Docker
Docker Entrypoint
Learn how to use Infisical to inject environment variables into a Docker container.
This approach allows you to inject secrets from Infisical directly into your application.
This is achieved by installing the Infisical CLI into your docker image and modifying your start command to execute with Infisical.
Add the Infisical CLI to your Dockerfile
We recommend you to set the version of the CLI to a specific version. This will help keep your CLI version consistent across reinstalls. View versions
Modify the start command in your Dockerfile
Starting your service with the Infisical CLI pulls your secrets from Infisical and injects them into your service.1
Generate a machine identity
Generate a machine identity for your project by following the steps in the Machine Identity guide. The machine identity will allow you to authenticate and fetch secrets from Infisical.
2
Obtain an access token for the machine identity
Obtain an access token for the machine identity by running the following command:
Please note that the access token has a limited lifespan. The
infisical token renew command can be used to renew the token if needed.3
Feed the access token to the docker container
The last step is to give the Infisical CLI installed in your Docker container access to the access token. This will allow the CLI to fetch and inject the secrets into your application.To feed the access token to the container, use the INFISICAL_TOKEN environment variable as shown below.
Using a Starting Script
The drawback of the previous method is that you would have to generate theINFISICAL_TOKEN manually. To automate this process, you can use a shell script as your starting command.1
Generate a Machine Identity
Create a machine identity for your project by following the steps in the Machine Identity guide. This identity will enable authentication and secret retrieval from Infisical.
2
Create the Shell Script
Create a shell script to obtain an access token for the machine identity:
script.sh
Note: The access token has a limited lifespan. Use the infisical token renew CLI command to renew it when necessary.
Caution: Implementing this directly in your Dockerfile presents two key issues:
- Lack of persistence: Variables set in one build step are not automatically carried over to subsequent steps, complicating the process.
- Security risk: It exposes sensitive credentials inside your container, potentially allowing anyone with container access to retrieve them.
3
Update Your Dockerfile
Grant the Infisical CLI access to the access token, inside your Docker container. This allows the CLI to fetch and inject secrets into your application.Add the following line to your Dockerfile: