Login/Register
Securing credentials for private PyPi in Docker
Asked Answered
Solved dockerpypi
S

2

7

I am building a Docker image and need to run pip install vs a private PyPi with credentials. What is the best way to secure the credentials? Using various file configuration options (pip.conf, requirements.txt, .netrc) is still a vulnerability even if I delete them because they can be recovered. Environment variables are also visible. What's the most secure approach?

Sonjasonnet answered 25/10, 2021 at 8:10 Comment(1)
Does this answer your question? Consume secret inside dockerfileAnlace
H
3

I understand that you want to provide those credentials on build time and get rid of them afterwards.

Well, the most secure way to handle this with pip would be by using a multi-stage build process.

First, you would declare an initial build-image with the file configurations and any dependency that could be needed to download/compile your desired packages; don't worry about the possibility of recovering those files, since you will only use them for the build process.

Afterwards define your final image without the build dependencies and copy only the source code you want to run from your project and the dependencies from the build image. The resultant image won't have the configuration files and it's impossible to recover them, since they never were there.

FROM python:3.10-slim as build
RUN apt-get update
RUN apt-get install -y --no-install-recommends \
    build-essential gcc

WORKDIR /usr/app
RUN python -m -venv /usr/app/venv
ENV PATH="/usr/app/venv/bin:$PATH"

[HERE YOU COPY YOUR CONFIGURATION FILES WITH CREDENTIALS]
COPY requirements.txt
RUN pip install -r requirements

FROM python:3.10-slim
WORKDIR /usr/app
COPY --from=build /usr/app/venv ./venv
[HERE YOU COPY YOUR SOURCE CODE INTO YOUR CURRENT WORKDIR]

ENV PATH="/usr/app/venv/bin:$PATH"
ENTRYPOINT ["python", "whatever.py"]
Holsinger answered 25/10, 2021 at 9:25 Comment(0)
S
2

Also there's a Docker BuildKit feature to pass files with secrets as a bind mount to Dockerfile without storing it in the layer.

Such a bind mount could be defined in RUN instruction like this

FROM python:slim

COPY requirements.txt requirements.txt
RUN --mount=type=secret,id=PIP_CONF_SECRET_ID,dst=/etc/pip.conf,readonly \
    pip3 install --no-cache-dir -r requirements.txt

And on docker build the source value could be passed like this

docker image build --secret id=PIP_CONF_SECRET_ID,src=${PIP_CONFIG_FILE} -t my-image:latest .
Schick answered 2/8, 2023 at 9:29 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.