Docker Run
Learn how to pass secrets to your docker container at run time.
This method allows you to feed secrets from Infisical into your container using the --env-file
flag of docker run
command.
Rather than giving the flag a file path to your env file, you’ll use the Infisical CLI to create a virtual file path.
For this method to function as expected, you must have a bash shell (for processing substitution) and the Infisical CLI installed in the environment where you will be running the docker run
command.
1. Authentication
If you are already logged in via the CLI you can skip this step. Otherwise, head to your organization settings in Infisical Cloud to create a Machine Identity. The machine identity will allow you to authenticate and fetch secrets from Infisical. Once you have created a machine identity with the required permissions, you’ll need to feed the token to the CLI.
Please note that we highly recommend using infisical login
for local development.
Pass as flag
You may use the —token flag to set the token
Pass via shell environment variable
The CLI is configured to look for an environment variable named INFISICAL_TOKEN
. If set, it’ll attempt to use it for authentication.
You can use the infisical login --method=universal-auth
command to directly obtain a universal auth access token and set it as an environment variable.
In production scenarios, please to avoid using the infisical login
command and instead use a machine identity.
2. Run your docker command with Infisical
Next, use the —env-file flag of the docker run
command with Infisical CLI to point to your secrets.
Under the hood, this command will fetch secrets from Infisical and serve them as a file to the --env-file
flag.
To view all options of the export
command, click here
When using the —env-file option, Docker does not have the capability to support secrets that span multiple lines.
Was this page helpful?