Empty secret when set from environment variable with `--secret id=MYSECRET,type=env`
When playing with secrets I first passed with the following options:
MYSECRET=foobar buildah bud --secret id=MYSECRET,type=env
FROM alpine:latest
RUN --mount=type=secret,id=MYSECRET echo "MYSECRET: $(cat /run/secrets/MYSECRET)"
But the secret file is empty. Seems there is a missing case in https://github.com/containers/buildah/blob/release-1.37/pkg/parse/parse.go#L1264 that checks for type=env.
I now know, after studying the code and the latest changes to the manual, that I can simply omit the type=env,
but I still think that this case should be fixed.
A friendly reminder that this issue had no activity for 30 days.
@r10r How is omitting the type=env solving your problem? If I try to pass a secret from an env variable to the buildah bud I get the following error: error creating build executor: incorrect secret flag format: should be --secret id=foo,src=bar
E.g. buildah bud --secret id=mySecret
@r10r - The problem appears to be the difference between the id= in your buildah command and the Containerfile. The id= in both the command and the file is the name the secret will be referred to from within the container.
I can replicate your issue if I run buildah with id=mysecret (lowercase, with the Containerfile using uppercase id=MYSECRET)...
MYSECRET=foobar buildah bud --secret id=mysecret,env=MYSECRET .
STEP 1/2: FROM alpine:latest
STEP 2/2: RUN --mount=type=secret,id=MYSECRET echo "MYSECRET: $(cat /run/secrets/MYSECRET)"
cat: can't open '/run/secrets/MYSECRET': No such file or directory
MYSECRET:
<snipped commit blurb>
...but your Containerfile and command will work if you run buildah with id=MYSECRET (uppercase in both the command and the Containerfile):
MYSECRET=foobar buildah bud --secret id=MYSECRET,env=MYSECRET .
STEP 1/2: FROM alpine:latest
STEP 2/2: RUN --mount=type=secret,id=MYSECRET echo "MYSECRET: $(cat /run/secrets/MYSECRET)"
MYSECRET: foobar
<snipped commit blurb>
Much later edit: I can't for the life of me figure out where I got that OP had lowercase in one place and uppercase in the other. Was the original edited but GitHub isn't showing it as edited? Or did my quest to try to spread my recent secrets learnings result in me putting a comment in a place it didn't belong? I really don't know, and I apologize either way, but I will be leaving this comment just in case it helps someone else in the future with something else to look out for.
I am running into the same issue on MacBook M4 with podman:
podman build --secret id=USERNAME,env=USERNAME,type=env .
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
RUN --mount=type=secret,id=USERNAME \
echo "it will be empty!" &&\
echo $(cat /run/secrets/USERNAME)
export USERNAME="foo" && podman build --secret id=USERNAME,env=USERNAME,type=env -f Test-Dockerfile
STEP 1/2: FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
STEP 2/2: RUN --mount=type=secret,id=USERNAME echo "it will be empty!" && echo $(cat /run/secrets/USERNAME)
it will be empty!
COMMIT
--> 4c26bb0471c8
4c26bb0471c80c501f16452925d9bb3f51062f302ea5edff066440f7d0c63c7e
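
Added example, not part of the thread and not buildah or podman code: in the failing runs above the build still went on to commit, because `echo $(cat ...)` does not fail on a missing or empty secret file. A guard such as the following makes the `RUN` step fail instead; the function name `check_secret` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# check_secret ID [DIR] returns:
#   0  secret file exists and has content
#   1  secret file missing (e.g. id= differs between command line and Containerfile)
#   2  secret file present but empty or whitespace-only (the symptom in this issue)
# Only the status is reported; the secret's value is never printed.
check_secret() {
    id=$1
    dir=${2:-/run/secrets}   # mount location used in the thread's Containerfiles
    path="$dir/$id"

    if [ ! -e "$path" ]; then
        echo "secret '$id': $path not found" >&2
        return 1
    fi
    # -s is true only for a file larger than zero bytes
    if [ ! -s "$path" ]; then
        echo "secret '$id': $path is empty" >&2
        return 2
    fi
    # A file holding only whitespace or newlines is as useless as an empty one
    if ! grep -q '[^[:space:]]' "$path"; then
        echo "secret '$id': $path contains only whitespace" >&2
        return 2
    fi
    return 0
}

# Constructed demo: simulate the three cases in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'foobar' > "$tmp/GOOD"   # constructed sample value
    : > "$tmp/EMPTY"                # zero-byte file, as seen with type=env
    for name in GOOD EMPTY ABSENT; do
        rc=0
        check_secret "$name" "$tmp" 2>/dev/null || rc=$?
        echo "$name -> $rc"
    done
    rm -rf "$tmp"
}

demo
```

Inside a Containerfile the same checks can run at the start of the `RUN --mount=type=secret,...` step, before the secret is read, so a non-zero status stops the build.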