Support for docker secrets exported as environment variables
Docker secrets are intentionally mounted into containers as files under /run/secrets/, which is a secure default. However, many applications and frameworks expect configuration via environment variables rather than files. As a result, users frequently resort to workarounds like:
```yaml
entrypoint: >
  sh -c "export API_KEY=$(cat /run/secrets/api_key) && exec myapp"
```
This pattern is widely used and effectively gives the container an environment variable anyway — just with more boilerplate and no additional security compared to a built-in feature.
Providing an optional way to export a secret as an environment variable would significantly improve ergonomics in cases where this pattern is required.
Kubernetes, for example, supports this functionality: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-a-container-environment-variable-with-data-from-a-single-secret
Docker could offer an equivalent mechanism with a syntax like:
```yaml
secrets:
  - secret: api_key
    as_env: APP_API_KEY
```
This would avoid shell-based workarounds while keeping the current file-mount behavior as the default.
For example, in co-op cloud, which packages open source applications using docker swarm, there are many applications which require secrets as environment variables, and this would be a great improvement to app packaging.
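The `sh -c "export ... $(cat /run/secrets/...)"` workaround above, written once as an entrypoint helper so each app does not repeat it inline. This is an added example, not code from the issue or from Docker; `export_secret_as_env` and its optional `SECRETS_DIR` argument (an override used for testing) are assumptions, and the `secret` / `as_env` pairing it mirrors is the syntax proposed in the issue.

```shell
#!/bin/sh
# Added example (not from the issue or Docker): an entrypoint helper that does,
# in one place, what the inline sh -c "export ... $(cat /run/secrets/...)"
# workaround does, so the application itself never has to read files.
#
# export_secret_as_env SECRET_NAME ENV_NAME [SECRETS_DIR]
#   Reads /run/secrets/SECRET_NAME (or SECRETS_DIR/SECRET_NAME) and exports it
#   as ENV_NAME, mirroring the proposed "secret: api_key / as_env: APP_API_KEY"
#   mapping. SECRETS_DIR is a hypothetical override, mainly for testing.
export_secret_as_env() {
    secret_name=$1
    env_name=$2
    secrets_dir=${3:-/run/secrets}
    path="$secrets_dir/$secret_name"

    # Only accept a valid shell identifier as the target name, so a mapping
    # read from configuration cannot smuggle in "=" or whitespace.
    if ! printf '%s' "$env_name" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
        printf 'refusing invalid variable name: %s\n' "$env_name" >&2
        return 1
    fi
    # Fail closed when the secret was not mounted; log the name, never the value.
    if [ ! -r "$path" ]; then
        printf 'secret %s not found at %s\n' "$secret_name" "$path" >&2
        return 1
    fi
    # Command substitution strips trailing newlines, which is what you want for
    # a secret created with `echo ... | docker secret create`; it also means a
    # secret whose value legitimately ends in a newline loses it.
    value=$(cat "$path")
    export "$env_name=$value"
    unset value
}

# Usage in an entrypoint, replacing the inline workaround (myapp is hypothetical):
#   export_secret_as_env api_key APP_API_KEY || exit 1
#   exec myapp
```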
Hi @mhfowler, we are in the process of releasing a new product called Secrets Engine which would support secret resolution (from a list of sources) and secret injection into a container. The near-term release supports environment variables by default: specify the secret id and it will get resolved upon starting the container.
There is no official date of release yet, but we're working tirelessly to make it happen in the coming months.
```bash
# set my secret in the keychain as foo=bar
docker run -it --env FOO=se://foo busybox /bin/sh
```