docs/current_docs/cookbook/secrets.mdx
import UseSecretVariable from "@cookbookSecret/_use-secret-variable.mdx"; import MountFilesAsSecret from "@cookbookSecret/_mount-files-as-secret.mdx"; import UseSecretInDockerfileBuild from "@cookbookSecret/_dockerfile-build.mdx";
This page contains practical examples for working with secrets in Dagger. Each section below provides code examples in multiple languages and demonstrates different approaches to secret management and usage.
<UseSecretVariable /> <MountFilesAsSecret /> <UseSecretInDockerfileBuild />By default, the layer cache entries for operations that include a secret will be based on the plaintext value of the secret. Operations that include secrets with the same plaintext value may share cache entries, but if the plaintext differs then the operation will not share cache entries.
In some cases, users may desire that operations share the layer cache entries even if the secret plaintext value is different. For example, a secret may often rotate in plaintext value but not be meaningfully different; in these cases, it should still be possible to reuse the cache for operations that include that secret.
For these use cases, the optional cacheKey argument to Secret construction can be used to specify the "cache key" of the secret. Secrets that share the same cacheKey will be considered equivalent when checking the layer cache for operations that include them, even if their plaintext value differs.
Use a secret with a specified cache key:
<Tabs groupId="shell"> <TabItem value="System shell"> ```shell dagger -c 'github-api $(secret env://GITHUB_API_TOKEN --cache-key my-cache-key)' ``` </TabItem> <TabItem value="Dagger Shell"> ```shell title="First type 'dagger' for interactive mode." github-api $(secret env://GITHUB_API_TOKEN --cache-key my-cache-key) ``` </TabItem> <TabItem value="Dagger CLI"> ```shell dagger call github-api --token=env://GITHUB_API_TOKEN?cacheKey=my-cache-key ``` </TabItem> </Tabs>