
I want to add my aws credentials file to a docker container, so it can access AWS apis. The credentials file exists in my host machine at /home/user/.aws/credentials

When running the container from command line, I can do

docker run --rm -d -v /home/user/.aws/:/.aws:ro \
  --env AWS_CREDENTIAL_PROFILES_FILE=/.aws/credentials proj:latest

In docker compose, I can mount the .aws directory with volumes property like so:

services:
  proj:
    volumes:
      - aws_credentials:/.aws:ro
    environment:
      AWS_CREDENTIAL_PROFILES_FILE: /.aws/credentials
volumes:
  aws_credentials:
    external: true

My question is, how to populate the external aws_credentials volume with data?

Approaches that do not work:

  • Use secrets instead of volumes. I am not using Docker swarm
  • Use config instead of volumes. I am not using Docker swarm
  • Use a bind mount instead of a volume. The docker-compose file gets checked into source control, and I do not want directories checked in.
services:
  proj:
    volumes:
      - /home/user/.aws/:/.aws:ro #<-- DO NOT WANT THIS IN SOURCE CONTROL
    environment:
      AWS_CREDENTIAL_PROFILES_FILE: /.aws/credentials
f.khantsis
  • `/home/user/.aws` => `~/.aws`. Now the path is agnostic to a particular user and you just have to make sure that 1) the content of the given dir is not pushed to source control 2) the other users are aware they need their credentials written at that place. Alternatively, you could configure all this through a local environment variable referenced in your docker file or through a `.env` file you exclude from versioning. – Zeitounator Jan 03 '23 at 20:19
  • `Approaches that do not work:` Great, so what works? How do _you_ want to transfer the credentials? `how to populate the external aws_credentials volume with data?` Mount the volume and copy the file. You can write a service that mounts the volume and puts credentials there. – KamilCuk Jan 03 '23 at 20:23
  • Does this answer your question? [What is the right way to add data to an existing named volume in Docker?](https://stackoverflow.com/questions/37468788/what-is-the-right-way-to-add-data-to-an-existing-named-volume-in-docker) – KamilCuk Jan 03 '23 at 20:26
  • @Zeitounator I thought about that, but it's still a reference to the host machine. What if another developer hosts his aws files not in `~/.aws` ? A repository should not contain references to external files reachable only from some machines, or make assumptions. – f.khantsis Jan 04 '23 at 01:22

1 Answer


One answer I came up with is using environment variables like so:

services:
  proj:
    secrets:
      - aws_credentials
    environment:
      AWS_CREDENTIAL_PROFILES_FILE: /run/secrets/aws_credentials
secrets:
  aws_credentials:
    file: ${awscredfile}

and making sure awscredfile is either loaded in the environment for the parent process of docker compose, or passed in via an env file with the --env-file parameter to docker compose.

f.khantsis
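The following is an added example, not code from the question, the answer or any project: a small POSIX shell wrapper around the answer's compose-secrets approach. Compose substitutes `${awscredfile}` from the calling environment or from the `--env-file` file, and outside swarm it implements a `file:` secret by mounting that host file into the container at `/run/secrets/aws_credentials`, so the host copy of the key file is the thing to protect. The wrapper therefore checks the credentials file's mode before anything starts, writes the env file with mode 0600, and refuses to run if that env file is not git-ignored. The script name `compose-up.sh`, the env file name `.env.local` and the default path `~/.aws/credentials` are assumptions; `awscredfile` is the variable name used in the answer.

```shell
#!/bin/sh
# compose-up.sh (assumed name): preflight wrapper for the compose-secrets
# approach in the answer above. Added example; not part of the original post.
# Assumed names: the `awscredfile` variable from the answer, an env file
# `.env.local` that must be git-ignored, and the compose file in the cwd.

# Accept PATH only if it is a regular, readable file whose mode is 0600 or
# 0400. Compose mounts this host file into the container as
# /run/secrets/aws_credentials, so a group/world-readable key file is
# exposed on the host no matter what the container does with it.
check_cred_file() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $f: mode $mode is wider than 0600" >&2; return 1 ;;
    esac
}

# Write the variable compose substitutes into `${awscredfile}` to OUT as a
# KEY=VALUE line for `docker compose --env-file OUT`. The file is created
# 0600: it reveals where key material lives and is a natural home for other
# local-only settings.
write_env_file() {
    out="$1"; cred="$2"
    rm -f "$out"
    ( umask 077; printf 'awscredfile=%s\n' "$cred" > "$out" )
    chmod 600 "$out"
}

# Resolve the credentials path (argument, then $awscredfile, then the AWS CLI
# default), check it, write the env file, and start the stack.
compose_up() {
    cred="${1:-${awscredfile:-$HOME/.aws/credentials}}"
    envfile="${2:-.env.local}"
    check_cred_file "$cred" || return 1
    write_env_file "$envfile" "$cred"
    # Refuse to proceed if the env file would be committed alongside the
    # compose file.
    if git rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git check-ignore -q "$envfile"; then
        echo "$envfile is not git-ignored; add it to .gitignore first" >&2
        return 1
    fi
    docker compose --env-file "$envfile" up -d
}

# Usage: sh compose-up.sh                       (uses ~/.aws/credentials)
#        sh compose-up.sh /path/to/credentials
# Runs only when executed under its own name, not when sourced for its
# functions.
case "$0" in *compose-up.sh) compose_up "$@" ;; esac
```

`check_cred_file` is deliberately reusable for the env file itself, since that file also names the key location; the permission check mirrors the 0600 mode `aws configure` gives `~/.aws/credentials`, so a correctly set-up developer machine passes without changes, while a file copied around with 0644 is rejected before compose ever mounts it.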