Docker env vars and secrets

Topic: Containers core

Summary

Pass non-secret config as environment variables (-e on docker run, or environment:/env_file: in Compose). Deliver sensitive values as files instead: Docker secrets, a read-only mount, or injection from a secrets manager at runtime. Never bake secrets into images, where they persist in layer history. Use this when configuring containers or handling secrets.

Intent: How-to

Quick answer

  • docker run -e VAR=value image (or -e VAR alone to copy the host's value). Compose: environment: or env_file:. ${VAR} in the Compose file is substituted from the host shell or the project's .env file, not from a service's env_file. Anything passed as an environment variable is readable with docker inspect and by every process in the container.
  • Secrets: prefer files over environment variables: docker secret (Swarm), a read-only file mount, or runtime injection from a vault. Never set secrets with ENV or ARG in a Dockerfile (both are recorded in docker history) and never commit a .env or env_file that carries secrets.
  • Compose: declare secrets: at top level and reference them under the service. A file: source is mounted at /run/secrets/<name> on a single host with no Swarm needed; external: refers to a Swarm-managed secret. If you must fall back to env_file for a secret, restrict it to 0600 and keep it out of version control.

Prerequisites

  • Docker Engine with the Compose plugin (docker compose). Swarm mode (docker swarm init) is needed only if you use docker secret.

Steps

  1. Non-secret config

    Pass with -e on docker run, or environment:/env_file: in Compose; ${VAR} in the Compose file is filled from the host shell or the project .env.

  2. Secrets

    Use Docker secrets in Swarm or Compose's file-backed secrets:, a read-only bind mount of the secret file, or runtime injection from a vault. Keep secret files 0600 and have the app read the file path (commonly passed as a *_FILE variable) rather than the value from its environment.

  3. Verify

    Confirm the app sees its config, then check that no secret value appears in docker history --no-trunc for the image, in the container's Config.Env from docker inspect, or in container logs.
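
The three steps above as one runnable layout. This is an added example, not code from the original page: it writes a constructed .env, a 0600 secret file, a Compose file that mounts the secret at /run/secrets/db_password without Swarm, and a Dockerfile that carries only a non-secret default, then runs offline checks that nothing credential-like sits in the Dockerfile or the env file. The service name app, the secret name db_password, the APP_* variables and the secret value are assumptions for illustration; the Docker-dependent verification runs only when a daemon is reachable.

```sh
#!/bin/sh
# Added example, not from the original page. Sets up a single-host Compose
# project that keeps non-secret config in .env and environment:, delivers one
# secret as a 0600 file mounted at /run/secrets/, and runs offline checks that
# the Dockerfile and env files leak nothing. Names (app, db_password, APP_*)
# and the secret value are constructed for illustration.
set -eu

WORKDIR=$(mktemp -d)
cd "$WORKDIR"
SECRET_VALUE='s3cr3t-from-vault'   # constructed; a real value comes from a vault

# 1. Non-secret config. Compose reads .env for ${VAR} substitution.
cat > .env <<'EOF'
APP_ENV=production
APP_PORT=8080
EOF

# 2. Secret as a file, created under umask 077 so it is never group/world-readable.
mkdir -p secrets
( umask 077; printf '%s\n' "$SECRET_VALUE" > secrets/db_password.txt )

# Compose file: env for config, secrets: for the credential. With a file: source
# Compose bind-mounts it at /run/secrets/db_password; no Swarm is required.
cat > docker-compose.yml <<'EOF'
services:
  app:
    build: .
    env_file: .env
    environment:
      APP_PORT: ${APP_PORT:-8080}
      DB_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
secrets:
  db_password:
    file: ./secrets/db_password.txt
EOF

# Dockerfile: only a non-secret default; the app reads the credential from the
# path in DB_PASSWORD_FILE at runtime, so nothing sensitive enters a layer.
cat > Dockerfile <<'EOF'
FROM alpine:3.19
ENV APP_ENV=production
CMD ["sh", "-c", "echo env=$APP_ENV; wc -c < \"$DB_PASSWORD_FILE\""]
EOF

# Flags ENV/ARG lines whose name looks like a credential. ARG counts even
# without a default: build-arg values are recorded in the layers that use them.
dockerfile_has_secret() {
    grep -Eiq '^(ENV|ARG)[[:space:]]+[A-Z0-9_]*(PASS(WORD)?|SECRET|TOKEN|API_?KEY)[A-Z0-9_]*([[:space:]=]|$)' "$1"
}

# env_file contents end up in `docker inspect` of every container using them.
env_file_has_secret() {
    grep -Eiq '^[A-Z0-9_]*(PASS(WORD)?|SECRET|TOKEN|API_?KEY)[A-Z0-9_]*=' "$1"
}

# A secret file must be readable by its owner only (GNU stat first, then BSD stat).
secret_file_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo unknown)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 3. Runtime verification; needs a Docker daemon, so it is skipped otherwise.
verify_with_docker() {
    docker compose build --quiet app
    docker compose up -d app
    img=$(docker compose images -q app)
    if docker history --no-trunc "$img" | grep -q "$SECRET_VALUE"; then
        echo "secret leaked into image history"; return 1
    fi
    if docker compose exec -T app env | grep -q "$SECRET_VALUE"; then
        echo "secret leaked into container environment"; return 1
    fi
    docker compose down -v
}

if dockerfile_has_secret Dockerfile; then echo "Dockerfile bakes a secret"; exit 1; fi
if env_file_has_secret .env; then echo ".env carries a secret"; exit 1; fi
secret_file_mode_ok secrets/db_password.txt || { echo "secret file too permissive"; exit 1; }
if docker info >/dev/null 2>&1; then verify_with_docker; fi
echo "static checks passed in $WORKDIR"
```

Run it with sh; the static checks pass on the generated files, and the runtime checks execute only where docker info succeeds. The point of the layout is that the application receives a path (DB_PASSWORD_FILE) and reads the credential itself, so the value never passes through -e, env_file, ENV or ARG, and the two grep-based checks fail the run as soon as someone adds a PASSWORD-, SECRET-, TOKEN- or API_KEY-named variable to the Dockerfile or .env.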

Verification

  • Config present in the container; no secret value in image history, docker inspect output, or logs.

Troubleshooting

Var empty: check the host shell environment or the project .env; ${VAR} substitution does not read a service's env_file. Secret exposed: treat the value as compromised and rotate it, then rebuild the image from a Dockerfile that never carried it (deleting the secret in a later layer leaves it in history) and switch to runtime injection.

Next steps

Continue to