This method allows you to feed secrets from Infisical into your container using the --env-file flag of the docker run command. Rather than giving the flag a file path to your env file, you'll use the Infisical CLI to create a virtual file path.

For this method to function as expected, you must have a bash shell (for process substitution) and the Infisical CLI installed in the environment where you will be running the docker run command.

1. Authentication

If you are already logged in via the CLI you can skip this step. Otherwise, head to your organization settings in Infisical Cloud to create a Machine Identity. The machine identity will allow you to authenticate and fetch secrets from Infisical. Once you have created a machine identity with the required permissions, you’ll need to feed the token to the CLI.

Please note that we highly recommend using infisical login for local development.

Pass as flag

You may use the --token flag to set the token.

infisical export --token=<>

Pass via shell environment variable

The CLI is configured to look for an environment variable named INFISICAL_TOKEN. If set, it’ll attempt to use it for authentication.

export INFISICAL_TOKEN=<>

You can use the infisical login --method=universal-auth command to directly obtain a universal auth access token and set it as an environment variable.

  export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --silent --plain)

In production scenarios, please avoid using the infisical login command and instead use a machine identity.

2. Run your docker command with Infisical

Next, use the --env-file flag of the docker run command with the Infisical CLI to point to your secrets. Under the hood, this command will fetch secrets from Infisical and serve them as a file to the --env-file flag.

# In this example, executing a docker run command will initiate an empty Alpine container and display the environment variables passed to it by Infisical.
docker run --rm --env-file <(infisical export --format=dotenv) alpine printenv

To view all options of the export command, see the infisical export command reference.

When using the --env-file option, note that Docker does not support secrets that span multiple lines.
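A pre-flight check for the multi-line limitation above, as an added example that is not part of the Infisical documentation or CLI. The hypothetical helper envfile_multiline_keys reads dotenv text and names every key whose value continues past one line, so the docker run can be stopped before the container starts; the sample input is constructed, and the key-name and quoting rules are assumptions.

```bash
# Added example, not Infisical's code. Reads dotenv text on stdin, prints each key
# whose value runs past one line, and returns non-zero if any is found. Assumptions:
# keys are shell-style identifiers, values may be quoted, no escaped quotes.
envfile_multiline_keys() (
  key="" open="" found=0 last=""
  flag() {  # print a key once and record that something was found
    [ "$1" = "$last" ] || { printf '%s\n' "$1"; last="$1"; }
    found=1
  }
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$open" ]; then
      # Inside an unclosed quote: a continuation, even if it looks like KEY=VALUE.
      case "$line" in *"$open") open="" ;; esac
      continue
    fi
    case "$line" in ''|'#'*) continue ;; esac   # blank line or comment
    name="${line%%=*}"
    case "$line" in *=*) ;; *) name="" ;; esac
    case "$name" in [0-9]*|*[!A-Za-z0-9_]*) name="" ;; esac
    if [ -z "$name" ]; then
      flag "${key:-<no key>}"   # not KEY=VALUE: spill-over from the previous key
      continue
    fi
    key="$name"; value="${line#*=}"
    q="${value%"${value#?}"}"   # first character of the value
    case "$q" in
      \'|\")
        # Quote opened but not closed on the same line.
        if [ "${#value}" -eq 1 ] || [ "${value#"${value%?}"}" != "$q" ]; then
          open="$q"; flag "$key"
        fi ;;
    esac
  done
  [ "$found" -eq 0 ]
)

# Constructed sample input (no real secrets).
SAMPLE_ENV='DB_HOST=db.internal
TLS_KEY="-----BEGIN PRIVATE KEY-----
Q29uc3RydWN0ZWQ=
-----END PRIVATE KEY-----"
NOTES=first line
second line
PORT=5432'
printf '%s\n' "$SAMPLE_ENV" | envfile_multiline_keys ||
  echo "multi-line values found: do not pass this output to --env-file" >&2
# Usage with the command from this page (bash):
#   secrets="$(infisical export --format=dotenv)" &&
#   printf '%s\n' "$secrets" | envfile_multiline_keys >&2 &&
#   docker run --rm --env-file <(printf '%s\n' "$secrets") alpine printenv
```

Only key names are printed, never values, so the check's output is safe to leave in CI logs.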