fs from "fs";
// Strip any trailing newline left over from how the secret was created.
const dbPassword = fs.readFileSync("/run/secrets/db_password", "utf8").trim();
Step 5: Rotate Secrets
Swarm secrets are immutable, and docker secret rm refuses to delete a secret that a running service still references. Rotate by creating a new, versioned secret and swapping it into the service under the same target path, then removing the old one:
printf '%s' "new-password" | docker secret create db_password_v2 -
docker service update \
--secret-rm db_password \
--secret-add source=db_password_v2,target=db_password \
myservice
docker secret rm db_password
The update restarts the service's tasks with the new value still mounted at /run/secrets/db_password, so application code does not change. For a Compose stack, point the db_password entry at the new external secret (using its name as source) and redeploy with docker stack deploy.
Summary
Docker Secrets are stored encrypted in the Swarm Raft log, delivered to nodes over TLS, and exposed to containers only as in-memory files under /run/secrets, so credentials never have to live in an image layer or an environment variable. Use them for Swarm services and Compose stacks deployed to Swarm, and rotate them by versioning rather than editing in place.