Here’s an interesting trick. Say you need to build a docker container that installs a python package from a private github repository. How do you provide the credentials to pip without leaking those credentials? (Here’s an article that does a good job explaining why this is an issue.)

The solution is BuildKit. This is the feature behind the --secret flag in Docker 18.09+. It exposes a file or environment variable to a single build step as a mounted secret, so the secret's contents are not accessible afterwards in the intermediate layers or the build cache.

This lets us install dependencies securely by adding a personal access token to the GitHub URL.

We can obtain a token as described here.

For example, we would change the docker build command to the following to provide the secret token from the $FOO_REPO_SECRET environment variable. Note that BuildKit is disabled by default and must be enabled by setting the DOCKER_BUILDKIT=1 environment variable.

DOCKER_BUILDKIT=1 docker build --secret id=FOO_REPO_SECRET,env=FOO_REPO_SECRET -t IMG_NAME .

This creates a file, /run/secrets/FOO_REPO_SECRET, with the contents of $FOO_REPO_SECRET. Then, accordingly, we would modify the Dockerfile:

# Dockerfile
# The secret is mounted only for this RUN step, so the token never lands in a layer.
# Use $(cat ...) rather than the bash-only $(<file) form: RUN executes under /bin/sh by default.
RUN --mount=type=secret,id=FOO_REPO_SECRET \
    pip install git+https://$(cat /run/secrets/FOO_REPO_SECRET)@github.com/foo/bar

However, it's not entirely robust. For example, this would fail if that repository had private dependencies of its own, since pip would fetch those through git without the token. To deal with this, we need to configure git.

Drawing from this article, we can adapt the “Silver Bullet” to Docker. With the same build command, we would change the Dockerfile like so:

# Dockerfile
# Rewrite every GitHub URL form (https, ssh://, scp-style) to an https URL that carries a
# username, so git asks for the password through GIT_ASKPASS instead of an interactive prompt.
# The askpass helper reads the token from the secret mount at call time; it gets a shebang
# so git can execute it directly.
RUN git config --global url."https://api@github.com/".insteadOf "https://github.com/" \
 && git config --global url."https://ssh@github.com/".insteadOf "ssh://git@github.com/" \
 && git config --global url."https://git@github.com/".insteadOf "git@github.com:" \
 && printf '#!/bin/sh\ncat /run/secrets/FOO_REPO_SECRET\n' > /.git-askpass \
 && chmod +x /.git-askpass
ENV GIT_ASKPASS=/.git-askpass
# The mount exists only during this step; the helper script persists, the token does not.
RUN --mount=type=secret,id=FOO_REPO_SECRET \
    pip install -r requirements.txt
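To verify the claim that the token never ends up in a layer, here is an added check in Python (not part of the original post): it takes the bytes of a `docker save IMG_NAME > image.tar` archive and reports every file in every layer whose contents contain the token. It assumes the classic `<id>/layer.tar` layout or OCI blobs that parse as tars; the sample archive it builds is a constructed fixture, not a real image.

```python
import io
import tarfile


def _tar_bytes(files):
    """Pack {name: bytes} into an uncompressed tar and return it as bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def find_secret_leaks(image_tar, secret):
    """Return [(layer, path)] for every regular file, in every layer of the
    `docker save` archive given as bytes, whose contents contain `secret`.
    Any archive member that itself parses as a (possibly compressed) tar is
    treated as a layer, which covers both the classic and OCI layouts."""
    needle = secret.encode()
    leaks = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        for entry in image.getmembers():
            if not entry.isfile():
                continue
            blob = image.extractfile(entry).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(blob))
            except tarfile.TarError:
                continue  # manifest.json, image config, etc. are not layers
            with layer:
                for member in layer.getmembers():
                    if member.isfile() and needle in layer.extractfile(member).read():
                        leaks.append((entry.name, member.name))
    return leaks


def build_sample_image(secret):
    """Constructed fixture (not a real image): two layers, one holding the
    askpass helper from the post, one where a careless step wrote the token
    into a .netrc file, which is exactly the kind of leak the scan should catch."""
    helper = b"#!/bin/sh\ncat /run/secrets/FOO_REPO_SECRET\n"
    return _tar_bytes({
        "aaa/layer.tar": _tar_bytes({".git-askpass": helper}),
        "bbb/layer.tar": _tar_bytes({"root/.netrc": b"password " + secret.encode() + b"\n"}),
    })
```

Against a real build, run `find_secret_leaks(open("image.tar", "rb").read(), token)` after `docker save`; an empty list means no layer file contains the token verbatim.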