Agent Secrets Injection: Docker

Security · updated Fri Feb 27

Securely delivering API keys and database credentials to agents without leaking them in logs or images.

Steps

  1. Use Docker Swarm `docker secret` or the Compose `secrets:` key to mount keys as temporary files rather than passing values on the command line.
  2. Prohibit the use of `ARG` or `ENV` for sensitive data to prevent image-layer leaks.
  3. Mount `/run/secrets` as a read-only volume accessible only by the agent process.
  4. Rotate keys automatically; the agent must handle SIGTERM and reload the new secrets from the mounted files.
  5. Scrub environment and logs so that secrets are never echoed in `docker inspect` output.
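
A small agent-side loader illustrating steps 1 to 5 together, added here as an example rather than code from the original page: it reads secrets only from mounted files (Docker's `/run/secrets` by default), re-reads them on a rotation signal, redacts known values before they reach a log line, and flags environment variables that appear to carry secret values instead of `*_FILE` paths. The `SecretStore`, `suspicious_env_vars` and `demo` names, the sample key values and the temp directory used by `demo` are all constructed for this example.

```python
import signal
import tempfile
from pathlib import Path

class SecretStore:
    """Reads secrets from mounted files, reloads them on a signal, redacts them from log text."""
    # Assumed layout: Docker mounts each secret as a file under /run/secrets (demo passes a temp dir).
    def __init__(self, names, directory="/run/secrets"):
        self.names = list(names)
        self.directory = Path(directory)
        self._values = {}
        self.reload()
    def reload(self, *_signal_args):
        """Re-read every secret file, failing closed if one is missing; doubles as the signal handler."""
        loaded = {}
        for name in self.names:
            path = self.directory / name
            if not path.is_file():
                raise FileNotFoundError(f"secret {name!r} not mounted at {path}")
            loaded[name] = path.read_text(encoding="utf-8").rstrip("\n")
        self._values = loaded  # swap the whole dict so readers never see a half-rotated set
    def listen(self, signum):
        """Reload on the rotation signal (the step above names SIGTERM; SIGHUP is the usual choice)."""
        signal.signal(signum, self.reload)
    def get(self, name):
        return self._values[name]
    def redact(self, text):
        """Replace every known secret value before text reaches a log line."""
        for value in self._values.values():
            if value:
                text = text.replace(value, "[REDACTED]")
        return text

def suspicious_env_vars(environ, markers=("KEY", "TOKEN", "PASSWORD", "SECRET")):
    """Env var names that look like secret values; the Docker *_FILE path convention is allowed."""
    return sorted(k for k in environ
                  if any(m in k.upper() for m in markers) and not k.upper().endswith("_FILE"))

def demo():
    """Constructed run in a temp dir: load a sample key, redact it, rotate the file, reload."""
    directory = Path(tempfile.mkdtemp())
    (directory / "api_key").write_text("sk-sample-111\n")
    store = SecretStore(["api_key"], directory)
    before = store.get("api_key")
    redacted = store.redact("calling upstream with sk-sample-111")
    (directory / "api_key").write_text("sk-sample-222")
    store.reload()
    return before, redacted, store.get("api_key")
```

In a running container, call `store.listen(signal.SIGHUP)` (or the signal your rotation job sends) once at startup and route all log output through `store.redact`.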
