This article was generated by AI analysis
Created: 2026-03-28 Source: https://phase.dev/blog/docker-compose-secrets/
Summary
Nimish’s guide to progressively more secure secret management in Docker Compose, from the anti-patterns (.env files, hardcoded env vars) to Docker native secrets, external secrets managers (Vault, AWS Secrets Manager), and build-time vs. runtime secret injection.
Key Points
- Anti-pattern 1: hardcoded values in the compose file — visible in git history, leaked to all container processes
- Anti-pattern 2: `.env` file referenced via `${VAR}` — still visible via `docker inspect`, often committed accidentally
- `docker inspect <container>` reveals all env vars in plaintext — this is the attack vector for leaked .env secrets
- Docker native secrets: mount secrets as files at `/run/secrets/<name>`; not exposed via `docker inspect`; compose-level `secrets` block + service-level `secrets` reference
- External secrets managers (Vault, AWS Secrets Manager): inject at runtime via init containers or secrets agent sidecars; rotation without container restarts
- Build-time secrets: `--mount=type=secret` in the Dockerfile for build-time API keys without baking them into image layers
Insights
The docker inspect attack vector is the most practically important lesson — developers often assume that .env files are “good enough” because the file isn’t in the image, but the env vars are still visible to anyone with Docker daemon access. Docker native secrets improve on this by mounting secrets as tmpfs files, which don’t appear in docker inspect output. For production, external secrets managers are the right answer because they support secret rotation (updating secrets without redeploying containers). The progression in the article maps well to security maturity levels for teams growing from dev to prod.
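To make the env-var vs. native-secrets difference concrete, here is an added example (not from the original post) of the same Postgres service written both ways, plus a build-time secret for an app image. Service names, the `./secrets/db_password.txt` path, the `npm_token` id and the Dockerfile line quoted in the comment are assumptions for illustration; `POSTGRES_PASSWORD_FILE` is a real option of the official postgres image.

```yaml
# Added example, not the post's own compose file.
# db-weak: password arrives as an environment variable, so
#   docker inspect db-weak | grep -A 20 '"Env"'   shows it in plaintext.
# db-hardened: password is mounted at /run/secrets/db_password; the only
#   thing in Env is the *path* to that file, not the value.
services:
  db-weak:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}   # expanded from .env, visible via docker inspect

  db-hardened:
    image: postgres:16
    environment:
      # the official image reads the password from this file instead of an env var
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password                            # service-level reference

  app:
    build:
      context: .
      secrets:
        - npm_token                            # build-time only; never lands in an image layer
      # Dockerfile side (assumed):
      #   RUN --mount=type=secret,id=npm_token \
      #       NPM_TOKEN=$(cat /run/secrets/npm_token) npm ci

secrets:                                        # compose-level secrets block
  db_password:
    file: ./secrets/db_password.txt             # assumed path; keep out of git
  npm_token:
    environment: NPM_TOKEN                      # read from the host shell at build time
```

Run `docker compose up -d` and compare `docker inspect db-weak` with `docker inspect db-hardened`: only the weak service exposes the password in its Env list.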
Raw Excerpt
With a basic Postgres container running, you can easily inspect all environment variables passed to any container using `docker inspect <container_name> | grep -A 20 '"Env"'`. This reveals all environment variables in plain text.