Secrets With Services
- There are two ways to create a secret in swarm:
- Pass a file containing the secret as the argument
- Echo the secret into the command, passing - so the value is read from stdin
~> cat psql_user.txt
mypsqluser
~> docker secret create psql_user psql_user.txt
q4xgw4b6dvjxk2fjg88aiuics
~> echo 'myDBpassWORD' | docker secret create psql_pass -
wmrz0hdobsb3fbruf0hrqgdn4
- Docker never exposes a secret's value to a user directly; inspect shows only metadata, never the payload
- Only the containers of a service that has been granted the secret get the decrypted value (mounted under /run/secrets)
~> docker secret inspect psql_user
[
{
"ID": "q4xgw4b6dvjxk2fjg88aiuics",
"Version": {
"Index": 283
},
"CreatedAt": "2017-10-04T16:34:37.483093429Z",
"UpdatedAt": "2017-10-04T16:34:37.483093429Z",
"Spec": {
"Name": "psql_user",
"Labels": {}
}
}
]
A service has access to the secrets assigned to it
~> docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass -e POSTGRES_USER_FILE=/run/secrets/psql_user postgres
42773fipnmxaage7ucu3xq0go
~> docker service ps psql
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
gb0euuj7neya psql.1 postgres:latest node3 Running Running 2 seconds ago
~> docker exec -it psql.1.gb0euuj7neyag7qb55ookc72t bash
root@9ddfc22579b1:/
psql_pass psql_user
root@9ddfc22579b1:/
mypsqluser
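The service above hands the postgres image file paths (POSTGRES_USER_FILE, POSTGRES_PASSWORD_FILE) instead of plaintext values, and the image reads the secret out of /run/secrets at startup. The following is an added example of that *_FILE convention written as a small POSIX sh function; it is not the postgres image's own entrypoint, and the secrets directory and values are constructed in a temp dir to stand in for /run/secrets.

```shell
#!/bin/sh
# Added example (not the postgres image's script): resolve a setting from
# either VAR or the file named by VAR_FILE, the way a swarm secret mounted
# under /run/secrets is consumed. Refuses to proceed if both are set.

# read_secret VAR [DEFAULT]  -> prints the resolved value
read_secret() {
    var="$1"
    def="${2:-}"
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "fval=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$fval" ]; then
        echo "error: both $var and $file_var are set" >&2
        return 1
    fi
    if [ -n "$fval" ]; then
        if [ ! -r "$fval" ]; then
            echo "error: $file_var points to unreadable file $fval" >&2
            return 1
        fi
        # $(cat ...) drops the trailing newline that
        # `echo 'value' | docker secret create name -` leaves in the secret
        val="$(cat "$fval")"
    fi
    printf '%s\n' "${val:-$def}"
}

# Constructed stand-in for /run/secrets (values taken from the notes above)
secrets_dir="$(mktemp -d)"
trap 'rm -rf "$secrets_dir"' EXIT
printf 'mypsqluser' > "$secrets_dir/psql_user"
printf 'myDBpassWORD\n' > "$secrets_dir/psql_pass"   # trailing newline, as from echo

# Same environment the service create command sets, plus a plain variable
POSTGRES_USER_FILE="$secrets_dir/psql_user"
POSTGRES_PASSWORD_FILE="$secrets_dir/psql_pass"
POSTGRES_DB=appdb

demo() {
    echo "user: $(read_secret POSTGRES_USER)"
    echo "db:   $(read_secret POSTGRES_DB)"
    # Never echo the password itself; show only that it resolved
    read_secret POSTGRES_PASSWORD >/dev/null && echo "password: resolved"
}
demo
```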
- Adding or removing a secret on a running service redeploys its containers (the secret mount is only changed by rolling out new tasks)
docker service update --secret-add <secret> <service>
docker service update --secret-rm <secret> <service>