Hey,

You can now configure Docker build secrets in the Build and Push step using YAML. This feature allows specifying secrets via envDockerSecrets and/or fileDockerSecrets fields, applicable when running build-and-push steps using Buildx (not Kaniko). Note that using Buildx in Kubernetes build infrastructure requires privileged access.

Please see release notes https://developer.harness.io/release-notes/continuous-integration#new-features-and-enhancements

Usage example is available under 'mounting docker secrets' in this documentation page https://developer.harness.io/docs/continuous-integration/use-ci/build-and-upload-artifacts/build-and-push/build-and-push-to-docker-registry/#environment-variables-plugin-runtime-flags

Regards,

Nofar Bluestein

CI product team

This is something we have a need for as well.

Is there been any timeframe from the Harness team on when this will be implemented? (I see it was marked as "Long-Term" 4 months ago, has there been any movement here?)

See https://docs.docker.com/engine/reference/commandline/buildx_build/#secret

We want the ability to be able to use this functionality against the built in Docker Build and Push steps (e.g. Build and Push to ECR) so we can define secrets in an appropriate way i.e. not as env or build args that stay within the built Docker image potentially leaking the secrets.

This mechanism allows secrets to be used as part of the Docker build but without actually keeping them within the created image, which is good security practice.

For now to work around this we need to use docker in docker and run for example the below command

docker build -t ${DEV_REPOSITORY}/${CONTAINER_IMAGE_NAME}:${TAG} --secret id=AWS_ACCESS_KEY_ID --secret id=AWS_SECRET_ACCESS_KEY --secret id=AWS_REGION --build-arg HARNESS_BASE_IMAGE_TAG=${HARNESS_BASE_IMAGE_TAG} .

Hi Paul, Thank you for submitting this request. Can you please describe your scenario and a mock pipeline to illustrate your use-case?