在docker容器中获取弹性beanstalk环境变量

Question

So, i'm trying not to put sensitive information on the dockerfile. A logical approach is to put the creds in the ebs configuration (the GUI) as a ENV variable. However, docker build doesn't seem to be able to access the ENV variable. Any thoughts?

FROM jupyter/scipy-notebook

USER root

ARG AWS_ACCESS_KEY_ID
RUN echo {$AWS_ACCESS_KEY_ID}

Answer 1

Putting sensitive information (for a Dockerfile to use) can be either for allowing a specific step of the image to run (build time), or for the resulting image to have that secret still there at runtime.
For runtime, if you can use the latest docker 1.13 in a swarm mode configuration, you can manage secrets that way

But the first case (build time) is typically for passing credentials to an http_proxy , and that can be done with --build-arg :

 docker build --build-arg HTTP_PROXY=http://...

This flag allows you to pass the build-time variables that are accessed like regular environment variables in the RUN instruction of the Dockerfile.
Also, these values don't persist in the intermediate or final images like ENV values do.

In that case, you would not use ENV , but ARG :

ARG <name>[=<default value>]

The ARG instruction defines a variable that users can pass at build-time to the builder with the docker build command using the --build-arg <varname>=<value> flag

Answer 2

I assume that for every deployment you create a new Dockerrun.aws.json file with the correct docker image tag for that deployment. At deployment stage, you can inject environment values which will then be used in docker run command by EB agent. So your docker containers can now access to these environment variables.