How to pass service token in Dockerfile

Need Help
1

Hello Guys I need help with the pass service token doppler in my docker file, I use command
docker build --build-arg "DOPPLER_TOKEN=$DOPPLER_TOKEN" . In my github action but after push image to aws my app is not running I received error message: Doppler Error: you must provide a token

FROM python:3.8.5-alpine

WORKDIR /code

COPY . /code/

RUN python -m pip install --upgrade pip && pip install -r requirements.txt

RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

ARG DOPPLER_TOKEN

CMD ["doppler", "run", "--", "python3", "send_doc.py"]

2

Hey @Elton and welcome to the Doppler community!

Your solution is really close! Instead of DOPPLER_TOKEN being a build ARG, Iā€™d change this to an environment variable that should be supplied as part of your deployment process to AWS.

A common workflow with our customers is storing the service token value in a GitHub Secret, then a cloud-init (user data) script embeds that value as a DOPPLER_TOKEN environment variable that is then passed to the container to be run.

Something like:

export DOPPLER_TOKEN="${{ secrets.DOPPLER_TOKEN }}"
docker run -d -e DOPPLER_TOKEN=$DOPPLER_TOKEN your-app
1 Like
3

In this case I will run command in aws docker run -d -e DOPPLER_TOKEN=$DOPPLER_TOKEN your-app ? My process in Github actions

- name: Build, tag, and push image to Amazon ECR
  id: build-image
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: 1234566.dkr.ecr.us-east-1.amazonaws.com/pythonnetwork
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build --build-arg=DOPPLER_TOKEN=${{ secrets.DOPPLER_TOKEN }} -t python-network .
    docker tag python-network:latest $ECR_REPOSITORY:latest
    docker push $ECR_REPOSITORY:latest

I think to create my docker file in this model.

FROM python:3.8.5-alpine

WORKDIR /code
COPY . /code/

RUN python -m pip install --upgrade pip && pip install -r requirements.txt

RUN (curl -Ls https://cli.doppler.com/install.sh || wget -qO- https://cli.doppler.com/install.sh) | sh

ARG DOPPLER_TOKEN

ENV DOPPLER_TOKEN ${DOPPLER_TOKEN}

CMD ["doppler", "run", "--", "python3", "send_doc.py"]

My application is working with the code above Thanks @ryan-blunden

1 Like
4

Glad you got it working @Elton!

Just be aware that embedding the service token in the image has the following implications:

  • Anyone that can pull the image can access the secrets linked to the service token
  • The image is now config specific as the secrets are tied to the image build

If this image is only for a single environment and you absolutely trust everyone that will ever have access to the image, then this is ok, but my recommendation would be to only supply the DOPPLER_TOKEN environment variable when running the container and not at build time.

Let me know if I can help you further.

2 Likes
5

Hello @ryan-blunden I use the image for a personal project, thank you for the tips, I will use it in the next steps.