Using secret multiple times in a Dockerfile is a nuisance
Tell us about your request:
Using secret multiple times in a Dockerfile is a nuisance

Which service(s) is this request for?
buildx (Dockerfiles)

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Secrets are a great 1st step, but they can be a giant nuisance:
I have many RUN steps in my Dockerfile that all need the same secret. Instead of declaring one single ARG at a suitable place in the Dockerfile, I now have to repeat the secret all over the place. See the simplified example below.
Also, because of this, the --progress=tty option to docker build becomes unusable: unless I have an absolutely gigantic terminal width, the actual name of the step will be truncated from docker build's output, and I will only see the relatively unimportant flags dealing with the secret setup.
Docker bake is not an option for us, and combining the steps into one RUN command via shell mechanisms like the && operator or here-docs is not a clean solution IMO, because it will do things like prevent layer caching and parallel build stages (in our case we're compiling dozens of things, each with their own RUN step).
That's the problem description. A simple solution from my naive standpoint would be to have Dockerfile-wide secrets, similar to ARG. IIUC the secrets are secure, so I wouldn't expect there to be a problem if a secret gets mounted in a RUN step that doesn't need it.
# syntax=docker/dockerfile:1
# Every RUN step that needs the credentials has to repeat both secret mounts;
# env=... exposes each secret to the step as an environment variable instead of a file.
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \
    step1
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \
    step2
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \
    step3
...
Are you currently working around the issue?
For now, we're just living with the noise. We could think about parsing the output of --progress=plain or --progress=rawjson as mentioned here in the forum (https://forums.docker.com/t/using-secret-multiple-times-in-a-dockerfile-is-a-nuisance/149723?u=natdose), but this seems rather brittle.
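The request above assumes that a secret mount is safe to repeat in every RUN step while an ARG is not; the reason is that ARG and ENV values are recorded in the image config and layer history, whereas a --mount=type=secret is only visible to the RUN step that declares it. The following script is an added example, not code from the original request or from Docker/BuildKit: it parses a Dockerfile, flags ARG/ENV declarations whose names look like credentials (the name list is a constructed assumption), and lists which secret ids each RUN step mounts, so the repetition complained about above can at least be audited mechanically. The two sample Dockerfiles embedded in it are constructed for the demonstration.

```python
"""Audit how a Dockerfile exposes credentials.

ARG/ENV values end up in the image config and in the layer history
(visible via `docker history --no-trunc` and `docker image inspect`),
so a credential passed that way is recoverable by anyone who can pull
the image. `RUN --mount=type=secret,...` exposes the value only inside
that RUN step and leaves nothing in the layers, which is why it may be
repeated on every step without widening exposure.
"""
import re
import shlex

# Constructed list of credential-like variable names; extend as needed.
CREDENTIAL_NAME_RE = re.compile(
    r"(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|"
    r"GITHUB_TOKEN|NPM_TOKEN|.*_(PASSWORD|SECRET|TOKEN|API_KEY))$",
    re.IGNORECASE,
)
MOUNT_RE = re.compile(r"--mount=(\S+)")


def parse_instructions(dockerfile_text):
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations
    and skips blank lines, comments and parser directives (`# syntax=...`)."""
    instructions, buf = [], []
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        buf = []
        instructions.append((instr.upper(), args.strip()))
    return instructions


def secret_ids_of(run_args):
    """Secret ids mounted by a RUN instruction's --mount flags."""
    ids = []
    for flag in MOUNT_RE.findall(run_args):
        opts = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                    for kv in flag.split(","))
        if opts.get("type") == "secret":
            # BuildKit defaults id to the basename of target when id is omitted.
            ids.append(opts.get("id") or opts.get("target", "").rsplit("/", 1)[-1] or "?")
    return ids


def audit(dockerfile_text):
    """Return {'persisted': [(instr, name)], 'runs': [(command, [secret ids])]}.

    'persisted' lists ARG/ENV names that look like credentials (these are
    baked into image metadata); 'runs' lists each RUN command with the
    secret ids it mounts, with the --mount flags stripped for readability."""
    persisted, runs = [], []
    for instr, args in parse_instructions(dockerfile_text):
        if instr in ("ARG", "ENV"):
            for token in shlex.split(args):
                name = token.split("=", 1)[0]
                if CREDENTIAL_NAME_RE.match(name):
                    persisted.append((instr, name))
        elif instr == "RUN":
            runs.append((MOUNT_RE.sub("", args).strip(), secret_ids_of(args)))
    return {"persisted": persisted, "runs": runs}


# Constructed sample: the pattern from the request above (safe, but noisy).
GOOD = """\
# syntax=docker/dockerfile:1
FROM alpine:3.20
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \\
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \\
    aws s3 cp s3://bucket/one .
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,env=AWS_ACCESS_KEY_ID \\
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,env=AWS_SECRET_ACCESS_KEY \\
    aws s3 cp s3://bucket/two .
"""

# Constructed sample: the tempting "declare it once" approach that leaks.
BAD = """\
FROM alpine:3.20
ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY
ENV AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
RUN aws s3 cp s3://bucket/one .
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        result = audit(text)
        print(f"[{label}] credentials persisted via ARG/ENV: {result['persisted']}")
        for cmd, ids in result["runs"]:
            print(f"[{label}] RUN {cmd!r} mounts secrets {ids}")
```

Run it as a pre-build lint or against a checked-in Dockerfile; anything in `persisted` is a credential that will survive into the published image. To confirm after the fact, `docker history --no-trunc <image>` shows the recorded ARG values in the RUN layers of the BAD variant and nothing for the secret mounts of the GOOD one.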