Docker build secrets in Coolify

Published: 8/20/2024

Coolify doesn’t currently (2024-08-20) officially support build secrets. There is a discussion on Discord with research on the topic. In some cases build secrets might appear to work, but they are unreliable.

Here’s a workaround using build args instead of secrets.

[!CAUTION]

Build args are not a secure replacement for secrets! Using them makes the secret visible in the final built image: a build arg referenced by a RUN step is recorded in the image history (docker history --no-trunc prints it), and anything a RUN step writes to the filesystem stays in that layer even if a later RUN deletes it. The sh -c '...' wrapper is there to keep the value out of the build logs and the temp file is removed (rm /tmp/...), but the secret value will still be readable by inspecting the built image.

Environment variables are also stored in plain text in /data/coolify/applications/<id>/.env on the host system.

See also this documentation and this discussion.

Let’s say you have the following files:

# docker-compose.yml
services:
  app:
    build:
      dockerfile: Dockerfile
      secrets:
        - TEST_SECRET

secrets:
  TEST_SECRET:
    environment: TEST_SECRET

# Dockerfile
FROM alpine:latest

RUN --mount=type=secret,id=TEST_SECRET \
  cat /run/secrets/TEST_SECRET > /test_secret_file

ENTRYPOINT ["tail", "-f", "/dev/null"]

Here’s how you use build args instead:

# docker-compose.yml
services:
  app:
    build:
      dockerfile: Dockerfile
      args:
        - TEST_SECRET

# Dockerfile
FROM alpine:latest

ARG TEST_SECRET
# Write the arg to a temp file, consume it and remove it in the same RUN,
# so the temp file does not survive as a file in a layer of its own.
# The value is still recorded in the image history and, here, in /test_secret_file.
RUN sh -c 'echo "${TEST_SECRET}" > /tmp/TEST_SECRET' && \
  cat /tmp/TEST_SECRET > /test_secret_file && \
  rm /tmp/TEST_SECRET

ENTRYPOINT ["tail", "-f", "/dev/null"]
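
To see exactly where the value ends up, here is an added example (not code from the original post, and not from Coolify) that scans a `docker save` tarball for a known secret string. It reports hits in the image config's history entries, where Docker records the build args a RUN step was run with, and in the files inside each layer, where a file written by one RUN persists even after a later RUN deletes it. Because it has to run offline, `build_sample_image` constructs a small tarball inline that mimics the workaround above; the layer names, the history strings and the secret value `hunter2-example` are assumptions, not output captured from a real build. To check a real image, run `docker save myimage -o image.tar` and pass the file's bytes to `find_secret`.

```python
"""Scan a `docker save` tarball for a known secret value (added example)."""
import io
import json
import tarfile


def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes}. Used to construct sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image(secret):
    """Constructed tarball mimicking the ARG/RUN/RUN workaround.

    Assumption: the layout follows `docker save` (manifest, config, one tar
    per layer) and the history strings follow Docker's `|N ARG=value ...` form.
    """
    secret_line = secret.encode() + b"\n"
    # Layer 1: the RUN that writes the temp file and the target file.
    layer1 = _tar_bytes({"tmp/TEST_SECRET": secret_line,
                         "test_secret_file": secret_line})
    # Layer 2: `rm /tmp/TEST_SECRET` only adds a whiteout marker; layer 1 keeps the bytes.
    layer2 = _tar_bytes({"tmp/.wh.TEST_SECRET": b""})
    run1 = ("sh -c 'echo \"${TEST_SECRET}\" > /tmp/TEST_SECRET' && "
            "cat /tmp/TEST_SECRET > /test_secret_file")
    run2 = "unset TEST_SECRET && rm /tmp/TEST_SECRET"
    config = {"history": [
        {"created_by": "/bin/sh -c #(nop) ARG TEST_SECRET", "empty_layer": True},
        {"created_by": f"|1 TEST_SECRET={secret} /bin/sh -c {run1}"},
        {"created_by": f"|1 TEST_SECRET={secret} /bin/sh -c {run2}"},
    ]}
    manifest = [{"Config": "config.json",
                 "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": json.dumps(config).encode(),
        "layer1/layer.tar": layer1,
        "layer2/layer.tar": layer2,
    })


def find_secret(image_tar, secret):
    """Return sorted (where, detail) pairs for every place `secret` appears."""
    findings = []
    needle = secret.encode()
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r") as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            data = outer.extractfile(member).read()
            if member.name.endswith(".json"):
                # Image config: the build args a RUN step ran with are recorded in
                # that layer's history entry (what `docker history --no-trunc` prints).
                doc = json.loads(data)
                history = doc.get("history", []) if isinstance(doc, dict) else []
                for i, entry in enumerate(history):
                    if secret in entry.get("created_by", ""):
                        findings.append(("history", f"{member.name}#history[{i}]"))
                continue
            # Anything else: try it as a layer tar and grep every regular file.
            try:
                layer = tarfile.open(fileobj=io.BytesIO(data), mode="r")
            except tarfile.TarError:
                continue
            with layer:
                for f in layer.getmembers():
                    if f.isfile() and needle in layer.extractfile(f).read():
                        findings.append(("layer-file", f"{member.name}:/{f.name}"))
    return sorted(findings)


if __name__ == "__main__":
    image = build_sample_image("hunter2-example")
    for where, detail in find_secret(image, "hunter2-example"):
        print(f"{where:10} {detail}")
```

On the constructed image the scanner reports the value twice in the history and twice in layer 1 (the temp file and /test_secret_file), and nothing in layer 2: the deletion in the second RUN does not remove anything from the image, it only hides it from containers started from it.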

See this article for more information about build args with Docker Compose and this test repository for a deployable example.