How Can I Reference Secrets During Docker Deployment?

Asked By CleverFox27 On

I'm using a simple Docker setup where I include secrets like database credentials and API keys through an .env file for my PHP application running in the container. However, I'm unsure how to register or access those secrets when I deploy a Docker image. I feel that sending an .env file isn't the best approach, but I want my PHP application to remain portable and fetch its configuration from environment variables. How can I get env vars into a Docker image during deployment? For instance, if those variables are stored in a service like AWS Secrets Manager, I'm confused about how to manage that process beyond just a dev environment with .env files.

5 Answers

Answered By SecuritySavvy79 On

If you're open to adjustments, look into using HashiCorp Vault for managing secrets.

Answered By TechWizard44 On

It really depends on where you're deploying. If you're on Kubernetes, you can sync secrets from external storage like Vault. For a VPS, you can retrieve secrets using a simple bash script to call your secret store and inject them as environment variables. Alternatively, consider building your secrets directly into your app at startup to avoid using env vars.

Answered By SavvyCoder99 On

To handle secrets properly, you should store them safely and make them available in your Docker container by assigning them to environment variables or by mounting them as files. For instance, you could create different .env files for development and production, like .env-dev and .env-prod, and mount the appropriate one to /.env in your container depending on where it’s running.

Answered By DockerDiviner12 On

You can pass environment variables at runtime using Docker commands. Check out the Docker documentation for setting them via the `docker container run` command or using Docker Compose. Here’s a quick link for reference: [Docker Docs on Environment Variables](https://docs.docker.com/reference/cli/docker/container/run/#env). Just be cautious with your links to avoid wrong redirects.

Answered By EnvMaster8 On

When you build your Docker image, set the secrets as environment variables using the ENV directive in your Dockerfile. You can also utilize Docker secrets to manage sensitive data, where secrets are stored in files and read by your container at runtime.

CriticalEye23 -

Just a heads up, adding secrets at build time can be risky. If you're using AWS, consider loading them at runtime with AWS Parameter Store or Secrets Manager instead.
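The runtime approach several answers point to (secrets mounted as files and handed to the application as environment variables at container start) can be done with a small entrypoint script. This is an added example, not part of the thread: `SECRETS_DIR`, `REQUIRED_VARS` and the function names are assumptions, and `/run/secrets` is the default location where Docker mounts secrets.

```shell
#!/bin/sh
# Added example: entrypoint that turns mounted secret files into env vars at start-up.
# SECRETS_DIR, REQUIRED_VARS and the function names are assumptions for illustration.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"   # where Docker mounts secrets by default

# Export each regular file in directory $1: file name (upper-cased) becomes the
# variable name, file content the value. Returns 1 on a name that is not a
# valid variable name, so a mis-named secret fails loudly instead of silently.
load_secret_files() {
    dir="$1"
    [ -d "$dir" ] || return 0              # nothing mounted: nothing to do
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f" | tr '[:lower:]' '[:upper:]')
        case "$name" in
            ''|[!A-Z_]*|*[!A-Z0-9_]*)
                echo "invalid secret name: $f" >&2
                return 1 ;;
        esac
        value=$(cat "$f")                  # $(...) drops the trailing newline
        export "$name=$value"              # the value is never echoed or logged
    done
    unset value
}

# Fail closed when a required variable is empty. Reports names only, never values.
# Names are chosen by whoever configures the container, so eval sees no user input.
require_vars() {
    missing=0
    for v in "$@"; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing required secret: $v" >&2
            missing=1
        fi
    done
    unset val
    return "$missing"
}

# Entrypoint mode: load, verify, then replace this shell with the app process.
if [ "$#" -gt 0 ]; then
    load_secret_files "$SECRETS_DIR" || exit 1
    # shellcheck disable=SC2086  # word splitting of the name list is intended
    require_vars ${REQUIRED_VARS:-} || exit 1
    exec "$@"
fi
```

Used as the image's entrypoint with the PHP process as the command, the application reads the values with `getenv()` and the image itself contains no secret.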
