
Use Swarm Secrets to receive AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Open tmm360 opened this issue 3 years ago • 5 comments

Currently the S3 documentation with the compose file reports:

AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}   # Read AWS secrets from environment (or a .env file)
AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}

but a .env file is not supported with a stack deployment on Swarm. Instead, Swarm implements Secrets, which would be a better solution for security purposes.

Their use has to be implemented in the application, reading for example from /run/secrets/aws_access_key_id and /run/secrets/aws_secret_access_key, because secrets are not injectable directly from docker-stack.yml into the environment.

tmm360, Apr 29 '21 00:04
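Added example, not code from the docker-volume-backup project: a POSIX sh helper implementing what this issue asks for, reading each AWS credential from a Swarm secret file under /run/secrets and falling back to the environment variable of the same name. The SECRETS_DIR override and the <VAR>_FILE naming convention are assumptions for the example, not project features.

```shell
#!/bin/sh
# Added example (not the project's own script): resolve a credential from a
# Swarm secret file first, then from the environment variable of the same name.
# Assumed convention: <VAR>_FILE names the file; default is $SECRETS_DIR/<var in lowercase>.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"   # overridable so this can be tested outside Swarm

# read_secret_or_env NAME
# Prints the value of NAME, taken from (in order):
#   1. the file named by $NAME_FILE, if that variable is set (must exist)
#   2. $SECRETS_DIR/<name in lowercase>, if that file exists
#   3. the environment variable $NAME itself
# Returns 1 if none of these yields a value. Trailing newlines are stripped by the
# $(...) substitution, since 'echo key | docker secret create ...' leaves one in the file.
read_secret_or_env() {
  name="$1"
  lower="$(printf '%s' "$name" | tr 'A-Z' 'a-z')"
  explicit="$(eval "printf '%s' \"\${${name}_FILE:-}\"")"
  if [ -n "$explicit" ] && [ ! -f "$explicit" ]; then
    echo "${name}_FILE points to a missing file: $explicit" >&2
    return 1
  fi
  file="${explicit:-$SECRETS_DIR/$lower}"
  if [ -f "$file" ]; then
    value="$(cat "$file")"
  else
    value="$(eval "printf '%s' \"\${${name}:-}\"")"
  fi
  [ -n "$value" ] || return 1
  printf '%s' "$value"
}

# Export both AWS variables for the aws CLI; fail fast if either is missing so the
# backup job does not run and silently skip the upload.
load_aws_credentials() {
  AWS_ACCESS_KEY_ID="$(read_secret_or_env AWS_ACCESS_KEY_ID)" \
    || { echo "missing AWS_ACCESS_KEY_ID (secret file or env var)" >&2; return 1; }
  AWS_SECRET_ACCESS_KEY="$(read_secret_or_env AWS_SECRET_ACCESS_KEY)" \
    || { echo "missing AWS_SECRET_ACCESS_KEY (secret file or env var)" >&2; return 1; }
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}
```

Sourcing this at the top of the backup script and calling load_aws_credentials lets the same image work with Swarm secrets, with an explicitly mounted file, or with plain environment variables.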

This makes sense.

Want to open a PR? 🙂

jareware, May 07 '21 09:05

Ok I can, but I will need some time. 👍

tmm360, May 07 '21 14:05

Any progress on this?

marcin-wlodarczyk, Feb 21 '22 23:02

No, sorry, very busy with other projects... at this point, if anyone else wants to open a PR, please.

tmm360, Feb 21 '22 23:02

I think you do not need to alter the script but rather alter the readme.

I solved the problem by just creating the whole credentials file as a secret and referencing the actual file with the env var AWS_SHARED_CREDENTIALS_FILE. Btw., this is not only useful for secrets but also pretty useful for local environments, if you prefer not to store the credentials within the yml.

i.e.:

backup:
  image: jareware/docker-volume-backup
  environment:
    AWS_S3_BUCKET_NAME: my-backup-bucket      # S3 bucket which you own, and already exists
    AWS_SHARED_CREDENTIALS_FILE: /run/secrets/aws3_credentials   # Swarm mounts the secret at this path
  secrets:
    - aws3_credentials   # service-level secrets is a list, so the entry needs the leading dash

# At the top level of the stack file (same level as `services:`), the secret must
# also be declared; `external: true` assumes it was created beforehand with
# `docker secret create aws3_credentials <path to credentials file>`.
secrets:
  aws3_credentials:
    external: true

schiggi, Nov 18 '22 19:11