Docker Secrets
Description
Learn how to use Docker Secrets to hide sensitive information (like your password) in your compose file.
Transcript
[00:00] Adding a plain text password to your docker compose file isn't a very secure practice. In this lesson, I'll demonstrate how to use Docker Secrets with Compose to obfuscate your passwords. I'll be doing this with a very simple Docker Compose project that contains Ignition gateways and assigns a gateway admin password via an environment variable. I'll start by creating a folder to house my password and I'm going to call it "secrets". Then in this folder, I'll create a file that's called "GATEWAY_PASSWORD". My default password for my gateway is currently just "password", but in the spirit of being more secure, I'm going to use a random assortment of letters, numbers, and symbols as the new password and I'll save my file. Now I can go back and modify my compose file. For demonstration purposes, I'll only be modifying the password of my frontend gateway. I'll add a new key called "secrets" to my frontend gateway service and then my secret will be called "gateway-password".
[01:03] Then at the bottom of the file, I'll add a section for secrets and add "gateway-password". And then the file that houses the secret, which is in the secrets folder I just created. The last step is to change the environment variable that passes the gateway admin password. Instead of a plain text password, this will point to the location of my secret. I can do this by appending the "_file" suffix to an environment variable and it lets it know that the variable will come from a file. Then I'll change this value from "password" to the default location of the secret, which is "/run/secrets/" and then the name of the secret, "gateway-password". These are all the pieces that I need, so now I can test it out. My containers are already running. So I'm going to use "docker compose down -v" to stop them and remove the existing volumes. Now I can start them up and I'll first log into the backend gateway to show it still using the old password.
[02:12] I can copy "password" from the compose file. And you can see that it logs me in. Now I'll log into the frontend gateway and I'll copy and paste the password that's in the "GATEWAY_PASSWORD" file. And you can see that that logs me in. That's all there is to it. As you can see, secrets are useful when you don't want to reveal sensitive information in your compose file. For more information on Docker Secrets, you can refer to the Docker documentation linked in the description below.