ContextQMD
Back to Infisical

Docker Entrypoint

docs/integrations/platforms/docker.mdx

0.159.255.5 KB
Original Source

This approach allows you to inject secrets from Infisical directly into your application. This is achieved by installing the Infisical CLI into your docker image and modifying your start command to execute with Infisical.

Install the Infisical CLI to your Dockerfile

To install the CLI, follow the instructions for your chosen distribution here.

<Tip> We recommend you to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. [View versions](https://github.com/Infisical/cli/releases) </Tip>

Modify the start command in your Dockerfile

Starting your service with the Infisical CLI pulls your secrets from Infisical and injects them into your service.

<Tabs> <Tab title="Machine Identity (Recommended)"> ```dockerfile CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "[your service start command]"]

example with single single command

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--", "npm", "run", "start"]

example with multiple commands

CMD ["infisical", "run", "--projectId", "<your-project-id>", "--command", "npm run start && ..."]


<Steps>
  <Step title="Generate a machine identity">
    Generate a machine identity for your project by following the steps in the [Machine Identity](/documentation/platform/identities/machine-identities) guide. The machine identity will allow you to authenticate and fetch secrets from Infisical.
  </Step>
  <Step title="Obtain an access token for the machine identity">
    Obtain an access token for the machine identity by running the following command:
    ```bash
    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --plain --silent)
    ```

    <Info>
     Please note that the access token has a limited lifespan. The `infisical token renew` command can be used to renew the token if needed.
    </Info>
  </Step>
  <Step title="Feed the access token to the docker container">
    The last step is to give the Infisical CLI installed in your Docker container access to the access token. This will allow the CLI to fetch and inject the secrets into your application.

    To feed the access token to the container, use the INFISICAL_TOKEN environment variable as shown below.

    ```bash
    docker run --env INFISICAL_TOKEN=$INFISICAL_TOKEN [DOCKER-IMAGE]...
    ```
  </Step>
</Steps>

### Using a Starting Script

The drawback of the previous method is that you would have to generate the `INFISICAL_TOKEN` manually. To automate this process, you can use a shell script as your starting command.

<Steps>
  <Step title="Generate a Machine Identity">
    Create a machine identity for your project by following the steps in the [Machine Identity](/documentation/platform/identities/machine-identities) guide. This identity will enable authentication and secret retrieval from Infisical.
  </Step>

  <Step title="Create the Shell Script">
    Create a shell script to obtain an access token for the machine identity:

    ```bash script.sh
    #!/bin/sh
    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_MACHINE_CLIENT_ID --client-secret=$INFISICAL_MACHINE_CLIENT_SECRET --plain --silent)
    exec infisical run --token $INFISICAL_TOKEN --projectId $PROJECT_ID --env $INFISICAL_SECRET_ENV --domain $INFISICAL_API_URL -- <starting script>
    ```

    > **Note:** The access token has a limited lifespan. Use the [infisical token renew](/cli/commands/token) CLI command to renew it when necessary.
		<Warning>
		Caution: Implementing this directly in your Dockerfile presents two key issues:

		1. Lack of persistence: Variables set in one build step are not automatically carried over to subsequent steps, complicating the process.
		2. Security risk: It exposes sensitive credentials inside your container, potentially allowing anyone with container access to retrieve them.
		</Warning>
  </Step>

  <Step title="Update Your Dockerfile">
    Grant the Infisical CLI access to the access token, inside your Docker container. This allows the CLI to fetch and inject secrets into your application.

    Add the following line to your Dockerfile:

    ```dockerfile
    CMD ["./script.sh"]
    ```
  </Step>
</Steps>

</Tab>
<Tab title="Service Token (Deprecated)">
```dockerfile
CMD ["infisical", "run", "--", "[your service start command]"]

# example with single single command
CMD ["infisical", "run", "--", "npm", "run", "start"]

# example with multiple commands
CMD ["infisical", "run", "--command", "npm run start && ..."]
<Steps> <Step title="Generate a service token"> Head to your project settings in the Infisical dashboard to generate an [service token](/documentation/platform/token). This service token will allow you to authenticate and fetch secrets from Infisical. Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI installed in your docker container. </Step> <Step title="Feed service token to docker container"> The last step is to give the Infisical CLI installed in your Docker container access to the service token. This will allow the CLI to fetch and inject the secrets into your application. 
  To feed the service token to the container, use the INFISICAL_TOKEN environment variable as shown below.

  ```bash
  docker run --env INFISICAL_TOKEN=[token] [DOCKER-IMAGE]...
  ```
</Step>
</Steps> </Tab> </Tabs>